AzInitiativeAdvertizer

last sync: 2024-Jul-26 18:18:00 UTC

ISO 27001:2013

Azure BuiltIn Policy Initiative (PolicySet)

Source

Azure Portal

Display name

ISO 27001:2013

89c6cddc-1c73-4ac1-b19c-54d1a15a42f2

Version

8.2.0
Details on versioning

Category

Regulatory Compliance
Microsoft Learn

Description

The International Organization for Standardization (ISO) 27001 standard provides requirements for establishing, implementing, maintaining, and continuously improving an Information Security Management System (ISMS). These policies address a subset of ISO 27001:2013 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/iso27001-init

Type

BuiltIn

Deprecated

False

Preview

False

Policy count

Total Policies: 459
Builtin Policies: 459
Static Policies: 0

Policy used

Policy DisplayName	Policy Id	Category	Effect	Roles#	Roles	State
[Preview]: Log Analytics Extension should be enabled for listed virtual machine images	32133ab0-ee4b-4b44-98d6-042180979d50	Monitoring	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		Preview
A maximum of 3 owners should be designated for your subscription	4f11b553-d42e-4e3a-89be-32ca364cad4c	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
A vulnerability assessment solution should be enabled on your virtual machines	501541f7-f7e7-4cd6-868c-4190fdad3ac9	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Accounts with owner permissions on Azure resources should be MFA enabled	e3e008c3-56b9-4133-8fd7-d3347377402a	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Accounts with read permissions on Azure resources should be MFA enabled	81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Accounts with write permissions on Azure resources should be MFA enabled	931e118d-50a1-4457-a5e4-78550e086c52	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Adaptive application controls for defining safe applications should be enabled on your machines	47a6b606-51aa-4496-8bb7-64b11cf66adc	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities	3cf2ab00-13f1-4d0c-8971-2ac904541a7e	Guest Configuration	Fixed modify	1	Contributor	GA
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity	497dff13-db2a-4c0f-8603-28fa3b331ab6	Guest Configuration	Fixed modify	1	Contributor	GA
Address coding vulnerabilities	318b2bd9-9c39-9f8b-46a7-048401f33476	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Adhere to retention periods defined	1ecb79d7-1a06-9a3b-3be8-f434d04d1ec1	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Adjust level of audit review, analysis, and reporting	de251b09-4a5e-1204-4bef-62ac58d47999	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Adopt biometric authentication mechanisms	7d7a8356-5c34-9a95-3118-1424cfaf192a	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Alert personnel of information spillage	9622aaa9-5c49-40e2-5bf8-660b7cd23deb	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Align business objectives and IT goals	ab02bb73-4ce1-89dd-3905-d93042809ba0	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
All network ports should be restricted on network security groups associated to your virtual machine	9daedab3-fb2d-461e-b861-71790eead4f6	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Allocate resources in determining information system requirements	90a156a6-49ed-18d1-1052-69aac27c05cd	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
An Azure Active Directory administrator should be provisioned for SQL servers	1f314764-cb73-4fc9-b863-8eca98ac36e9	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
App Service apps should only be accessible over HTTPS	a4af4a39-4135-47fb-b175-47fbdf85311d	App Service	Default Audit Allowed Audit, Disabled, Deny	0		GA
Appoint a senior information security officer	c6cf9f2c-5fd8-3f16-a1f1-f0b69c904928	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Assess information security events	37b0045b-3887-367b-8b4d-b9a6fa911bb9	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Assess risk in third party relationships	0d04cb93-a0f1-2f4b-4b1b-a72a1b510d08	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Assess Security Controls	c423e64d-995c-9f67-0403-b540f65ba42a	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Assign account managers	4c6df5ff-4ef2-4f17-a516-0da9189c603b	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Assign an authorizing official (AO)	e29a8f1b-149b-2fa3-969d-ebee1baa9472	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Assign system identifiers	f29b17a4-0df2-8a50-058a-8570f9979d28	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Audit diagnostic setting for selected resource types	7f89b1eb-583c-429a-8828-af049802c1d9	Monitoring	Fixed AuditIfNotExists	0		GA
Audit Linux machines that allow remote connections from accounts without passwords	ea53dbee-c6c9-4f0e-9f9e-de0039b78023	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Audit Linux machines that do not have the passwd file permissions set to 0644	e6955644-301c-44b5-a4c4-528577de6861	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Audit Linux machines that have accounts without passwords	f6ec09a3-78bf-4f8f-99dc-6c77182d0f99	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Audit privileged functions	f26af0b1-65b6-689a-a03f-352ad2d00f98	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Audit usage of custom RBAC roles	a451c1ef-c6ca-483d-87ed-f49761e3ffb5	General	Default Audit Allowed Audit, Disabled	0		GA
Audit user account status	49c23d9b-02b0-0e42-4f94-e8cef1b8381b	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Audit VMs that do not use managed disks	06a78e20-9358-41c9-923c-fb736d382a4d	Compute	Fixed audit	0		GA
Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords	5b054a0d-39e2-4d53-bea3-9734cad2c69b	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Audit Windows machines that do not have the maximum password age set to specified number of days	4ceb8dc2-559c-478b-a15b-733fbf1e3738	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Audit Windows machines that do not have the minimum password age set to specified number of days	237b38db-ca4d-4259-9e47-7882441ca2c0	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Audit Windows machines that do not have the password complexity setting enabled	bf16e0bb-31e1-4646-8202-60a235cc7e74	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Audit Windows machines that do not restrict the minimum password length to specified number of characters	a2d0e922-65d0-40c4-8f87-ea6da2d307a2	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Audit Windows machines that do not store passwords using reversible encryption	da0f98fe-a24b-4ad5-af69-bd0400233661	Guest Configuration	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Auditing on SQL server should be enabled	a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Authenticate to cryptographic module	6f1de470-79f3-1572-866e-db0771352fc8	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Authorize access to security functions and information	aeed863a-0f56-429f-945d-8bb66bd06841	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Authorize and manage access	50e9324a-7410-0539-0662-2c1e775538b7	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Authorize remote access	dad8a2e9-6f27-4fc2-8933-7e99fe700c9c	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Authorize, monitor, and control voip	e4e1f896-8a93-1151-43c7-0ad23b081ee2	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Automate account management	2cc9c165-46bd-9762-5739-d2aae5ba90a1	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Automate approval request for proposed changes	575ed5e8-4c29-99d0-0e4d-689fb1d29827	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Automate implementation of approved change notifications	c72fc0c8-2df8-7506-30be-6ba1971747e1	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Automate process to document implemented changes	43ac3ccb-4ef6-7d63-9a3f-6848485ba4e8	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Automate process to highlight unreviewed change proposals	92b49e92-570f-1765-804a-378e6c592e28	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Automate process to prohibit implementation of unapproved changes	7d10debd-4775-85a7-1a41-7e128e0e8c50	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Automate proposed documented changes	5c40f27b-6791-18c5-3f85-7b863bd99c11	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Automate remote maintenance activities	b8587fce-138f-86e8-33a3-c60768bf1da6	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Automation account variables should be encrypted	3657f5a0-770e-44a3-b44e-9431ba1e9735	Automation	Default Audit Allowed Audit, Deny, Disabled	0		GA
Block untrusted and unsigned processes that run from USB	3d399cf3-8fc6-0efc-6ab0-1412f1198517	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Blocked accounts with owner permissions on Azure resources should be removed	0cfea604-3201-4e14-88fc-fae4c427a6c5	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Blocked accounts with read and write permissions on Azure resources should be removed	8d7e1fde-fe26-4b5f-8108-f8e432cbc2be	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Categorize information	93fa357f-2e38-22a9-5138-8cc5124e1923	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Check for privacy and security compliance before establishing internal connections	ee4bbbbb-2e52-9adb-4e3a-e641f7ac68ab	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Clear personnel with access to classified information	c42f19c9-5d88-92da-0742-371a0ea03126	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Communicate contingency plan changes	a1334a65-2622-28ee-5067-9d7f5b915cc5	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Compile Audit records into system wide audit	214ea241-010d-8926-44cc-b90a96d52adc	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Conduct a full text analysis of logged privileged commands	8eea8c14-4d93-63a3-0c82-000343ee5204	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Conduct a security impact analysis	203101f5-99a3-1491-1b56-acccd9b66a9e	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Conduct backup of information system documentation	b269a749-705e-8bff-055a-147744675cdf	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Conduct capacity planning	33602e78-35e3-4f06-17fb-13dd887448e4	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Conduct exit interview upon termination	496b407d-9b9e-81e8-4ba4-44bc686b016a	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Conduct Risk Assessment	677e1da4-00c3-287a-563d-f4a1cf9b99a0	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Conduct risk assessment and distribute its results	d7c1ecc3-2980-a079-1569-91aec8ac4a77	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Conduct risk assessment and document its results	1dbd51c2-2bd1-5e26-75ba-ed075d8f0d68	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Configure Azure Audit capabilities	a3e98638-51d4-4e28-910a-60e98c1a756f	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Configure detection whitelist	2927e340-60e4-43ad-6b5f-7a1468232cc2	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Configure workstations to check for digital certificates	26daf649-22d1-97e9-2a8a-01b182194d59	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Control information flow	59bedbdc-0ba9-39b9-66bb-1d1c192384e6	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Control maintenance and repair activities	b6ad009f-5c24-1dc0-a25e-74b60e4da45f	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Control physical access	55a7f9a0-6397-7589-05ef-5ed59a8149e7	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Control use of portable storage devices	36b74844-4a99-4c80-1800-b18a516d1585	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Coordinate contingency plans with related plans	c5784049-959f-6067-420c-f4cefae93076	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Correlate audit records	10874318-0bf7-a41f-8463-03e395482080	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Create a data inventory	043c1e56-5a16-52f8-6af8-583098ff3e60	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Create configuration plan protection	874a6f2e-2098-53bc-3a16-20dcdc425a7e	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Create separate alternate and primary storage sites	81b6267b-97a7-9aa5-51ee-d2584a160424	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Define a physical key management process	51e4b233-8ee3-8bdc-8f5f-f33bd0d229b7	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Define access authorizations to support separation of duties	341bc9f1-7489-07d9-4ec6-971573e1546a	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Define and document government oversight	cbfa1bd0-714d-8d6f-0480-2ad6a53972df	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Define cryptographic use	c4ccd607-702b-8ae6-8eeb-fc3339cd4b42	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Define information security roles and responsibilities	ef5a7059-6651-73b1-18b3-75b1b79c1565	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Define information system account types	623b5f0a-8cbd-03a6-4892-201d27302f0c	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Define mobile device requirements	9ca3a3ea-3a1f-8ba0-31a8-6aed0fe1a7a4	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Define organizational requirements for cryptographic key management	d661e9eb-4e15-5ba1-6f02-cdc467db0d6c	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Define performance metrics	39999038-9ef1-602a-158c-ce2367185230	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Define requirements for managing assets	25a1f840-65d0-900a-43e4-bee253de04de	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Define requirements for supplying goods and services	2b2f3a72-9e68-3993-2b69-13dcdecf8958	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Define the duties of processors	52375c01-4d4c-7acc-3aa4-5b3d53a047ec	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Deliver security assessment results	8e49107c-3338-40d1-02aa-d524178a2afe	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Dependency agent should be enabled for listed virtual machine images	11ac78e3-31bc-4f0c-8434-37ab963cea07	Monitoring	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images	e2dd799a-a932-4e9d-ac17-d473bc3c6c10	Monitoring	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs	331e8ea8-378a-410f-a2e5-ae22f38bb0da	Guest Configuration	Fixed deployIfNotExists	1	Contributor	GA
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs	385f5831-96d4-41db-9a3c-cd3af78aaae6	Guest Configuration	Fixed deployIfNotExists	1	Contributor	GA
