Compliance controls associated with this Policy definition 'Protect audit information' (0e696f5a-451f-5c15-5532-044136538491):

| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| CIS_Azure_1.1.0 | 5.1.5 | CIS_Azure_1.1.0_5.1.5 | CIS Microsoft Azure Foundations Benchmark recommendation 5.1.5 | 5 Logging and Monitoring | Ensure the storage container storing the activity logs is not publicly accessible | Shared | The customer is responsible for implementing this recommendation. | The storage account container containing the activity log export should not be publicly accessible. | link | 3 |
| CIS_Azure_1.1.0 | 5.1.6 | CIS_Azure_1.1.0_5.1.6 | CIS Microsoft Azure Foundations Benchmark recommendation 5.1.6 | 5 Logging and Monitoring | Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key) | Shared | The customer is responsible for implementing this recommendation. | The storage account with the activity log export container is configured to use BYOK (Use Your Own Key). | link | 4 |
| CIS_Azure_1.3.0 | 5.1.3 | CIS_Azure_1.3.0_5.1.3 | CIS Microsoft Azure Foundations Benchmark recommendation 5.1.3 | 5 Logging and Monitoring | Ensure the storage container storing the activity logs is not publicly accessible | Shared | The customer is responsible for implementing this recommendation. | The storage account container containing the activity log export should not be publicly accessible. | link | 3 |
| CIS_Azure_1.3.0 | 5.1.4 | CIS_Azure_1.3.0_5.1.4 | CIS Microsoft Azure Foundations Benchmark recommendation 5.1.4 | 5 Logging and Monitoring | Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key) | Shared | The customer is responsible for implementing this recommendation. | The storage account with the activity log export container is configured to use BYOK (Use Your Own Key). | link | 4 |
| CIS_Azure_1.4.0 | 5.1.3 | CIS_Azure_1.4.0_5.1.3 | CIS Microsoft Azure Foundations Benchmark recommendation 5.1.3 | 5 Logging and Monitoring | Ensure the storage container storing the activity logs is not publicly accessible | Shared | The customer is responsible for implementing this recommendation. | The storage account container containing the activity log export should not be publicly accessible. | link | 3 |
| CIS_Azure_1.4.0 | 5.1.4 | CIS_Azure_1.4.0_5.1.4 | CIS Microsoft Azure Foundations Benchmark recommendation 5.1.4 | 5 Logging and Monitoring | Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key) | Shared | The customer is responsible for implementing this recommendation. | The storage account with the activity log export container is configured to use BYOK (Use Your Own Key). | link | 4 |
| CIS_Azure_2.0.0 | 5.1.3 | CIS_Azure_2.0.0_5.1.3 | CIS Microsoft Azure Foundations Benchmark recommendation 5.1.3 | 5.1 | Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible | Shared | Configuring container `Access policy` to `private` will remove access from the container for everyone except owners of the storage account. Access policy needs to be set explicitly in order to allow access to other desired users. | The storage account container containing the activity log export should not be publicly accessible. Allowing public access to activity log content may aid an adversary in identifying weaknesses in the affected account's use or configuration. | link | 3 |
| CIS_Azure_2.0.0 | 5.1.4 | CIS_Azure_2.0.0_5.1.4 | CIS Microsoft Azure Foundations Benchmark recommendation 5.1.4 | 5.1 | Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key | Shared | **NOTE:** You must have your key vault set up to utilize this. All Audit Logs will be encrypted with a key you provide. You will need to set up customer managed keys separately, and you will select which key to use via the instructions here. You will be responsible for the lifecycle of the keys, and will need to manually replace them at your own determined intervals to keep the data secure. | Storage accounts with the activity log exports can be configured to use Customer Managed Keys (CMK). Configuring the storage account with the activity log export container to use CMKs provides additional confidentiality controls on log data, as a given user must have read permission on the corresponding storage account and must be granted decrypt permission by the CMK. | link | 4 |
| FedRAMP_High_R4 | AU-9 | FedRAMP_High_R4_AU-9 | FedRAMP High AU-9 | Audit And Accountability | Protection Of Audit Information | Shared | n/a | The information system protects audit information and audit tools from unauthorized access, modification, and deletion. Supplemental Guidance: Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls. Related controls: AC-3, AC-6, MP-2, MP-4, PE-2, PE-3, PE-6. References: None. | link | 2 |
