compliance controls are associated with this Policy definition 'Storage account containing the container with activity logs must be encrypted with BYOK' (fbb99e8e-e444-4da0-9ff1-75c92f5a85b2)
Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
CIS_Azure_1.1.0 |
5.1.6 |
CIS_Azure_1.1.0_5.1.6 |
CIS Microsoft Azure Foundations Benchmark recommendation 5.1.6 |
5 Logging and Monitoring |
Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key) |
Shared |
The customer is responsible for implementing this recommendation. |
The storage account with the activity log export container is configured to use BYOK (Use Your Own Key). |
link |
4 |
CIS_Azure_1.3.0 |
5.1.4 |
CIS_Azure_1.3.0_5.1.4 |
CIS Microsoft Azure Foundations Benchmark recommendation 5.1.4 |
5 Logging and Monitoring |
Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key) |
Shared |
The customer is responsible for implementing this recommendation. |
The storage account with the activity log export container is configured to use BYOK (Use Your Own Key). |
link |
4 |
CIS_Azure_1.4.0 |
5.1.4 |
CIS_Azure_1.4.0_5.1.4 |
CIS Microsoft Azure Foundations Benchmark recommendation 5.1.4 |
5 Logging and Monitoring |
Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key) |
Shared |
The customer is responsible for implementing this recommendation. |
The storage account with the activity log export container is configured to use BYOK (Use Your Own Key). |
link |
4 |
CIS_Azure_2.0.0 |
5.1.4 |
CIS_Azure_2.0.0_5.1.4 |
CIS Microsoft Azure Foundations Benchmark recommendation 5.1.4 |
5.1 |
Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key |
Shared |
**NOTE:** You must have your key vault setup to utilize this.
All Audit Logs will be encrypted with a key you provide. You will need to set up customer managed keys separately, and you will select which key to use via the instructions here. You will be responsible for the lifecycle of the keys, and will need to manually replace them at your own determined intervals to keep the data secure. |
Storage accounts with the activity log exports can be configured to use Customer Managed Keys (CMK).
Configuring the storage account with the activity log export container to use CMKs provides additional confidentiality controls on log data, as a given user must have read permission on the corresponding storage account and must be granted decrypt permission by the CMK. |
link |
4 |
NZ_ISM_v3.5 |
AC-19 |
NZ_ISM_v3.5_AC-19 |
NZISM Security Benchmark AC-19 |
Access Control and Passwords |
16.6.12 Event log protection |
Customer |
n/a |
Effective log protection and storage (possibly involving the use of a dedicated event logging server) will help ensure the integrity and availability of the collected logs when they are audited. |
link |
1 |
RBI_ITF_NBFC_v2017 |
3.1.g |
RBI_ITF_NBFC_v2017_3.1.g |
RBI IT Framework 3.1.g |
Information and Cyber Security |
Trails-3.1 |
|
n/a |
The IS Policy must provide for a IS framework with the following basic tenets:
Trails- NBFCs shall ensure that audit trails exist for IT assets satisfying its business requirements including regulatory and legal requirements, facilitating audit, serving as forensic evidence when required and assisting in dispute resolution. If an employee, for instance, attempts to access an unauthorized section, this improper activity should be recorded in the audit trail. |
link |
36 |
RMiT_v1.0 |
10.53 |
RMiT_v1.0_10.53 |
RMiT 10.53 |
Cloud Services |
Cloud Services - 10.53 |
Shared |
n/a |
A financial institution must implement appropriate safeguards on customer and counterparty information and proprietary data when using cloud services to protect against unauthorised disclosure and access. This shall include retaining ownership, control and management of all data pertaining to customer and counterparty information, proprietary data and services hosted on the cloud, including the relevant cryptographic keys management. |
link |
14 |
SOC_2 |
CC6.1 |
SOC_2_CC6.1 |
SOC 2 Type 2 CC6.1 |
Logical and Physical Access Controls |
Logical access security software, infrastructure, and architectures |
Shared |
The customer is responsible for implementing this recommendation. |
The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion:
• Identifies and Manages the Inventory of Information Assets — The entity identifies,
Page 29
TSP
Ref. #
TRUST SERVICES CRITERIA AND POINTS OF FOCUS
inventories, classifies, and manages information assets.
• Restricts Logical Access — Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative
authorities, mobile devices, output, and offline system components is restricted
through the use of access control software and rule sets.
• Identifies and Authenticates Users — Persons, infrastructure, and software are
identified and authenticated prior to accessing information assets, whether locally
or remotely.
• Considers Network Segmentation — Network segmentation permits unrelated portions of the entity's information system to be isolated from each other.
• Manages Points of Access — Points of access by outside entities and the types of
data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified,
documented, and managed.
• Restricts Access to Information Assets — Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets.
• Manages Identification and Authentication — Identification and authentication requirements are established, documented, and managed for individuals and systems
accessing entity information, infrastructure, and software.
• Manages Credentials for Infrastructure and Software — New internal and external
infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point.
Credentials are removed and access is disabled when access is no longer required
or the infrastructure and software are no longer in use.
• Uses Encryption to Protect Data — The entity uses encryption to supplement other
measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk.
• Protects Encryption Keys — Processes are in place to protect encryption keys during generation, storage, use, and destruction |
|
78 |
SWIFT_CSCF_v2022 |
6.4 |
SWIFT_CSCF_v2022_6.4 |
SWIFT CSCF v2022 6.4 |
6. Detect Anomalous Activity to Systems or Transaction Records |
Record security events and detect anomalous actions and operations within the local SWIFT environment. |
Shared |
n/a |
Capabilities to detect anomalous activity are implemented, and a process or tool is in place to keep and review logs. |
link |
51 |