Design an access control model	03b6427e-6072-4226-4bd9-a410ab65317e	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Designate authorized personnel to post publicly accessible information	b4512986-80f5-1656-0c58-08866bd2673a	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Designate individuals to fulfill specific roles and responsibilities	8b077bff-516f-3983-6c42-c86e9a11868b	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Designate personnel to supervise unauthorized maintenance activities	7a489c62-242c-5db9-74df-c073056d6fa3	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Determine assertion requirements	7a0ecd94-3699-5273-76a5-edb8499f655a	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Determine auditable events	2f67e567-03db-9d1f-67dc-b6ffb91312f4	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Determine supplier contract obligations	67ada943-8539-083d-35d0-7af648974125	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Develop a concept of operations (CONOPS)	e7422f08-65b4-50e4-3779-d793156e0079	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Develop acceptable use policies and procedures	42116f15-5665-a52a-87bb-b40e64c74b6c	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Develop access control policies and procedures	59f7feff-02aa-6539-2cf7-bea75b762140	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Develop an incident response plan	2b4e134f-1e4c-2bff-573e-082d85479b6e	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Develop and document a business continuity and disaster recovery plan	bd6cbcba-4a2d-507c-53e3-296b5c238a8e	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Develop and document application security requirements	6de65dc4-8b4f-34b7-9290-eb137a2e2929	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Develop and establish a system security plan	b2ea1058-8998-3dd1-84f1-82132ad482fd	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Develop and maintain a vulnerability management standard	055da733-55c6-9e10-8194-c40731057ec4	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Develop and maintain baseline configurations	2f20840e-7925-221c-725d-757442753e7c	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Develop audit and accountability policies and procedures	a28323fe-276d-3787-32d2-cef6395764c4	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Develop business classification schemes	11ba0508-58a8-44de-5f3a-9e05d80571da	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Develop configuration item identification plan	836f8406-3b8a-11bb-12cb-6c7fa0765668	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Develop configuration management plan	04837a26-2601-1982-3da7-bf463e6408f4	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Develop contingency plan	aa305b4d-8c84-1754-0c74-dec004e66be0	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Develop contingency planning policies and procedures	75b42dcf-7840-1271-260b-852273d7906e	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Develop information security policies and procedures	af227964-5b8b-22a2-9364-06d2cb9d6d7c	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Develop organization code of conduct policy	d02498e0-8a6f-6b02-8332-19adf6711d1e	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Develop POA&M	477bd136-7dd9-55f8-48ac-bae096b86a07	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Develop security assessment plan	1c258345-5cd4-30c8-9ef3-5ee4dd5231d6	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Develop security safeguards	423f6d9c-0c73-9cc6-64f4-b52242490368	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Develop SSP that meets criteria	6b957f60-54cd-5752-44d5-ff5a64366c93	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Disable authenticators upon termination	d9d48ffb-0d8c-0bd5-5f31-5a5826d19f10	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Discover any indicators of compromise	07b42fb5-027e-5a3c-4915-9d9ef3020ec7	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Disseminate security alerts to personnel	9c93ef57-7000-63fb-9b74-88f2e17ca5d2	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Distribute information system documentation	84a01872-5318-049e-061e-d56734183e84	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Distribute policies and procedures	eff6e4a5-3efe-94dd-2ed1-25d56a019a82	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Document access privileges	a08b18c7-9e0a-89f1-3696-d80902196719	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Document acquisition contract acceptance criteria	0803eaa7-671c-08a7-52fd-ac419f775e75	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Document and distribute a privacy policy	ee67c031-57fc-53d0-0cca-96c4c04345e8	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Document and implement privacy complaint procedures	eab4450d-9e5c-4f38-0656-2ff8c78c83f3	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Document and implement wireless access guidelines	04b3e7f6-4841-888d-4799-cda19a0084f6	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Document customer-defined actions	8c44a0ea-9b09-4d9c-0e91-f9bee3d05bfb	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Document mobility training	83dfb2b8-678b-20a0-4c44-5c75ada023e6	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Document organizational access agreements	c981fa70-2e58-8141-1457-e7f62ebc2ade	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Document personnel acceptance of privacy requirements	271a3e58-1b38-933d-74c9-a580006b80aa	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Document protection of personal data in acquisition contracts	f9ec3263-9562-1768-65a1-729793635a8d	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Document protection of security information in acquisition contracts	d78f95ba-870a-a500-6104-8a5ce2534f19	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Document remote access guidelines	3d492600-27ba-62cc-a1c3-66eb919f6a0d	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Document requirements for the use of shared data in contracts	0ba211ef-0e85-2a45-17fc-401d1b3f8f85	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Document security and privacy training activities	524e7136-9f6a-75ba-9089-501018151346	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Document security assurance requirements in acquisition contracts	13efd2d7-3980-a2a4-39d0-527180c009e8	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Document security documentation requirements in acquisition contract	a465e8e9-0095-85cb-a05f-1dd4960d02af	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Document security functional requirements in acquisition contracts	57927290-8000-59bf-3776-90c468ac5b4b	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Document security operations	2c6bee3a-2180-2430-440d-db3c7a849870	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Document security strength requirements in acquisition contracts	ebb0ba89-6d8c-84a7-252b-7393881e43de	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Document separation of duties	e6f7b584-877a-0d69-77d4-ab8b923a9650	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Document the information system environment in acquisition contracts	c148208b-1a6f-a4ac-7abc-23b1d41121b1	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Document the legal basis for processing personal information	79c75b38-334b-1a69-65e0-a9d929a42f75	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Document the protection of cardholder data in third party contracts	77acc53d-0f67-6e06-7d04-5750653d4629	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Document third-party personnel security requirements	b320aa42-33b4-53af-87ce-100091d48918	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Employ a media sanitization mechanism	eaaae23f-92c9-4460-51cf-913feaea4d52	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Employ automated training environment	c8aa992d-76b7-7ca0-07b3-31a58d773fa9	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Employ automatic emergency lighting	aa892c0d-2c40-200c-0dd8-eac8c4748ede	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Employ boundary protection to isolate information systems	311802f9-098d-0659-245a-94c5d47c0182	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Employ business case to record the resources required	2d14ff7e-6ff9-838c-0cde-4962ccdb1689	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Employ flow control mechanisms of encrypted information	79365f13-8ba4-1f6c-2ac4-aa39929f56d0	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Employ independent assessors to conduct security control assessments	b65c5d8e-9043-9612-2c17-65f231d763bb	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Employ independent team for penetration testing	611ebc63-8600-50b6-a0e3-fef272457132	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Employ least privilege access	1bc7fd64-291f-028e-4ed6-6e07886e163f	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Enable detection of network devices	426c172c-9914-10d1-25dd-669641fc1af4	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Enable dual or joint authorization	2c843d78-8f64-92b5-6a9b-e8186c0e7eb6	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Enable network protection	8c255136-994b-9616-79f5-ae87810e0dcf	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Enforce a limit of consecutive failed login attempts	b4409bff-2287-8407-05fd-c73175a68302	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Enforce and audit access restrictions	8cd815bf-97e1-5144-0735-11f6ddb50a59	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Enforce logical access	10c4210b-3ec9-9603-050d-77e4d26c7ebb	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Enforce mandatory and discretionary access control policies	b1666a13-8f67-9c47-155e-69e027ff6823	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Enforce rules of behavior and access agreements	509552f5-6528-3540-7959-fbeae4832533	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Enforce security configuration settings	058e9719-1ff9-3653-4230-23f76b6492e0	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Enforce user uniqueness	e336d5f4-4d8f-0059-759c-ae10f63d1747	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Ensure access agreements are signed or resigned timely	e7589f4e-1e8b-72c2-3692-1e14d7f3699f	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Ensure alternate storage site safeguards are equivalent to primary site	178c8b7e-1b6e-4289-44dd-2f1526b678a1	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Ensure capital planning and investment requests include necessary resources	464a7d7a-2358-4869-0b49-6d582ca21292	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Ensure information system fails in known state	12af7c7a-92af-9e96-0d0c-5e732d1a3751	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Ensure privacy program information is publicly available	1beb1269-62ee-32cd-21ad-43d6c9750eb6	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Ensure resources are authorized	0716f0f5-4955-2ccb-8d5e-c6be14d57c0f	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Ensure security categorization is approved	6c79c3e5-5f7b-a48a-5c7b-8c158bc01115	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Ensure security safeguards not needed when the individuals return	1fdf0b24-4043-3c55-357e-036985d50b52	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Ensure there are no unencrypted static authenticators	eda0cbb7-6043-05bf-645b-67411f1a59b3	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Eradicate contaminated information	54a9c072-4a93-2a03-6a43-a060d30383d7	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish a data leakage management procedure	3c9aa856-6b86-35dc-83f4-bc72cec74dea	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish a discrete line item in budgeting documentation	06af77de-02ca-0f3e-838a-a9420fe466f5	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish a password policy	d8bbd80e-3bb1-5983-06c2-428526ec6a63	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish a privacy program	39eb03c1-97cc-11ab-0960-6209ed2869f7	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish a risk management strategy	d36700f2-2f0d-7c2a-059c-bdadd1d79f70	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish a secure software development program	e750ca06-1824-464a-2cf3-d0fa754d1cb4	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish a threat intelligence program	b0e3035d-6366-2e37-796e-8bcab9c649e6	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish alternate storage site to store and retrieve backup information	0a412110-3874-9f22-187a-c7a81c8a6704	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish an alternate processing site	af5ff768-a34b-720e-1224-e6b3214f3ba6	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish an information security program	84245967-7882-54f6-2d34-85059f725b47	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish and document a configuration management plan	526ed90e-890f-69e7-0386-ba5c0f1f784f	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish and document change control processes	bd4dc286-2f30-5b95-777c-681f3a7913d3	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish and maintain an asset inventory	27965e62-141f-8cca-426f-d09514ee5216	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish authenticator types and processes	921ae4c1-507f-5ddb-8a58-cfa9b5fd96f0	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish backup policies and procedures	4f23967c-a74b-9a09-9dc2-f566f61a87b9	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish conditions for role membership	97cfd944-6f0c-7db2-3796-8e890ef70819	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish configuration management requirements for developers	8747b573-8294-86a0-8914-49e9b06a5ace	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish electronic signature and certificate requirements	6f3866e8-6e12-69cf-788c-809d426094a1	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish firewall and router configuration standards	398fdbd8-56fd-274d-35c6-fa2d3b2755a1	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish information security workforce development and improvement program	b544f797-a73b-1be3-6d01-6b1a085376bc	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish network segmentation for card holder data environment	f476f3b0-4152-526e-a209-44e5f8c968d7	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish policies for supply chain risk management	9150259b-617b-596d-3bf5-5ca3fce20335	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish privacy requirements for contractors and service providers	f8d141b7-4e21-62a6-6608-c79336e36bc9	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish procedures for initial authenticator distribution	35963d41-4263-0ef9-98d5-70eb058f9e3c	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish requirements for audit review and reporting	b3c8cc83-20d3-3890-8bc8-5568777670f4	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish requirements for internet service providers	5f2e834d-7e40-a4d5-a216-e49b16955ccf	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish security requirements for the manufacturing of connected devices	afbecd30-37ee-a27b-8e09-6ac49951a0ee	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish terms and conditions for accessing resources	3c93dba1-84fd-57de-33c7-ef0400a08134	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish terms and conditions for processing resources	5715bf33-a5bd-1084-4e19-bc3c83ec1c35	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Establish third-party personnel security requirements	3881168c-5d38-6f04-61cc-b5d87b2c4c58	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Execute actions in response to information spills	ba78efc6-795c-64f4-7a02-91effbd34af9	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Explicitly notify use of collaborative computing devices	62fa14f0-4cbe-762d-5469-0899a99b98aa	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Function apps should only be accessible over HTTPS	6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab	App Service	Default Audit Allowed Audit, Disabled, Deny	0		GA