| FedRAMP_High_R4 | AU-9(4) | FedRAMP_High_R4_AU-9(4) | FedRAMP High AU-9 (4) | Audit And Accountability | Access By Subset Of Privileged Users | Shared | n/a | The organization authorizes access to management of audit functionality to only [Assignment: organization-defined subset of privileged users]. Supplemental Guidance: Individuals with privileged access to an information system and who are also the subject of an audit by that system, may affect the reliability of audit information by inhibiting audit activities or modifying audit records. This control enhancement requires that privileged access be further defined between audit-related privileges and other privileges, thus limiting the users with audit-related privileges. Related control: AC-5. | link | 1 |
| FedRAMP_Moderate_R4 | AU-9 | FedRAMP_Moderate_R4_AU-9 | FedRAMP Moderate AU-9 | Audit And Accountability | Protection Of Audit Information | Shared | n/a | The information system protects audit information and audit tools from unauthorized access, modification, and deletion. Supplemental Guidance: Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls. Related controls: AC-3, AC-6, MP-2, MP-4, PE-2, PE-3, PE-6. References: None. | link | 2 |
| FedRAMP_Moderate_R4 | AU-9(4) | FedRAMP_Moderate_R4_AU-9(4) | FedRAMP Moderate AU-9 (4) | Audit And Accountability | Access By Subset Of Privileged Users | Shared | n/a | The organization authorizes access to management of audit functionality to only [Assignment: organization-defined subset of privileged users]. Supplemental Guidance: Individuals with privileged access to an information system and who are also the subject of an audit by that system, may affect the reliability of audit information by inhibiting audit activities or modifying audit records. This control enhancement requires that privileged access be further defined between audit-related privileges and other privileges, thus limiting the users with audit-related privileges. Related control: AC-5. | link | 1 |
| hipaa | 1207.09aa2System.4-09.aa | hipaa-1207.09aa2System.4-09.aa | 1207.09aa2System.4-09.aa | 12 Audit Logging & Monitoring | 1207.09aa2System.4-09.aa 09.10 Monitoring | Shared | n/a | Audit records are retained for 90 days and older audit records are archived for one year. | | 13 |
| hipaa | 1232.09c3Organizational.12-09.c | hipaa-1232.09c3Organizational.12-09.c | 1232.09c3Organizational.12-09.c | 12 Audit Logging & Monitoring | 1232.09c3Organizational.12-09.c 09.01 Documented Operating Procedures | Shared | n/a | Access for individuals responsible for administering access controls is limited to the minimum necessary based upon each user's role and responsibilities and these individuals cannot access audit functions related to these controls. | | 21 |
| hipaa | 1271.09ad1System.1-09.ad | hipaa-1271.09ad1System.1-09.ad | 1271.09ad1System.1-09.ad | 12 Audit Logging & Monitoring | 1271.09ad1System.1-09.ad 09.10 Monitoring | Shared | n/a | An intrusion detection system managed outside of the control of system and network administrators is used to monitor system and network administration activities for compliance. | | 8 |
| hipaa | 1271.09ad2System.1 | hipaa-1271.09ad2System.1 | 1271.09ad2System.1 | 12 Audit Logging & Monitoring | 1271.09ad2System.1 09.10 Monitoring | Shared | n/a | An intrusion detection system managed outside of the control of system and network administrators is used to monitor system and network administration activities for compliance. | | 7 |
| hipaa | 1276.09c2Organizational.2-09.c | hipaa-1276.09c2Organizational.2-09.c | 1276.09c2Organizational.2-09.c | 12 Audit Logging & Monitoring | 1276.09c2Organizational.2-09.c 09.01 Documented Operating Procedures | Shared | n/a | Security audit activities are independent. | | 18 |
| ISO27001-2013 | A.12.4.2 | ISO27001-2013_A.12.4.2 | ISO 27001:2013 A.12.4.2 | Operations Security | Protection of log information | Shared | n/a | Logging facilities and log information shall be protected against tampering and unauthorized access. | link | 8 |
| ISO27001-2013 | A.12.4.3 | ISO27001-2013_A.12.4.3 | ISO 27001:2013 A.12.4.3 | Operations Security | Administrator and operator logs | Shared | n/a | System administrator and system operator activities shall be logged and the logs protected and regularly reviewed. | link | 29 |
| ISO27001-2013 | A.18.1.3 | ISO27001-2013_A.18.1.3 | ISO 27001:2013 A.18.1.3 | Compliance | Protection of records | Shared | n/a | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislative, regulatory, contractual and business requirements. | link | 15 |