Generate error messages	c2cb4658-44dc-9d11-3dad-7c6802dd5ba3	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Generate internal security alerts	171e377b-5224-4a97-1eaa-62a3b5231dac	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Govern and monitor audit processing activities	333b4ada-4a02-0648-3d4d-d812974f1bb2	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Govern compliance of cloud service providers	5c33538e-02f8-0a7f-998b-a4c1e22076d3	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Govern policies and procedures	1a2a03a4-9992-5788-5953-d8f6615306de	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Govern the allocation of resources	33d34fac-56a8-1c0f-0636-3ed94892a709	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Guest accounts with owner permissions on Azure resources should be removed	339353f6-2387-4a45-abe4-7f529d121046	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Guest accounts with write permissions on Azure resources should be removed	94e1c2ac-cbbe-4cac-a2b5-389c812dee87	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Identify actions allowed without authentication	92a7591f-73b3-1173-a09c-a08882d84c70	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Identify and authenticate network devices	ae5345d5-8dab-086a-7290-db43a3272198	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Identify and authenticate non-organizational users	e1379836-3492-6395-451d-2f5062e14136	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Identify and manage downstream information exchanges	c7fddb0e-3f44-8635-2b35-dc6b8e740b7c	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Identify and mitigate potential issues at alternate storage site	13939f8c-4cd5-a6db-9af4-9dfec35e3722	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Identify external service providers	46ab2c5e-6654-1f58-8c83-e97a44f39308	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Identify individuals with security roles and responsibilities	0dcbaf2f-075e-947b-8f4c-74ecc5cd302c	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Implement a fault tolerant name/address service	ced727b3-005e-3c5b-5cd5-230b79d56ee8	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Implement an automated configuration management tool	33832848-42ab-63f3-1a55-c0ad309d44cd	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Implement controls to protect PII	cf79f602-1e60-5423-6c0c-e632c2ea1fc0	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Implement controls to secure all media	e435f7e3-0dd9-58c9-451f-9b44b96c0232	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Implement controls to secure alternate work sites	cd36eeec-67e7-205a-4b64-dbfe3b4e3e4e	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Implement formal sanctions process	5decc032-95bd-2163-9549-a41aba83228e	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Implement incident handling	433de59e-7a53-a766-02c2-f80f8421469a	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Implement managed interface for each external service	b262e1dd-08e9-41d4-963a-258909ad794b	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Implement methods for consumer requests	b8ec9ebb-5b7f-8426-17c1-2bc3fcd54c6e	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Implement parameters for memorized secret verifiers	3b30aa25-0f19-6c04-5ca4-bd3f880a763d	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Implement personnel screening	e0c480bf-0d68-a42d-4cbb-b60f851f8716	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Implement physical security for offices, working areas, and secure areas	05ec66a2-137c-14b8-8e75-3d7a2bef07f8	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Implement plans of action and milestones for security program process	d93fe1be-13e4-421d-9c21-3158e2fa2667	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Implement privacy notice delivery methods	06f84330-4c27-21f7-72cd-7488afd50244	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Implement security directives	26d178a4-9261-6f04-a100-47ed85314c6e	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Implement security engineering principles of information systems	df2e9507-169b-4114-3a52-877561ee3198	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Implement system boundary protection	01ae60e2-38bb-0a32-7b20-d3a091423409	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Implement the risk management strategy	c6fe3856-4635-36b6-983c-070da12a953b	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Implement training for protecting authenticators	e4b00788-7e1c-33ec-0418-d048508e095b	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Implement transaction based recovery	ba02d0a0-566a-25dc-73f1-101c726a19c5	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Incorporate flaw remediation into configuration management	34aac8b2-488a-2b96-7280-5b9b481a317a	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Incorporate security and data privacy practices in research processing	834b7a4a-83ab-2188-1a26-9c5033d8173b	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Information flow control using security policy filters	13ef3484-3a51-785a-9c96-500f21f84edd	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Initiate contingency plan testing corrective actions	8bfdbaa6-6824-3fec-9b06-7961bf7389a6	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Initiate transfer or reassignment actions	b8a9bb2f-7290-3259-85ce-dca7d521302d	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Install an alarm system	aa0ddd99-43eb-302d-3f8f-42b499182960	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Integrate audit review, analysis, and reporting	f741c4e6-41eb-15a4-25a2-61ac7ca232f0	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Integrate cloud app security with a siem	9fdde4a9-85fa-7850-6df4-ae9c4a2e56f9	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Integrate risk management process into SDLC	00f12b6f-10d7-8117-9577-0f2b76488385	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Issue public key certificates	97d91b33-7050-237b-3e23-a77d57d84e13	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Limit privileges to make changes in production environment	2af551d5-1775-326a-0589-590bfb7e9eb2	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images	5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138	Monitoring	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Maintain data breach records	0fd1ca29-677b-2f12-1879-639716459160	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Maintain incident response plan	37546841-8ea1-5be0-214d-8ac599588332	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Maintain list of authorized remote maintenance personnel	4ce91e4e-6dab-3c46-011a-aa14ae1561bf	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Maintain records of processing of personal data	92ede480-154e-0e22-4dca-8b46a74a3a51	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Manage a secure surveillance camera system	f2222056-062d-1060-6dc2-0107a68c34b2	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Manage authenticator lifetime and reuse	29363ae1-68cd-01ca-799d-92c9197c8404	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Manage Authenticators	4aacaec9-0628-272c-3e83-0d68446694e0	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Manage compliance activities	4e400494-53a5-5147-6f4d-718b539c7394	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Manage contacts for authorities and special interest groups	5269d7e4-3768-501d-7e46-66c56c15622c	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Manage gateways	63f63e71-6c3f-9add-4c43-64de23e554a7	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Manage maintenance personnel	b273f1e3-79e7-13ee-5b5d-dca6c66c3d5d	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Manage nonlocal maintenance and diagnostic activities	1fb1cb0e-1936-6f32-42fd-89970b535855	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Manage security state of information systems	6baae474-434f-2e91-7163-a72df30c4847	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Manage symmetric cryptographic keys	9c276cf3-596f-581a-7fbd-f5e46edaa0f4	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Manage system and admin accounts	34d38ea7-6754-1838-7031-d7fd07099821	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Manage the input, output, processing, and storage of data	e603da3a-8af7-4f8a-94cb-1bcc0e0333d2	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Manage the transportation of assets	4ac81669-00e2-9790-8648-71bc11bc91eb	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Modify access authorizations upon personnel transfer	979ed3b6-83f9-26bc-4b86-5b05464700bf	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Monitor access across the organization	48c816c5-2190-61fc-8806-25d6f3df162f	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Monitor account activity	7b28ba4f-0a87-46ac-62e1-46b7c09202a8	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Monitor missing Endpoint Protection in Azure Security Center	af6cd1bd-1635-48cb-bde7-5b15693900b9	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Monitor privileged role assignment	ed87d27a-9abf-7c71-714c-61d881889da4	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Monitor security and privacy training completion	82bd024a-5c99-05d6-96ff-01f539676a1a	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Monitor third-party provider compliance	f8ded0c6-a668-9371-6bb6-661d58787198	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Not allow for information systems to accompany with individuals	41172402-8d73-64c7-0921-909083c086b0	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Notify Account Managers of customer controlled accounts	4b8fd5da-609b-33bf-9724-1c946285a14c	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Notify personnel upon sanctions	6228396e-2ace-7ca5-3247-45767dbf52f4	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Notify upon termination or transfer	c79d378a-2521-822a-0407-57454f8d2c74	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Notify users of system logon or access	fe2dff43-0a8c-95df-0432-cb1c794b17d0	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Notify when account is not needed	8489ff90-8d29-61df-2d84-f9ab0f4c5e84	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Obscure feedback information during authentication process	1ff03f2a-974b-3272-34f2-f6cd51420b30	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Obtain Admin documentation	3f1216b0-30ee-1ac9-3899-63eb744e85f5	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Obtain consent prior to collection or processing of personal data	069101ac-4578-31da-0cd4-ff083edd3eb4	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Obtain legal opinion for monitoring system activities	d9af7f88-686a-5a8b-704b-eafdab278977	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Obtain user security function documentation	be1c34ab-295a-07a6-785c-36f63c1d223e	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Only secure connections to your Azure Cache for Redis should be enabled	22bee202-a82f-4305-9a2a-6d7f44d4dedb	Cache	Default Audit Allowed Audit, Deny, Disabled	0		GA
Perform a privacy impact assessment	d18af1ac-0086-4762-6dc8-87cdded90e39	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Perform a risk assessment	8c5d3d8d-5cba-0def-257c-5ab9ea9644dc	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Perform a trend analysis on threats	50e81644-923d-33fc-6ebb-9733bc8d1a06	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Perform audit for configuration change control	1282809c-9001-176b-4a81-260a085f4872	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Perform disposition review	b5a4be05-3997-1731-3260-98be653610f6	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Perform information input validation	8b1f29eb-1b22-4217-5337-9207cb55231e	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Perform vulnerability scans	3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Plan for continuance of essential business functions	d9edcea6-6cb8-0266-a48c-2061fbac4310	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Plan for resumption of essential business functions	7ded6497-815d-6506-242b-e043e0273928	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Prevent identifier reuse for the defined time period	4781e5fd-76b8-7d34-6df3-a0a7fca47665	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Prevent split tunneling for remote devices	66e5cb69-9f1c-8b8d-8fbd-b832466d5aa8	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Produce complete records of remote maintenance activities	74041cfe-3f87-1d17-79ec-34ca5f895542	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Produce Security Assessment report	70a7a065-a060-85f8-7863-eb7850ed2af9	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Produce, control and distribute asymmetric cryptographic keys	de077e7e-0cc8-65a6-6e08-9ab46c827b05	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Prohibit remote activation of collaborative computing devices	678ca228-042d-6d8e-a598-c58d5670437d	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Prohibit unfair practices	5fe84a4c-1b0c-a738-2aba-ed49c9069d3b	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Protect administrator and user documentation	09960521-759e-5d12-086f-4192a72a5e92	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Protect against and prevent data theft from departing employees	80a97208-264e-79da-0cc7-4fca179a0c9c	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Protect audit information	0e696f5a-451f-5c15-5532-044136538491	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Protect data in transit using encryption	b11697e8-9515-16f1-7a35-477d5c8a1344	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Protect incident response plan	2401b496-7f23-79b2-9f80-89bb5abf3d4a	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Protect passwords with encryption	b2d3e5a2-97ab-5497-565a-71172a729d93	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Protect special information	a315c657-4a00-8eba-15ac-44692ad24423	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Protect the information security program plan	2e7a98c9-219f-0d58-38dc-d69038224442	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Protect wireless access	d42a8f69-a193-6cbc-48b9-04a9e29961f1	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Provide contingency training	de936662-13dc-204c-75ec-1af80f994088	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Provide information spillage training	2d4d0e90-32d9-4deb-2166-a00d51ed57c0	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Provide monitoring information as needed	7fc1f0da-0050-19bb-3d75-81ae15940df6	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Provide periodic role-based security training	9ac8621d-9acd-55bf-9f99-ee4212cc3d85	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Provide periodic security awareness training	516be556-1353-080d-2c2f-f46f000d5785	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Provide privacy notice	098a7b84-1031-66d8-4e78-bd15b5fd2efb	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Provide privacy training	518eafdd-08e5-37a9-795b-15a8d798056d	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Provide role-based security training	4c385143-09fd-3a34-790c-a5fd9ec77ddc	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Provide secure name and address resolution services	bbb2e6d6-085f-5a35-a55d-e45daad38933	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Provide security training before providing access	2b05dca2-25ec-9335-495c-29155f785082	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Provide security training for new users	1cb7bf71-841c-4741-438a-67c65fdd7194	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Provide timely maintenance support	eb598832-4bcc-658d-4381-3ecbe17b9866	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Provide updated security awareness training	d136ae80-54dd-321c-98b4-17acf4af2169	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Publish access procedures in SORNs	b2c723e8-a1a0-8e38-5cf1-f5a20ffe4f51	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Publish rules and regulations accessing Privacy Act records	ad1d562b-a04b-15d3-6770-ed310b601cb5	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Reassign or remove user privileges as needed	7805a343-275c-41be-9d62-7215b96212d8	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Reauthenticate or terminate a user session	d6653f89-7cb5-24a4-9d71-51581038231b	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Record disclosures of PII to third parties	8b1da407-5e60-5037-612e-2caa1b590719	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Recover and reconstitute resources after any disruption	f33c3238-11d2-508c-877c-4262ec1132e1	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Reevaluate access upon personnel transfer	e89436d8-6a93-3b62-4444-1d2a42ad56b2	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Refresh authenticators	3ae68d9a-5696-8c32-62d3-c6f9c52e437c	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Reissue authenticators for changed groups and accounts	2f204e72-1896-3bf8-75c9-9128b8683a36	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Remediate information system flaws	be38a620-000b-21cf-3cb3-ea151b704c3b	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Report atypical behavior of user accounts	e4054c0e-1184-09e6-4c5e-701e0bc90f81	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Require approval for account creation	de770ba6-50dd-a316-2932-e0d972eaa734	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Require compliance with intellectual property rights	725164e5-3b21-1ec2-7e42-14f077862841	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Require developers to build security architecture	f131c8c5-a54a-4888-1efc-158928924bc1	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Require developers to describe accurate security functionality	3e37c891-840c-3eb4-78d2-e2e0bb5063e0	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Require developers to document approved changes and potential impact	3a868d0c-538f-968b-0191-bddb44da5b75	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Require developers to implement only approved changes	085467a6-9679-5c65-584a-f55acefd0d43	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Require developers to manage change integrity	b33d61c1-7463-7025-0ec0-a47585b59147	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Require developers to produce evidence of security assessment plan execution	f8a63511-66f1-503f-196d-d6217ee0823a	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Require developers to provide unified security protection approach	7a114735-a420-057d-a651-9a73cd0416ef	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Require external service providers to comply with security requirements	4e45863d-9ea9-32b4-a204-2680bc6007a6	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Require interconnection security agreements	096a7055-30cb-2db4-3fda-41b20ac72667	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Require notification of third-party personnel transfer or termination	afd5d60a-48d2-8073-1ec2-6687e22f2ddd	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Require third-party providers to comply with personnel security policies and procedures	e8c31e15-642d-600f-78ab-bad47a5787e6	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Require users to sign access agreement	3af53f59-979f-24a8-540f-d7cdbc366607	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Rescreen individuals at a defined frequency	c6aeb800-0b19-944d-92dc-59b893722329	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Restrict access to private keys	8d140e8b-76c7-77de-1d46-ed1b2e112444	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Restrict access to privileged accounts	873895e8-0e3a-6492-42e9-22cd030e9fcd	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Restrict communications	5020f3f4-a579-2f28-72a8-283c5a0b15f9	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Restrict media use	6122970b-8d4a-7811-0278-4c6c68f61e4f	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Resume all mission and business functions	91a54089-2d69-0f56-62dc-b6371a1671c0	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Retain security policies and procedures	efef28d0-3226-966a-a1e8-70e89c1b30bc	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Retain terminated user data	7c7032fe-9ce6-9092-5890-87a1a3755db1	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Retain training records	3153d9c0-2584-14d3-362d-578b01358aeb	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Reveal error messages	20762f1e-85fb-31b0-a600-e833633f10fe	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review access control policies and procedures	03d550b4-34ee-03f4-515f-f2e2faf7a413	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review account provisioning logs	a830fe9e-08c9-a4fb-420c-6f6bf1702395	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review administrator assignments weekly	f27a298f-9443-014a-0d40-fef12adf0259	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review and reevaluate privileges	585af6e9-90c0-4575-67a7-2f9548972e32	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review and sign revised rules of behavior	6c0a312f-04c5-5c97-36a5-e56763a02b6b	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review and update configuration management policies and procedures	eb8a8df9-521f-3ccd-7e2c-3d1fcc812340	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review and update contingency planning policies and procedures	e9c60c37-65b0-2d72-6c3c-af66036203ae	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review and update identification and authentication policies and procedures	29acfac0-4bb4-121b-8283-8943198b1549	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review and update incident response policies and procedures	b28c8687-4bbd-8614-0b96-cdffa1ac6d9c	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review and update information integrity policies and procedures	6bededc0-2985-54d5-4158-eb8bad8070a0	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review and update media protection policies and procedures	b4e19d22-8c0e-7cad-3219-c84c62dc250f	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review and update personnel security policies and procedures	e5c5fc78-4aa5-3d6b-81bc-5fcc88b318e9	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review and update physical and environmental policies and procedures	91cf132e-0c9f-37a8-a523-dc6a92cd2fb2	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review and update planning policies and procedures	28aa060e-25c7-6121-05d8-a846f11433df	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review and update risk assessment policies and procedures	20012034-96f0-85c2-4a86-1ae1eb457802	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review and update system and communications protection policies and procedures	adf517f3-6dcd-3546-9928-34777d0c277e	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review and update system and services acquisition policies and procedures	f49925aa-9b11-76ae-10e2-6e973cc60f37	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review and update system maintenance policies and procedures	2067b904-9552-3259-0cdd-84468e284b7c	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review and update the events defined in AU-02	a930f477-9dcb-2113-8aa7-45bb6fc90861	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review and update the information security architecture	ced291b8-1d3d-7e27-40cf-829e9dd523c8	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review audit data	6625638f-3ba1-7404-5983-0ea33d719d34	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review changes for any unauthorized changes	c246d146-82b0-301f-32e7-1065dcd248b7	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review cloud identity report overview	8aec4343-9153-9641-172c-defb201f56b3	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review cloud service provider's compliance with policies and agreements	ffea18d9-13de-6505-37f3-4c1f88070ad7	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review contingency plan	53fc1282-0ee3-2764-1319-e20143bb0ea5	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review controlled folder access events	f48b60c6-4b37-332f-7288-b6ea50d300eb	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review development process, standards and tools	1e876c5c-0f2a-8eb6-69f7-5f91e7918ed6	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review file and folder activity	ef718fe4-7ceb-9ddf-3198-0ee8f6fe9cba	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review label activity and analytics	e23444b9-9662-40f3-289e-6d25c02b48fa	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review malware detections report weekly	4a6f5cbd-6c6b-006f-2bb1-091af1441bce	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review role group changes weekly	70fe686f-1f91-7dab-11bf-bca4201e183b	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review security assessment and authorization policies and procedures	a4493012-908c-5f48-a468-1e243be884ce	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review the results of contingency plan testing	5d3abfea-a130-1208-29c0-e57de80aa6b0	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review threat protection status weekly	fad161f5-5261-401a-22dd-e037bae011bd	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review user accounts	79f081c7-1634-01a1-708e-376197999289	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review user groups and applications with access to sensitive data	eb1c944e-0e94-647b-9b7e-fdb8d2af0838	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Review user privileges	f96d2186-79df-262d-3f76-f371e3b71798	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Revoke privileged roles as appropriate	32f22cfa-770b-057c-965b-450898425519	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Route traffic through managed network access points	bab9ef1d-a16d-421a-822d-3fa94e808156	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Secure commitment from leadership	70057208-70cc-7b31-3c3a-121af6bc1966	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Secure the interface to external systems	ff1efad2-6b09-54cc-01bf-d386c4d558a8	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Secure transfer to storage accounts should be enabled	404c3081-a854-4457-ae30-26a93ef643f9	Storage	Default Audit Allowed Audit, Deny, Disabled	0		GA
Select additional testing for security control assessments	f78fc35e-1268-0bca-a798-afcba9d2330a	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Separate duties of individuals	60ee1260-97f0-61bb-8155-5d8b75743655	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Separate user and information system management functionality	8a703eb5-4e53-701b-67e4-05ba2f7930c8	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Separately store backup information	fc26e2fd-3149-74b4-5988-d64bb90f8ef7	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign	617c02be-7f02-4efd-8836-3180d47b6c68	Service Fabric	Default Audit Allowed Audit, Deny, Disabled	0		GA
Service Fabric clusters should only use Azure Active Directory for client authentication	b54ed75b-3e1a-44ac-a333-05ba39b99ff0	Service Fabric	Default Audit Allowed Audit, Deny, Disabled	0		GA
Set automated notifications for new and trending cloud applications in your organization	af38215f-70c4-0cd6-40c2-c52d86690a45	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
SQL databases should have vulnerability findings resolved	feedbf84-6b99-488c-acc2-71c829aa5ffc	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Storage accounts should be migrated to new Azure Resource Manager resources	37e0d2fe-28a5-43d6-a273-67d37d1f5606	Storage	Default Audit Allowed Audit, Deny, Disabled	0		GA
Storage accounts should restrict network access	34c877ad-507e-4c82-993e-3452a6e0ad3c	Storage	Default Audit Allowed Audit, Deny, Disabled	0		GA
Support personal verification credentials issued by legal authorities	1d39b5d9-0392-8954-8359-575ce1957d1a	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
System updates should be installed on your machines	86b3d65f-7626-441e-b690-81a8b71cff60	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Terminate customer controlled account credentials	76d66b5c-85e4-93f5-96a5-ebb2fad61dc6	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Terminate user session automatically	4502e506-5f35-0df4-684f-b326e3cc7093	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Test the business continuity and disaster recovery plan	58a51cde-008b-1a5d-61b5-d95849770677	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
There should be more than one owner assigned to your subscription	09024ccc-0c5f-475e-9457-b7c0d9ed487b	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Track software license usage	77cc89bb-774f-48d7-8a84-fb8c322c3000	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Train personnel on disclosure of nonpublic information	97f0d974-1486-01e2-2088-b888f46c0589	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Train staff on PII sharing and its consequences	8019d788-713d-90a1-5570-dac5052f517d	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Transfer backup information to an alternate storage site	7bdb79ea-16b8-453e-4ca4-ad5b16012414	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Transparent Data Encryption on SQL databases should be enabled	17k78e20-9358-41c9-923c-fb736d382a12	SQL	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA
Turn on sensors for endpoint security solution	5fc24b95-53f7-0ed1-2330-701b539b97fe	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Undergo independent security review	9b55929b-0101-47c0-a16e-d6ac5c7d21f8	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Update antivirus definitions	ea9d7c95-2f10-8a4d-61d8-7469bd2e8d65	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Update contingency plan	14a4fd0a-9100-1e12-1362-792014a28155	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Update information security policies	5226dee6-3420-711b-4709-8e675ebd828f	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Update interconnection security agreements	d48a6f19-a284-6fc6-0623-3367a74d3f50	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Update organizational access agreements	e21f91d1-2803-0282-5f2d-26ebc4b170ef	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Update POA&M items	cc057769-01d9-95ad-a36f-1e62a7f9540b	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Update privacy plan, policies, and procedures	96333008-988d-4add-549b-92b3a8c42063	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Update rules of behavior and access agreements	6610f662-37e9-2f71-65be-502bdc2f554d	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Update rules of behavior and access agreements every 3 years	7ad83b58-2042-085d-08f0-13e946f26f89	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Use dedicated machines for administrative tasks	b8972f60-8d77-1cb8-686f-9c9f4cdd8a59	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Use privileged identity management	e714b481-8fac-64a2-14a9-6f079b2501a4	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Use system clocks for audit records	1ee4c7eb-480a-0007-77ff-4ba370776266	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Verify identity before distributing authenticators	72889284-15d2-90b2-4b39-a1e9541e1152	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Verify personal data is deleted at the end of processing	c6b877a6-5d6d-1862-4b7f-3ccc30b25b63	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Verify security controls for external information systems	dc7ec756-221c-33c8-0afe-c48e10e42321	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
View and configure system diagnostic data	0123edae-3567-a05a-9b05-b53ebe9d3e7e	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
View and investigate restricted users	98145a9b-428a-7e81-9d14-ebb154a24f93	Regulatory Compliance	Default Manual Allowed Manual, Disabled	0		GA
Virtual machines should be migrated to new Azure Resource Manager resources	1d84d5fb-01f6-4d12-ba4f-4a26081d403d	Compute	Default Audit Allowed Audit, Deny, Disabled	0		GA
Vulnerabilities in security configuration on your machines should be remediated	e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15	Security Center	Default AuditIfNotExists Allowed AuditIfNotExists, Disabled	0		GA