| NIST_SP_800-171_R2 | 3.3.8 | NIST_SP_800-171_R2_3.3.8 | NIST SP 800-171 R2 3.3.8 | Audit and Accountability | Protect audit information and audit logging tools from unauthorized access, modification, and deletion. | Shared | Microsoft and the customer share responsibilities for implementing this requirement. | Audit information includes all information (e.g., audit records, audit log settings, and audit reports) needed to successfully audit system activity. Audit logging tools are those programs and devices used to conduct audit and logging activities. This requirement focuses on the technical protection of audit information and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by media protection and physical and environmental protection requirements. | link | 4 |
| NIST_SP_800-171_R2 | 3.3.9 | NIST_SP_800-171_R2_3.3.9 | NIST SP 800-171 R2 3.3.9 | Audit and Accountability | Limit management of audit logging functionality to a subset of privileged users. | Shared | Microsoft and the customer share responsibilities for implementing this requirement. | Individuals with privileged access to a system and who are also the subject of an audit by that system, may affect the reliability of audit information by inhibiting audit logging activities or modifying audit records. This requirement specifies that privileged access be further defined between audit-related privileges and other privileges, thus limiting the users with audit-related privileges. | link | 1 |
| NIST_SP_800-53_R4 | AU-9 | NIST_SP_800-53_R4_AU-9 | NIST SP 800-53 Rev. 4 AU-9 | Audit And Accountability | Protection Of Audit Information | Shared | n/a | The information system protects audit information and audit tools from unauthorized access, modification, and deletion. Supplemental Guidance: Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls. Related controls: AC-3, AC-6, MP-2, MP-4, PE-2, PE-3, PE-6. References: None. | link | 2 |
| NIST_SP_800-53_R4 | AU-9(4) | NIST_SP_800-53_R4_AU-9(4) | NIST SP 800-53 Rev. 4 AU-9 (4) | Audit And Accountability | Access By Subset Of Privileged Users | Shared | n/a | The organization authorizes access to management of audit functionality to only [Assignment: organization-defined subset of privileged users]. Supplemental Guidance: Individuals with privileged access to an information system and who are also the subject of an audit by that system, may affect the reliability of audit information by inhibiting audit activities or modifying audit records. This control enhancement requires that privileged access be further defined between audit-related privileges and other privileges, thus limiting the users with audit-related privileges. Related control: AC-5. | link | 1 |
| NIST_SP_800-53_R5 | AU-9 | NIST_SP_800-53_R5_AU-9 | NIST SP 800-53 Rev. 5 AU-9 | Audit and Accountability | Protection of Audit Information | Shared | n/a | a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and b. Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information. | link | 2 |
| NIST_SP_800-53_R5 | AU-9(4) | NIST_SP_800-53_R5_AU-9(4) | NIST SP 800-53 Rev. 5 AU-9 (4) | Audit and Accountability | Access by Subset of Privileged Users | Shared | n/a | Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles]. | link | 1 |
| | op.exp.8 Recording of the activity | op.exp.8 Recording of the activity | 404 not found | | | | n/a | n/a | | 67 |
| | org.1 Security policy | org.1 Security policy | 404 not found | | | | n/a | n/a | | 94 |
| PCI_DSS_v4.0 | 10.3.1 | PCI_DSS_v4.0_10.3.1 | PCI DSS v4.0 10.3.1 | Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | Audit logs are protected from destruction and unauthorized modifications | Shared | n/a | Read access to audit logs files is limited to those with a job-related need. | link | 2 |
| PCI_DSS_v4.0 | 10.3.2 | PCI_DSS_v4.0_10.3.2 | PCI DSS v4.0 10.3.2 | Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | Audit logs are protected from destruction and unauthorized modifications | Shared | n/a | Audit log files are protected to prevent modifications by individuals. | link | 2 |
| PCI_DSS_v4.0 | 10.3.4 | PCI_DSS_v4.0_10.3.4 | PCI DSS v4.0 10.3.4 | Requirement 10: Log and Monitor All Access to System Components and Cardholder Data | Audit logs are protected from destruction and unauthorized modifications | Shared | n/a | File integrity monitoring or change-detection mechanisms is used on audit logs to ensure that existing log data cannot be changed without generating alerts. | link | 2 |
| SWIFT_CSCF_v2022 | 5.1 | SWIFT_CSCF_v2022_5.1 | SWIFT CSCF v2022 5.1 | 5. Manage Identities and Segregate Privileges | Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. | Shared | n/a | Accounts are defined according to the security principles of need-to-know access, least privilege, and separation of duties. | link | 35 |