Roles used

Total Roles usage: 4
Total Roles unique usage: 1

Role	Role Id	Policies count	Policies
Contributor	b24988ac-6180-42a0-ab88-20f7382dd24c	4	Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities, Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity, Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs, Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs

History

Date/Time (UTC ymd) (i)	Changes
2024-06-06 18:16:34	Version change: '8.1.0' to '8.2.0' remove Policy [Deprecated]: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources (0961003e-5a0a-4549-abde-af6a37f2724d)
2023-05-04 17:45:12	add Policy Accounts with owner permissions on Azure resources should be MFA enabled (e3e008c3-56b9-4133-8fd7-d3347377402a) add Policy Accounts with read permissions on Azure resources should be MFA enabled (81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4) add Policy Guest accounts with owner permissions on Azure resources should be removed (339353f6-2387-4a45-abe4-7f529d121046) add Policy Guest accounts with write permissions on Azure resources should be removed (94e1c2ac-cbbe-4cac-a2b5-389c812dee87) add Policy Accounts with write permissions on Azure resources should be MFA enabled (931e118d-50a1-4457-a5e4-78550e086c52) add Policy Blocked accounts with owner permissions on Azure resources should be removed (0cfea604-3201-4e14-88fc-fae4c427a6c5) add Policy Blocked accounts with read and write permissions on Azure resources should be removed (8d7e1fde-fe26-4b5f-8108-f8e432cbc2be) Version change: '8.0.0' to '8.1.0' remove Policy [Deprecated]: Deprecated accounts with owner permissions should be removed from your subscription (ebb62a0c-3560-49e1-89ed-27e074e9f8ad) remove Policy [Deprecated]: MFA should be enabled on accounts with owner permissions on your subscription (aa633080-8b72-40c4-a2d7-d00c03e80bed) remove Policy [Deprecated]: External accounts with owner permissions should be removed from your subscription (f8456c1c-aa66-4dfb-861a-25d127b775c9) remove Policy [Deprecated]: MFA should be enabled for accounts with write permissions on your subscription (9297c21d-2ed6-4474-b48f-163f75654ce3) remove Policy [Deprecated]: MFA should be enabled on accounts with read permissions on your subscription (e3576e28-8b17-4677-84c3-db2990658d64) remove Policy [Deprecated]: Deprecated accounts should be removed from your subscription (6b1cbf55-e8b6-442f-ba4c-7246b6381474) remove Policy [Deprecated]: External accounts with write permissions should be removed from your subscription (5c607a2e-c700-4744-8254-d77e7c9eb5e4)
2022-09-27 16:35:21	add Policy Review and update contingency planning policies and procedures (e9c60c37-65b0-2d72-6c3c-af66036203ae) add Policy Install an alarm system (aa0ddd99-43eb-302d-3f8f-42b499182960) add Policy Automate account management (2cc9c165-46bd-9762-5739-d2aae5ba90a1) add Policy Retain training records (3153d9c0-2584-14d3-362d-578b01358aeb) add Policy Implement personnel screening (e0c480bf-0d68-a42d-4cbb-b60f851f8716) add Policy Establish procedures for initial authenticator distribution (35963d41-4263-0ef9-98d5-70eb058f9e3c) add Policy Document and implement privacy complaint procedures (eab4450d-9e5c-4f38-0656-2ff8c78c83f3) add Policy Provide monitoring information as needed (7fc1f0da-0050-19bb-3d75-81ae15940df6) add Policy Enforce and audit access restrictions (8cd815bf-97e1-5144-0735-11f6ddb50a59) add Policy Review security assessment and authorization policies and procedures (a4493012-908c-5f48-a468-1e243be884ce) add Policy Assess information security events (37b0045b-3887-367b-8b4d-b9a6fa911bb9) add Policy Control use of portable storage devices (36b74844-4a99-4c80-1800-b18a516d1585) add Policy Establish conditions for role membership (97cfd944-6f0c-7db2-3796-8e890ef70819) add Policy Use dedicated machines for administrative tasks (b8972f60-8d77-1cb8-686f-9c9f4cdd8a59) add Policy Establish a data leakage management procedure (3c9aa856-6b86-35dc-83f4-bc72cec74dea) add Policy Review user accounts (79f081c7-1634-01a1-708e-376197999289) add Policy Produce complete records of remote maintenance activities (74041cfe-3f87-1d17-79ec-34ca5f895542) add Policy Document third-party personnel security requirements (b320aa42-33b4-53af-87ce-100091d48918) add Policy Review user groups and applications with access to sensitive data (eb1c944e-0e94-647b-9b7e-fdb8d2af0838) add Policy Update antivirus definitions (ea9d7c95-2f10-8a4d-61d8-7469bd2e8d65) add Policy Manage symmetric cryptographic keys (9c276cf3-596f-581a-7fbd-f5e46edaa0f4) add Policy Employ a media sanitization mechanism (eaaae23f-92c9-4460-51cf-913feaea4d52) add Policy Provide role-based security training (4c385143-09fd-3a34-790c-a5fd9ec77ddc) add Policy Identify and authenticate network devices (ae5345d5-8dab-086a-7290-db43a3272198) add Policy Define cryptographic use (c4ccd607-702b-8ae6-8eeb-fc3339cd4b42) add Policy Review role group changes weekly (70fe686f-1f91-7dab-11bf-bca4201e183b) add Policy Identify and authenticate non-organizational users (e1379836-3492-6395-451d-2f5062e14136) add Policy Review threat protection status weekly (fad161f5-5261-401a-22dd-e037bae011bd) add Policy Develop an incident response plan (2b4e134f-1e4c-2bff-573e-082d85479b6e) add Policy Establish information security workforce development and improvement program (b544f797-a73b-1be3-6d01-6b1a085376bc) add Policy Require external service providers to comply with security requirements (4e45863d-9ea9-32b4-a204-2680bc6007a6) add Policy Establish electronic signature and certificate requirements (6f3866e8-6e12-69cf-788c-809d426094a1) add Policy Notify personnel upon sanctions (6228396e-2ace-7ca5-3247-45767dbf52f4) add Policy Provide information spillage training (2d4d0e90-32d9-4deb-2166-a00d51ed57c0) add Policy Develop and document a business continuity and disaster recovery plan (bd6cbcba-4a2d-507c-53e3-296b5c238a8e) add Policy Require developers to manage change integrity (b33d61c1-7463-7025-0ec0-a47585b59147) add Policy Execute actions in response to information spills (ba78efc6-795c-64f4-7a02-91effbd34af9) add Policy Establish and document change control processes (bd4dc286-2f30-5b95-777c-681f3a7913d3) add Policy Limit privileges to make changes in production environment (2af551d5-1775-326a-0589-590bfb7e9eb2) add Policy Document security assurance requirements in acquisition contracts (13efd2d7-3980-a2a4-39d0-527180c009e8) add Policy Develop contingency planning policies and procedures (75b42dcf-7840-1271-260b-852273d7906e) add Policy Issue public key certificates (97d91b33-7050-237b-3e23-a77d57d84e13) add Policy Implement physical security for offices, working areas, and secure areas (05ec66a2-137c-14b8-8e75-3d7a2bef07f8) add Policy Employ independent assessors to conduct security control assessments (b65c5d8e-9043-9612-2c17-65f231d763bb) add Policy Authenticate to cryptographic module (6f1de470-79f3-1572-866e-db0771352fc8) add Policy Restrict access to privileged accounts (873895e8-0e3a-6492-42e9-22cd030e9fcd) add Policy Implement controls to secure alternate work sites (cd36eeec-67e7-205a-4b64-dbfe3b4e3e4e) add Policy Disseminate security alerts to personnel (9c93ef57-7000-63fb-9b74-88f2e17ca5d2) add Policy Provide privacy training (518eafdd-08e5-37a9-795b-15a8d798056d) add Policy Conduct risk assessment and distribute its results (d7c1ecc3-2980-a079-1569-91aec8ac4a77) add Policy Require developers to provide unified security protection approach (7a114735-a420-057d-a651-9a73cd0416ef) add Policy Establish a secure software development program (e750ca06-1824-464a-2cf3-d0fa754d1cb4) add Policy Provide timely maintenance support (eb598832-4bcc-658d-4381-3ecbe17b9866) add Policy Review and update incident response policies and procedures (b28c8687-4bbd-8614-0b96-cdffa1ac6d9c) add Policy Perform audit for configuration change control (1282809c-9001-176b-4a81-260a085f4872) add Policy Establish authenticator types and processes (921ae4c1-507f-5ddb-8a58-cfa9b5fd96f0) add Policy Document security operations (2c6bee3a-2180-2430-440d-db3c7a849870) add Policy Obtain consent prior to collection or processing of personal data (069101ac-4578-31da-0cd4-ff083edd3eb4) add Policy Document the information system environment in acquisition contracts (c148208b-1a6f-a4ac-7abc-23b1d41121b1) add Policy Prohibit unfair practices (5fe84a4c-1b0c-a738-2aba-ed49c9069d3b) add Policy Define requirements for supplying goods and services (2b2f3a72-9e68-3993-2b69-13dcdecf8958) add Policy Authorize and manage access (50e9324a-7410-0539-0662-2c1e775538b7) add Policy Secure commitment from leadership (70057208-70cc-7b31-3c3a-121af6bc1966) add Policy Enable dual or joint authorization (2c843d78-8f64-92b5-6a9b-e8186c0e7eb6) add Policy Manage the transportation of assets (4ac81669-00e2-9790-8648-71bc11bc91eb) add Policy Control maintenance and repair activities (b6ad009f-5c24-1dc0-a25e-74b60e4da45f) add Policy Monitor security and privacy training completion (82bd024a-5c99-05d6-96ff-01f539676a1a) add Policy Establish terms and conditions for accessing resources (3c93dba1-84fd-57de-33c7-ef0400a08134) add Policy Require notification of third-party personnel transfer or termination (afd5d60a-48d2-8073-1ec2-6687e22f2ddd) add Policy Develop information security policies and procedures (af227964-5b8b-22a2-9364-06d2cb9d6d7c) add Policy Authorize remote access (dad8a2e9-6f27-4fc2-8933-7e99fe700c9c) add Policy Define requirements for managing assets (25a1f840-65d0-900a-43e4-bee253de04de) add Policy Automate process to prohibit implementation of unapproved changes (7d10debd-4775-85a7-1a41-7e128e0e8c50) add Policy Reauthenticate or terminate a user session (d6653f89-7cb5-24a4-9d71-51581038231b) add Policy Configure detection whitelist (2927e340-60e4-43ad-6b5f-7a1468232cc2) add Policy Publish rules and regulations accessing Privacy Act records (ad1d562b-a04b-15d3-6770-ed310b601cb5) add Policy Restrict communications (5020f3f4-a579-2f28-72a8-283c5a0b15f9) add Policy Establish backup policies and procedures (4f23967c-a74b-9a09-9dc2-f566f61a87b9) add Policy Monitor privileged role assignment (ed87d27a-9abf-7c71-714c-61d881889da4) add Policy Designate individuals to fulfill specific roles and responsibilities (8b077bff-516f-3983-6c42-c86e9a11868b) add Policy Obtain Admin documentation (3f1216b0-30ee-1ac9-3899-63eb744e85f5) add Policy Review and update personnel security policies and procedures (e5c5fc78-4aa5-3d6b-81bc-5fcc88b318e9) add Policy Develop acceptable use policies and procedures (42116f15-5665-a52a-87bb-b40e64c74b6c) add Policy Establish third-party personnel security requirements (3881168c-5d38-6f04-61cc-b5d87b2c4c58) add Policy Require approval for account creation (de770ba6-50dd-a316-2932-e0d972eaa734) add Policy Develop and establish a system security plan (b2ea1058-8998-3dd1-84f1-82132ad482fd) add Policy Develop business classification schemes (11ba0508-58a8-44de-5f3a-9e05d80571da) add Policy Retain security policies and procedures (efef28d0-3226-966a-a1e8-70e89c1b30bc) add Policy Integrate cloud app security with a siem (9fdde4a9-85fa-7850-6df4-ae9c4a2e56f9) add Policy Notify upon termination or transfer (c79d378a-2521-822a-0407-57454f8d2c74) add Policy Review and update information integrity policies and procedures (6bededc0-2985-54d5-4158-eb8bad8070a0) add Policy Information flow control using security policy filters (13ef3484-3a51-785a-9c96-500f21f84edd) add Policy Review controlled folder access events (f48b60c6-4b37-332f-7288-b6ea50d300eb) add Policy Audit privileged functions (f26af0b1-65b6-689a-a03f-352ad2d00f98) add Policy Prohibit remote activation of collaborative computing devices (678ca228-042d-6d8e-a598-c58d5670437d) add Policy Train personnel on disclosure of nonpublic information (97f0d974-1486-01e2-2088-b888f46c0589) add Policy Determine auditable events (2f67e567-03db-9d1f-67dc-b6ffb91312f4) add Policy Establish and maintain an asset inventory (27965e62-141f-8cca-426f-d09514ee5216) add Policy Prevent identifier reuse for the defined time period (4781e5fd-76b8-7d34-6df3-a0a7fca47665) add Policy Protect special information (a315c657-4a00-8eba-15ac-44692ad24423) add Policy Conduct exit interview upon termination (496b407d-9b9e-81e8-4ba4-44bc686b016a) add Policy Employ flow control mechanisms of encrypted information (79365f13-8ba4-1f6c-2ac4-aa39929f56d0) add Policy Review cloud service provider's compliance with policies and agreements (ffea18d9-13de-6505-37f3-4c1f88070ad7) add Policy Determine supplier contract obligations (67ada943-8539-083d-35d0-7af648974125) add Policy Ensure alternate storage site safeguards are equivalent to primary site (178c8b7e-1b6e-4289-44dd-2f1526b678a1) add Policy Document security and privacy training activities (524e7136-9f6a-75ba-9089-501018151346) add Policy Recover and reconstitute resources after any disruption (f33c3238-11d2-508c-877c-4262ec1132e1) add Policy Review and update planning policies and procedures (28aa060e-25c7-6121-05d8-a846f11433df) add Policy Review and update media protection policies and procedures (b4e19d22-8c0e-7cad-3219-c84c62dc250f) add Policy Document remote access guidelines (3d492600-27ba-62cc-a1c3-66eb919f6a0d) add Policy Integrate risk management process into SDLC (00f12b6f-10d7-8117-9577-0f2b76488385) add Policy Select additional testing for security control assessments (f78fc35e-1268-0bca-a798-afcba9d2330a) add Policy Provide secure name and address resolution services (bbb2e6d6-085f-5a35-a55d-e45daad38933) add Policy Develop and maintain baseline configurations (2f20840e-7925-221c-725d-757442753e7c) add Policy Establish a threat intelligence program (b0e3035d-6366-2e37-796e-8bcab9c649e6) add Policy Automate remote maintenance activities (b8587fce-138f-86e8-33a3-c60768bf1da6) add Policy Automate implementation of approved change notifications (c72fc0c8-2df8-7506-30be-6ba1971747e1) add Policy Employ automated training environment (c8aa992d-76b7-7ca0-07b3-31a58d773fa9) add Policy Maintain records of processing of personal data (92ede480-154e-0e22-4dca-8b46a74a3a51) add Policy Explicitly notify use of collaborative computing devices (62fa14f0-4cbe-762d-5469-0899a99b98aa) add Policy Not allow for information systems to accompany with individuals (41172402-8d73-64c7-0921-909083c086b0) add Policy Monitor access across the organization (48c816c5-2190-61fc-8806-25d6f3df162f) add Policy Correlate audit records (10874318-0bf7-a41f-8463-03e395482080) add Policy Document security functional requirements in acquisition contracts (57927290-8000-59bf-3776-90c468ac5b4b) add Policy Establish a discrete line item in budgeting documentation (06af77de-02ca-0f3e-838a-a9420fe466f5) add Policy Perform a privacy impact assessment (d18af1ac-0086-4762-6dc8-87cdded90e39) add Policy Check for privacy and security compliance before establishing internal connections (ee4bbbbb-2e52-9adb-4e3a-e641f7ac68ab) add Policy Designate authorized personnel to post publicly accessible information (b4512986-80f5-1656-0c58-08866bd2673a) add Policy Protect against and prevent data theft from departing employees (80a97208-264e-79da-0cc7-4fca179a0c9c) add Policy Initiate transfer or reassignment actions (b8a9bb2f-7290-3259-85ce-dca7d521302d) add Policy Plan for resumption of essential business functions (7ded6497-815d-6506-242b-e043e0273928) add Policy Implement managed interface for each external service (b262e1dd-08e9-41d4-963a-258909ad794b) add Policy Review cloud identity report overview (8aec4343-9153-9641-172c-defb201f56b3) add Policy Review access control policies and procedures (03d550b4-34ee-03f4-515f-f2e2faf7a413) add Policy Refresh authenticators (3ae68d9a-5696-8c32-62d3-c6f9c52e437c) add Policy Manage compliance activities (4e400494-53a5-5147-6f4d-718b539c7394) add Policy Establish a privacy program (39eb03c1-97cc-11ab-0960-6209ed2869f7) add Policy Govern compliance of cloud service providers (5c33538e-02f8-0a7f-998b-a4c1e22076d3) add Policy Implement training for protecting authenticators (e4b00788-7e1c-33ec-0418-d048508e095b) add Policy Establish a password policy (d8bbd80e-3bb1-5983-06c2-428526ec6a63) add Policy Align business objectives and IT goals (ab02bb73-4ce1-89dd-3905-d93042809ba0) add Policy Implement security directives (26d178a4-9261-6f04-a100-47ed85314c6e) add Policy Review and update configuration management policies and procedures (eb8a8df9-521f-3ccd-7e2c-3d1fcc812340) add Policy Establish security requirements for the manufacturing of connected devices (afbecd30-37ee-a27b-8e09-6ac49951a0ee) add Policy Identify external service providers (46ab2c5e-6654-1f58-8c83-e97a44f39308) add Policy Route traffic through managed network access points (bab9ef1d-a16d-421a-822d-3fa94e808156) add Policy Update interconnection security agreements (d48a6f19-a284-6fc6-0623-3367a74d3f50) add Policy Provide privacy notice (098a7b84-1031-66d8-4e78-bd15b5fd2efb) add Policy Manage system and admin accounts (34d38ea7-6754-1838-7031-d7fd07099821) add Policy Adopt biometric authentication mechanisms (7d7a8356-5c34-9a95-3118-1424cfaf192a) add Policy Conduct capacity planning (33602e78-35e3-4f06-17fb-13dd887448e4) add Policy Undergo independent security review (9b55929b-0101-47c0-a16e-d6ac5c7d21f8) add Policy Distribute information system documentation (84a01872-5318-049e-061e-d56734183e84) add Policy Identify individuals with security roles and responsibilities (0dcbaf2f-075e-947b-8f4c-74ecc5cd302c) add Policy Reevaluate access upon personnel transfer (e89436d8-6a93-3b62-4444-1d2a42ad56b2) add Policy Protect incident response plan (2401b496-7f23-79b2-9f80-89bb5abf3d4a) add Policy Review the results of contingency plan testing (5d3abfea-a130-1208-29c0-e57de80aa6b0) add Policy Manage maintenance personnel (b273f1e3-79e7-13ee-5b5d-dca6c66c3d5d) add Policy Implement an automated configuration management tool (33832848-42ab-63f3-1a55-c0ad309d44cd) add Policy Determine assertion requirements (7a0ecd94-3699-5273-76a5-edb8499f655a) add Policy Incorporate flaw remediation into configuration management (34aac8b2-488a-2b96-7280-5b9b481a317a) add Policy Establish alternate storage site to store and retrieve backup information (0a412110-3874-9f22-187a-c7a81c8a6704) add Policy Provide periodic role-based security training (9ac8621d-9acd-55bf-9f99-ee4212cc3d85) add Policy Create a data inventory (043c1e56-5a16-52f8-6af8-583098ff3e60) add Policy Implement transaction based recovery (ba02d0a0-566a-25dc-73f1-101c726a19c5) add Policy Develop security assessment plan (1c258345-5cd4-30c8-9ef3-5ee4dd5231d6) add Policy Review and update identification and authentication policies and procedures (29acfac0-4bb4-121b-8283-8943198b1549) add Policy Require developers to produce evidence of security assessment plan execution (f8a63511-66f1-503f-196d-d6217ee0823a) add Policy Incorporate security and data privacy practices in research processing (834b7a4a-83ab-2188-1a26-9c5033d8173b) add Policy Publish access procedures in SORNs (b2c723e8-a1a0-8e38-5cf1-f5a20ffe4f51) add Policy Obtain legal opinion for monitoring system activities (d9af7f88-686a-5a8b-704b-eafdab278977) add Policy Update privacy plan, policies, and procedures (96333008-988d-4add-549b-92b3a8c42063) add Policy Implement plans of action and milestones for security program process (d93fe1be-13e4-421d-9c21-3158e2fa2667) add Policy Modify access authorizations upon personnel transfer (979ed3b6-83f9-26bc-4b86-5b05464700bf) add Policy Document personnel acceptance of privacy requirements (271a3e58-1b38-933d-74c9-a580006b80aa) add Policy Employ boundary protection to isolate information systems (311802f9-098d-0659-245a-94c5d47c0182) add Policy Provide updated security awareness training (d136ae80-54dd-321c-98b4-17acf4af2169) add Policy Implement the risk management strategy (c6fe3856-4635-36b6-983c-070da12a953b) add Policy Define performance metrics (39999038-9ef1-602a-158c-ce2367185230) add Policy Protect data in transit using encryption (b11697e8-9515-16f1-7a35-477d5c8a1344) add Policy Ensure there are no unencrypted static authenticators (eda0cbb7-6043-05bf-645b-67411f1a59b3) add Policy Audit user account status (49c23d9b-02b0-0e42-4f94-e8cef1b8381b) add Policy Test the business continuity and disaster recovery plan (58a51cde-008b-1a5d-61b5-d95849770677) add Policy Use privileged identity management (e714b481-8fac-64a2-14a9-6f079b2501a4) add Policy Update rules of behavior and access agreements (6610f662-37e9-2f71-65be-502bdc2f554d) add Policy Reveal error messages (20762f1e-85fb-31b0-a600-e833633f10fe) add Policy Manage security state of information systems (6baae474-434f-2e91-7163-a72df30c4847) add Policy Develop SSP that meets criteria (6b957f60-54cd-5752-44d5-ff5a64366c93) add Policy Disable authenticators upon termination (d9d48ffb-0d8c-0bd5-5f31-5a5826d19f10) add Policy Reissue authenticators for changed groups and accounts (2f204e72-1896-3bf8-75c9-9128b8683a36) add Policy Enforce user uniqueness (e336d5f4-4d8f-0059-759c-ae10f63d1747) add Policy Compile Audit records into system wide audit (214ea241-010d-8926-44cc-b90a96d52adc) add Policy Monitor account activity (7b28ba4f-0a87-46ac-62e1-46b7c09202a8) add Policy Provide security training for new users (1cb7bf71-841c-4741-438a-67c65fdd7194) add Policy Review user privileges (f96d2186-79df-262d-3f76-f371e3b71798) add Policy Document access privileges (a08b18c7-9e0a-89f1-3696-d80902196719) add Policy Review changes for any unauthorized changes (c246d146-82b0-301f-32e7-1065dcd248b7) add Policy Review and sign revised rules of behavior (6c0a312f-04c5-5c97-36a5-e56763a02b6b) add Policy Implement formal sanctions process (5decc032-95bd-2163-9549-a41aba83228e) add Policy Configure workstations to check for digital certificates (26daf649-22d1-97e9-2a8a-01b182194d59) add Policy Employ business case to record the resources required (2d14ff7e-6ff9-838c-0cde-4962ccdb1689) add Policy Document the protection of cardholder data in third party contracts (77acc53d-0f67-6e06-7d04-5750653d4629) add Policy Identify actions allowed without authentication (92a7591f-73b3-1173-a09c-a08882d84c70) add Policy Configure Azure Audit capabilities (a3e98638-51d4-4e28-910a-60e98c1a756f) add Policy Develop a concept of operations (CONOPS) (e7422f08-65b4-50e4-3779-d793156e0079) add Policy Adjust level of audit review, analysis, and reporting (de251b09-4a5e-1204-4bef-62ac58d47999) add Policy Protect wireless access (d42a8f69-a193-6cbc-48b9-04a9e29961f1) add Policy Generate error messages (c2cb4658-44dc-9d11-3dad-7c6802dd5ba3) add Policy Establish an alternate processing site (af5ff768-a34b-720e-1224-e6b3214f3ba6) add Policy Review development process, standards and tools (1e876c5c-0f2a-8eb6-69f7-5f91e7918ed6) add Policy Require developers to document approved changes and potential impact (3a868d0c-538f-968b-0191-bddb44da5b75) add Policy Update POA&M items (cc057769-01d9-95ad-a36f-1e62a7f9540b) add Policy Document mobility training (83dfb2b8-678b-20a0-4c44-5c75ada023e6) add Policy Identify and mitigate potential issues at alternate storage site (13939f8c-4cd5-a6db-9af4-9dfec35e3722) add Policy Establish policies for supply chain risk management (9150259b-617b-596d-3bf5-5ca3fce20335) add Policy Allocate resources in determining information system requirements (90a156a6-49ed-18d1-1052-69aac27c05cd) add Policy Provide contingency training (de936662-13dc-204c-75ec-1af80f994088) add Policy Require developers to build security architecture (f131c8c5-a54a-4888-1efc-158928924bc1) add Policy Enforce rules of behavior and access agreements (509552f5-6528-3540-7959-fbeae4832533) add Policy Require interconnection security agreements (096a7055-30cb-2db4-3fda-41b20ac72667) add Policy Perform disposition review (b5a4be05-3997-1731-3260-98be653610f6) add Policy Develop access control policies and procedures (59f7feff-02aa-6539-2cf7-bea75b762140) add Policy Initiate contingency plan testing corrective actions (8bfdbaa6-6824-3fec-9b06-7961bf7389a6) add Policy Resume all mission and business functions (91a54089-2d69-0f56-62dc-b6371a1671c0) add Policy Define and document government oversight (cbfa1bd0-714d-8d6f-0480-2ad6a53972df) add Policy Deliver security assessment results (8e49107c-3338-40d1-02aa-d524178a2afe) add Policy Produce, control and distribute asymmetric cryptographic keys (de077e7e-0cc8-65a6-6e08-9ab46c827b05) add Policy Enable network protection (8c255136-994b-9616-79f5-ae87810e0dcf) add Policy Categorize information (93fa357f-2e38-22a9-5138-8cc5124e1923) add Policy View and investigate restricted users (98145a9b-428a-7e81-9d14-ebb154a24f93) add Policy Document and distribute a privacy policy (ee67c031-57fc-53d0-0cca-96c4c04345e8) add Policy Ensure access agreements are signed or resigned timely (e7589f4e-1e8b-72c2-3692-1e14d7f3699f) add Policy Document security strength requirements in acquisition contracts (ebb0ba89-6d8c-84a7-252b-7393881e43de) add Policy Verify identity before distributing authenticators (72889284-15d2-90b2-4b39-a1e9541e1152) add Policy Enforce logical access (10c4210b-3ec9-9603-050d-77e4d26c7ebb) add Policy Perform a risk assessment (8c5d3d8d-5cba-0def-257c-5ab9ea9644dc) add Policy Perform a trend analysis on threats (50e81644-923d-33fc-6ebb-9733bc8d1a06) add Policy Obtain user security function documentation (be1c34ab-295a-07a6-785c-36f63c1d223e) add Policy Document protection of security information in acquisition contracts (d78f95ba-870a-a500-6104-8a5ce2534f19) add Policy Require users to sign access agreement (3af53f59-979f-24a8-540f-d7cdbc366607) add Policy Document customer-defined actions (8c44a0ea-9b09-4d9c-0e91-f9bee3d05bfb) add Policy Conduct Risk Assessment (677e1da4-00c3-287a-563d-f4a1cf9b99a0) add Policy Employ least privilege access (1bc7fd64-291f-028e-4ed6-6e07886e163f) add Policy Block untrusted and unsigned processes that run from USB (3d399cf3-8fc6-0efc-6ab0-1412f1198517) add Policy Implement security engineering principles of information systems (df2e9507-169b-4114-3a52-877561ee3198) add Policy Automate proposed documented changes (5c40f27b-6791-18c5-3f85-7b863bd99c11) add Policy Perform vulnerability scans (3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f) add Policy Terminate customer controlled account credentials (76d66b5c-85e4-93f5-96a5-ebb2fad61dc6) add Policy Implement methods for consumer requests (b8ec9ebb-5b7f-8426-17c1-2bc3fcd54c6e) add Policy Update rules of behavior and access agreements every 3 years (7ad83b58-2042-085d-08f0-13e946f26f89) add Policy Conduct backup of information system documentation (b269a749-705e-8bff-055a-147744675cdf) add Policy Develop configuration item identification plan (836f8406-3b8a-11bb-12cb-6c7fa0765668) add Policy Develop contingency plan (aa305b4d-8c84-1754-0c74-dec004e66be0) add Policy Review and update the events defined in AU-02 (a930f477-9dcb-2113-8aa7-45bb6fc90861) add Policy Terminate user session automatically (4502e506-5f35-0df4-684f-b326e3cc7093) add Policy Develop POA&M (477bd136-7dd9-55f8-48ac-bae096b86a07) add Policy Govern policies and procedures (1a2a03a4-9992-5788-5953-d8f6615306de) add Policy Manage contacts for authorities and special interest groups (5269d7e4-3768-501d-7e46-66c56c15622c) add Policy Provide security training before providing access (2b05dca2-25ec-9335-495c-29155f785082) add Policy Develop configuration management plan (04837a26-2601-1982-3da7-bf463e6408f4) add Policy Update information security policies (5226dee6-3420-711b-4709-8e675ebd828f) add Policy Conduct a security impact analysis (203101f5-99a3-1491-1b56-acccd9b66a9e) add Policy Authorize, monitor, and control voip (e4e1f896-8a93-1151-43c7-0ad23b081ee2) add Policy Automate approval request for proposed changes (575ed5e8-4c29-99d0-0e4d-689fb1d29827) add Policy Assign account managers (4c6df5ff-4ef2-4f17-a516-0da9189c603b) add Policy Govern the allocation of resources (33d34fac-56a8-1c0f-0636-3ed94892a709) add Policy Ensure information system fails in known state (12af7c7a-92af-9e96-0d0c-5e732d1a3751) add Policy Verify security controls for external information systems (dc7ec756-221c-33c8-0afe-c48e10e42321) add Policy Require third-party providers to comply with personnel security policies and procedures (e8c31e15-642d-600f-78ab-bad47a5787e6) add Policy Ensure security safeguards not needed when the individuals return (1fdf0b24-4043-3c55-357e-036985d50b52) add Policy Establish requirements for internet service providers (5f2e834d-7e40-a4d5-a216-e49b16955ccf) add Policy Turn on sensors for endpoint security solution (5fc24b95-53f7-0ed1-2330-701b539b97fe) add Policy Manage gateways (63f63e71-6c3f-9add-4c43-64de23e554a7) add Policy Review and reevaluate privileges (585af6e9-90c0-4575-67a7-2f9548972e32) add Policy Support personal verification credentials issued by legal authorities (1d39b5d9-0392-8954-8359-575ce1957d1a) add Policy Create separate alternate and primary storage sites (81b6267b-97a7-9aa5-51ee-d2584a160424) add Policy Review and update the information security architecture (ced291b8-1d3d-7e27-40cf-829e9dd523c8) add Policy Govern and monitor audit processing activities (333b4ada-4a02-0648-3d4d-d812974f1bb2) add Policy Track software license usage (77cc89bb-774f-48d7-8a84-fb8c322c3000) add Policy Generate internal security alerts (171e377b-5224-4a97-1eaa-62a3b5231dac) add Policy Restrict media use (6122970b-8d4a-7811-0278-4c6c68f61e4f) add Policy Document security documentation requirements in acquisition contract (a465e8e9-0095-85cb-a05f-1dd4960d02af) add Policy Conduct a full text analysis of logged privileged commands (8eea8c14-4d93-63a3-0c82-000343ee5204) add Policy Revoke privileged roles as appropriate (32f22cfa-770b-057c-965b-450898425519) add Policy Manage nonlocal maintenance and diagnostic activities (1fb1cb0e-1936-6f32-42fd-89970b535855) add Policy Address coding vulnerabilities (318b2bd9-9c39-9f8b-46a7-048401f33476) add Policy Ensure resources are authorized (0716f0f5-4955-2ccb-8d5e-c6be14d57c0f) add Policy Enforce a limit of consecutive failed login attempts (b4409bff-2287-8407-05fd-c73175a68302) add Policy Enforce security configuration settings (058e9719-1ff9-3653-4230-23f76b6492e0) add Policy Document protection of personal data in acquisition contracts (f9ec3263-9562-1768-65a1-729793635a8d) add Policy Review and update risk assessment policies and procedures (20012034-96f0-85c2-4a86-1ae1eb457802) add Policy Review and update system maintenance policies and procedures (2067b904-9552-3259-0cdd-84468e284b7c) add Policy Produce Security Assessment report (70a7a065-a060-85f8-7863-eb7850ed2af9) add Policy Require developers to implement only approved changes (085467a6-9679-5c65-584a-f55acefd0d43) add Policy Employ independent team for penetration testing (611ebc63-8600-50b6-a0e3-fef272457132) add Policy Review and update physical and environmental policies and procedures (91cf132e-0c9f-37a8-a523-dc6a92cd2fb2) add Policy Protect the information security program plan (2e7a98c9-219f-0d58-38dc-d69038224442) add Policy Review and update system and communications protection policies and procedures (adf517f3-6dcd-3546-9928-34777d0c277e) add Policy Provide periodic security awareness training (516be556-1353-080d-2c2f-f46f000d5785) add Policy Use system clocks for audit records (1ee4c7eb-480a-0007-77ff-4ba370776266) add Policy Employ automatic emergency lighting (aa892c0d-2c40-200c-0dd8-eac8c4748ede) add Policy Maintain incident response plan (37546841-8ea1-5be0-214d-8ac599588332) add Policy Develop security safeguards (423f6d9c-0c73-9cc6-64f4-b52242490368) add Policy Rescreen individuals at a defined frequency (c6aeb800-0b19-944d-92dc-59b893722329) add Policy Plan for continuance of essential business functions (d9edcea6-6cb8-0266-a48c-2061fbac4310) add Policy Automate process to document implemented changes (43ac3ccb-4ef6-7d63-9a3f-6848485ba4e8) add Policy Document the legal basis for processing personal information (79c75b38-334b-1a69-65e0-a9d929a42f75) add Policy Ensure security categorization is approved (6c79c3e5-5f7b-a48a-5c7b-8c158bc01115) add Policy View and configure system diagnostic data (0123edae-3567-a05a-9b05-b53ebe9d3e7e) add Policy Define the duties of processors (52375c01-4d4c-7acc-3aa4-5b3d53a047ec) add Policy Report atypical behavior of user accounts (e4054c0e-1184-09e6-4c5e-701e0bc90f81) add Policy Notify users of system logon or access (fe2dff43-0a8c-95df-0432-cb1c794b17d0) add Policy Control information flow (59bedbdc-0ba9-39b9-66bb-1d1c192384e6) add Policy Review account provisioning logs (a830fe9e-08c9-a4fb-420c-6f6bf1702395) add Policy Establish a risk management strategy (d36700f2-2f0d-7c2a-059c-bdadd1d79f70) add Policy Appoint a senior information security officer (c6cf9f2c-5fd8-3f16-a1f1-f0b69c904928) add Policy Assign system identifiers (f29b17a4-0df2-8a50-058a-8570f9979d28) add Policy Review and update system and services acquisition policies and procedures (f49925aa-9b11-76ae-10e2-6e973cc60f37) add Policy Maintain list of authorized remote maintenance personnel (4ce91e4e-6dab-3c46-011a-aa14ae1561bf) add Policy Perform information input validation (8b1f29eb-1b22-4217-5337-9207cb55231e) add Policy Reassign or remove user privileges as needed (7805a343-275c-41be-9d62-7215b96212d8) add Policy Define information system account types (623b5f0a-8cbd-03a6-4892-201d27302f0c) add Policy Adhere to retention periods defined (1ecb79d7-1a06-9a3b-3be8-f434d04d1ec1) add Policy Identify and manage downstream information exchanges (c7fddb0e-3f44-8635-2b35-dc6b8e740b7c) add Policy Protect passwords with encryption (b2d3e5a2-97ab-5497-565a-71172a729d93) add Policy Implement system boundary protection (01ae60e2-38bb-0a32-7b20-d3a091423409) add Policy Define organizational requirements for cryptographic key management (d661e9eb-4e15-5ba1-6f02-cdc467db0d6c) add Policy Separate user and information system management functionality (8a703eb5-4e53-701b-67e4-05ba2f7930c8) add Policy Transfer backup information to an alternate storage site (7bdb79ea-16b8-453e-4ca4-ad5b16012414) add Policy Establish terms and conditions for processing resources (5715bf33-a5bd-1084-4e19-bc3c83ec1c35) add Policy Discover any indicators of compromise (07b42fb5-027e-5a3c-4915-9d9ef3020ec7) add Policy Alert personnel of information spillage (9622aaa9-5c49-40e2-5bf8-660b7cd23deb) add Policy Define mobile device requirements (9ca3a3ea-3a1f-8ba0-31a8-6aed0fe1a7a4) add Policy Update organizational access agreements (e21f91d1-2803-0282-5f2d-26ebc4b170ef) add Policy Implement parameters for memorized secret verifiers (3b30aa25-0f19-6c04-5ca4-bd3f880a763d) add Policy Document separation of duties (e6f7b584-877a-0d69-77d4-ab8b923a9650) add Policy Define access authorizations to support separation of duties (341bc9f1-7489-07d9-4ec6-971573e1546a) add Policy Review contingency plan (53fc1282-0ee3-2764-1319-e20143bb0ea5) add Policy Notify Account Managers of customer controlled accounts (4b8fd5da-609b-33bf-9724-1c946285a14c) add Policy Implement a fault tolerant name/address service (ced727b3-005e-3c5b-5cd5-230b79d56ee8) add Policy Automate process to highlight unreviewed change proposals (92b49e92-570f-1765-804a-378e6c592e28) add Policy Implement controls to secure all media (e435f7e3-0dd9-58c9-451f-9b44b96c0232) add Policy Protect administrator and user documentation (09960521-759e-5d12-086f-4192a72a5e92) add Policy Verify personal data is deleted at the end of processing (c6b877a6-5d6d-1862-4b7f-3ccc30b25b63) add Policy Manage authenticator lifetime and reuse (29363ae1-68cd-01ca-799d-92c9197c8404) add Policy Ensure capital planning and investment requests include necessary resources (464a7d7a-2358-4869-0b49-6d582ca21292) add Policy Communicate contingency plan changes (a1334a65-2622-28ee-5067-9d7f5b915cc5) add Policy Control physical access (55a7f9a0-6397-7589-05ef-5ed59a8149e7) add Policy Establish and document a configuration management plan (526ed90e-890f-69e7-0386-ba5c0f1f784f) add Policy Retain terminated user data (7c7032fe-9ce6-9092-5890-87a1a3755db1) add Policy Manage the input, output, processing, and storage of data (e603da3a-8af7-4f8a-94cb-1bcc0e0333d2) add Policy Obscure feedback information during authentication process (1ff03f2a-974b-3272-34f2-f6cd51420b30) add Policy Document organizational access agreements (c981fa70-2e58-8141-1457-e7f62ebc2ade) add Policy Coordinate contingency plans with related plans (c5784049-959f-6067-420c-f4cefae93076) add Policy Separate duties of individuals (60ee1260-97f0-61bb-8155-5d8b75743655) add Policy Assign an authorizing official (AO) (e29a8f1b-149b-2fa3-969d-ebee1baa9472) add Policy Assess risk in third party relationships (0d04cb93-a0f1-2f4b-4b1b-a72a1b510d08) add Policy Implement incident handling (433de59e-7a53-a766-02c2-f80f8421469a) add Policy Distribute policies and procedures (eff6e4a5-3efe-94dd-2ed1-25d56a019a82) add Policy Train staff on PII sharing and its consequences (8019d788-713d-90a1-5570-dac5052f517d) add Policy Establish privacy requirements for contractors and service providers (f8d141b7-4e21-62a6-6608-c79336e36bc9) add Policy Enforce mandatory and discretionary access control policies (b1666a13-8f67-9c47-155e-69e027ff6823) add Policy Design an access control model (03b6427e-6072-4226-4bd9-a410ab65317e) add Policy Develop organization code of conduct policy (d02498e0-8a6f-6b02-8332-19adf6711d1e) add Policy Create configuration plan protection (874a6f2e-2098-53bc-3a16-20dcdc425a7e) add Policy Develop and document application security requirements (6de65dc4-8b4f-34b7-9290-eb137a2e2929) add Policy Enable detection of network devices (426c172c-9914-10d1-25dd-669641fc1af4) add Policy Develop and maintain a vulnerability management standard (055da733-55c6-9e10-8194-c40731057ec4) add Policy Establish requirements for audit review and reporting (b3c8cc83-20d3-3890-8bc8-5568777670f4) add Policy Implement controls to protect PII (cf79f602-1e60-5423-6c0c-e632c2ea1fc0) add Policy Establish firewall and router configuration standards (398fdbd8-56fd-274d-35c6-fa2d3b2755a1) add Policy Notify when account is not needed (8489ff90-8d29-61df-2d84-f9ab0f4c5e84) add Policy Eradicate contaminated information (54a9c072-4a93-2a03-6a43-a060d30383d7) add Policy Require developers to describe accurate security functionality (3e37c891-840c-3eb4-78d2-e2e0bb5063e0) add Policy Manage a secure surveillance camera system (f2222056-062d-1060-6dc2-0107a68c34b2) add Policy Prevent split tunneling for remote devices (66e5cb69-9f1c-8b8d-8fbd-b832466d5aa8) add Policy Review audit data (6625638f-3ba1-7404-5983-0ea33d719d34) add Policy Assess Security Controls (c423e64d-995c-9f67-0403-b540f65ba42a) add Policy Conduct risk assessment and document its results (1dbd51c2-2bd1-5e26-75ba-ed075d8f0d68) add Policy Integrate audit review, analysis, and reporting (f741c4e6-41eb-15a4-25a2-61ac7ca232f0) add Policy Review administrator assignments weekly (f27a298f-9443-014a-0d40-fef12adf0259) add Policy Restrict access to private keys (8d140e8b-76c7-77de-1d46-ed1b2e112444) add Policy Define information security roles and responsibilities (ef5a7059-6651-73b1-18b3-75b1b79c1565) add Policy Document and implement wireless access guidelines (04b3e7f6-4841-888d-4799-cda19a0084f6) add Policy Define a physical key management process (51e4b233-8ee3-8bdc-8f5f-f33bd0d229b7) add Policy Ensure privacy program information is publicly available (1beb1269-62ee-32cd-21ad-43d6c9750eb6) add Policy Protect audit information (0e696f5a-451f-5c15-5532-044136538491) add Policy Document acquisition contract acceptance criteria (0803eaa7-671c-08a7-52fd-ac419f775e75) add Policy Maintain data breach records (0fd1ca29-677b-2f12-1879-639716459160) add Policy Monitor third-party provider compliance (f8ded0c6-a668-9371-6bb6-661d58787198) add Policy Set automated notifications for new and trending cloud applications in your organization (af38215f-70c4-0cd6-40c2-c52d86690a45) add Policy Require compliance with intellectual property rights (725164e5-3b21-1ec2-7e42-14f077862841) add Policy Establish an information security program (84245967-7882-54f6-2d34-85059f725b47) add Policy Review file and folder activity (ef718fe4-7ceb-9ddf-3198-0ee8f6fe9cba) add Policy Develop audit and accountability policies and procedures (a28323fe-276d-3787-32d2-cef6395764c4) add Policy Implement privacy notice delivery methods (06f84330-4c27-21f7-72cd-7488afd50244) add Policy Separately store backup information (fc26e2fd-3149-74b4-5988-d64bb90f8ef7) add Policy Document requirements for the use of shared data in contracts (0ba211ef-0e85-2a45-17fc-401d1b3f8f85) add Policy Authorize access to security functions and information (aeed863a-0f56-429f-945d-8bb66bd06841) add Policy Update contingency plan (14a4fd0a-9100-1e12-1362-792014a28155) add Policy Review malware detections report weekly (4a6f5cbd-6c6b-006f-2bb1-091af1441bce) add Policy Designate personnel to supervise unauthorized maintenance activities (7a489c62-242c-5db9-74df-c073056d6fa3) add Policy Clear personnel with access to classified information (c42f19c9-5d88-92da-0742-371a0ea03126) add Policy Secure the interface to external systems (ff1efad2-6b09-54cc-01bf-d386c4d558a8) add Policy Record disclosures of PII to third parties (8b1da407-5e60-5037-612e-2caa1b590719) add Policy Establish network segmentation for card holder data environment (f476f3b0-4152-526e-a209-44e5f8c968d7) add Policy Remediate information system flaws (be38a620-000b-21cf-3cb3-ea151b704c3b) add Policy Review label activity and analytics (e23444b9-9662-40f3-289e-6d25c02b48fa) add Policy Establish configuration management requirements for developers (8747b573-8294-86a0-8914-49e9b06a5ace) add Policy Manage Authenticators (4aacaec9-0628-272c-3e83-0d68446694e0) Version change: '7.0.0' to '8.0.0'
2022-09-21 16:34:39	Description change: 'This initiative includes policies that address a subset of ISO 27001:2013 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/iso27001-init.' to 'The International Organization for Standardization (ISO) 27001 standard provides requirements for establishing, implementing, maintaining, and continuously improving an Information Security Management System (ISMS). These policies address a subset of ISO 27001:2013 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/iso27001-init'
2022-06-10 16:31:22	Version change: '5.0.0' to '7.0.0' remove Policy [Deprecated]: API App should only be accessible over HTTPS (b7ddfbdc-1260-477d-91fd-98bd9be789a6)
2022-03-18 17:53:48	Version change: '4.1.0' to '5.0.0'
2022-01-26 17:48:30	Description change: 'This initiative includes audit and virtual machine extension deployment policies that address a subset of ISO 27001:2013 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/iso27001-init.' to 'This initiative includes policies that address a subset of ISO 27001:2013 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/iso27001-init.'
2021-02-09 14:46:37	Description change: 'This initiative includes audit and virtual machine extension deployment policies that address a subset of ISO 27001:2013 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/iso27001-blueprint.' to 'This initiative includes audit and virtual machine extension deployment policies that address a subset of ISO 27001:2013 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/iso27001-init.'
2021-01-22 09:14:56	add Policy A vulnerability assessment solution should be enabled on your virtual machines (501541f7-f7e7-4cd6-868c-4190fdad3ac9) remove Policy [Deprecated]: Vulnerabilities should be remediated by a Vulnerability Assessment solution (760a85ff-6162-42b3-8d70-698e268f648c)
2020-09-09 11:24:08	add Policy Audit Windows machines that do not restrict the minimum password length to specified number of characters (a2d0e922-65d0-40c4-8f87-ea6da2d307a2) add Policy Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity (497dff13-db2a-4c0f-8603-28fa3b331ab6) add Policy Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs (331e8ea8-378a-410f-a2e5-ae22f38bb0da) add Policy Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs (385f5831-96d4-41db-9a3c-cd3af78aaae6) add Policy Audit Windows machines that do not have the maximum password age set to specified number of days (4ceb8dc2-559c-478b-a15b-733fbf1e3738) add Policy Audit Linux machines that allow remote connections from accounts without passwords (ea53dbee-c6c9-4f0e-9f9e-de0039b78023) add Policy Audit Windows machines that do not have the minimum password age set to specified number of days (237b38db-ca4d-4259-9e47-7882441ca2c0) add Policy Audit Windows machines that do not have the password complexity setting enabled (bf16e0bb-31e1-4646-8202-60a235cc7e74) add Policy Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities (3cf2ab00-13f1-4d0c-8971-2ac904541a7e) add Policy Audit Windows machines that do not store passwords using reversible encryption (da0f98fe-a24b-4ad5-af69-bd0400233661) add Policy Audit Linux machines that do not have the passwd file permissions set to 0644 (e6955644-301c-44b5-a4c4-528577de6861) add Policy Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords (5b054a0d-39e2-4d53-bea3-9734cad2c69b) add Policy Audit Linux machines that have accounts without passwords (f6ec09a3-78bf-4f8f-99dc-6c77182d0f99) remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters (23020aa6-1135-4be2-bae2-149982b06eca) remove Policy [Deprecated]: Show audit results from Windows VMs that do not have a minimum password age of 1 day (5aa11bbc-5c76-4302-80e5-aba46a4282e7) remove Policy [Deprecated]: Show audit results from Linux VMs that have accounts without passwords (c40c9087-1981-4e73-9f53-39743eda9d05) remove Policy [Deprecated]: Show audit results from Windows VMs that allow re-use of the previous 24 passwords (cdbf72d9-ac9c-4026-8a3a-491a5ac59293) remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords (726671ac-c4de-4908-8c7d-6043ae62e3b6) remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption (8ff0b18b-262e-4512-857a-48ad0aeb9a78) remove Policy [Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords (3470477a-b35a-49db-aca5-1073d04524fe) remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days (356a906e-05e5-4625-8729-90771e0ee934) remove Policy [Deprecated]: Show audit results from Windows VMs that do not have a maximum password age of 70 days (24dde96d-f0b1-425e-884f-4a1421e2dcdc) remove Policy [Deprecated]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644 (b18175dd-c599-4c64-83ba-bb018a06d35b) remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day (16390df4-2f73-4b42-af13-c801066763df) remove Policy [Deprecated]: Show audit results from Linux VMs that allow remote connections from accounts without passwords (2d67222d-05fd-4526-a171-2ee132ad9e83) remove Policy [Deprecated]: Show audit results from Windows VMs that do not store passwords using reversible encryption (2d60d3b7-aa10-454c-88a8-de39d99d17c6) remove Policy [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 (f19aa1c1-6b91-4c27-ae6a-970279f03db9) remove Policy [Deprecated]: Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters (5aebc8d1-020d-4037-89a0-02043a7524ec) remove Policy [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled (7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8) remove Policy [Deprecated]: Show audit results from Windows VMs that do not have the password complexity setting enabled (f48b2913-1dc5-4834-8c72-ccc1dfd819bb) remove Policy [Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords (ec49586f-4939-402d-a29e-6ff502b20592)
2020-06-16 14:55:25	Name change: '[Preview]: Audit ISO 27001:2013 controls and deploy specific VM Extensions to support audit requirements' to 'ISO 27001:2013' Description change: 'This initiative includes audit and VM Extension deployment policies that address a subset of ISO 27001:2013 controls. Additional policies will be added in upcoming releases. For more information, please visit https://aka.ms/iso27001-blueprint.' to 'This initiative includes audit and virtual machine extension deployment policies that address a subset of ISO 27001:2013 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/iso27001-blueprint.'
2020-02-20 08:25:18	remove Policy [Deprecated]: Web ports should be restricted on Network Security Groups associated to your VM (201ea587-7c90-41c3-910f-c280ae01cfd6)

JSON compare

compare mode: version left: version right:

JSON

api-version=2021-06-01
EPAC