AzPolicyAdvertizer

last sync: 2024-Nov-25 18:54:24 UTC

Configure workstations to check for digital certificates | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Configure workstations to check for digital certificates
Id 26daf649-22d1-97e9-2a8a-01b182194d59
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_0073 - Configure workstations to check for digital certificates
Additional metadata Name/Id: CMA_0073 / CMA_0073
Category: Operational
Title: Configure workstations to check for digital certificates
Ownership: Customer
Description: Microsoft recommends that your organization implement a process to check the validity of all Azure sites prior to logging in by reviewing the digital certificate on the site to ensure they are valid Azure sites. US Government customers are responsible for having a process in place to check the validity of the Microsoft Azure websites prior to signing on by reviewing the digital certificate on the site to ensure they are the Microsoft Azure websites. If government customers are using USGCB baselines, supported web browsers will enforce this review automatically by default and prevent connections if the digital certificate is invalid. Your organization should consider creating and maintaining System and Communications Protection policies and standard operating procedures that describe the mechanisms that are in place to ensure session authenticity. https://docs.microsoft.com/azure/key-vault/general/about-keys-secrets-certificates
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 83 compliance controls are associated with this Policy definition 'Configure workstations to check for digital certificates' (26daf649-22d1-97e9-2a8a-01b182194d59)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
CIS_Azure_1.1.0 3.1 CIS_Azure_1.1.0_3.1 CIS Microsoft Azure Foundations Benchmark recommendation 3.1 3 Storage Accounts Ensure that 'Secure transfer required' is set to 'Enabled' Shared The customer is responsible for implementing this recommendation. Enable data encryption in transit. link 4
CIS_Azure_1.1.0 3.5 CIS_Azure_1.1.0_3.5 CIS Microsoft Azure Foundations Benchmark recommendation 3.5 3 Storage Accounts Ensure that shared access signature tokens are allowed only over https Shared The customer is responsible for implementing this recommendation. Shared access signature tokens should be allowed only over HTTPS protocol. link 3
CIS_Azure_1.1.0 4.11 CIS_Azure_1.1.0_4.11 CIS Microsoft Azure Foundations Benchmark recommendation 4.11 4 Database Services Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server Shared The customer is responsible for implementing this recommendation. Enable 'SSL connection' on 'MYSQL' Servers. link 4
CIS_Azure_1.1.0 4.13 CIS_Azure_1.1.0_4.13 CIS Microsoft Azure Foundations Benchmark recommendation 4.13 4 Database Services Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server Shared The customer is responsible for implementing this recommendation. Enable 'SSL connection' on 'PostgreSQL' Servers. link 4
CIS_Azure_1.1.0 9.2 CIS_Azure_1.1.0_9.2 CIS Microsoft Azure Foundations Benchmark recommendation 9.2 9 AppService Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Shared The customer is responsible for implementing this recommendation. Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic. link 4
CIS_Azure_1.1.0 9.3 CIS_Azure_1.1.0_9.3 CIS Microsoft Azure Foundations Benchmark recommendation 9.3 9 AppService Ensure web app is using the latest version of TLS encryption Shared The customer is responsible for implementing this recommendation. The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. link 5
CIS_Azure_1.3.0 3.1 CIS_Azure_1.3.0_3.1 CIS Microsoft Azure Foundations Benchmark recommendation 3.1 3 Storage Accounts Ensure that 'Secure transfer required' is set to 'Enabled' Shared The customer is responsible for implementing this recommendation. Enable data encryption in transit. link 4
CIS_Azure_1.3.0 4.3.1 CIS_Azure_1.3.0_4.3.1 CIS Microsoft Azure Foundations Benchmark recommendation 4.3.1 4 Database Services Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server Shared The customer is responsible for implementing this recommendation. Enable 'SSL connection' on 'PostgreSQL' Servers. link 4
CIS_Azure_1.3.0 4.3.2 CIS_Azure_1.3.0_4.3.2 CIS Microsoft Azure Foundations Benchmark recommendation 4.3.2 4 Database Services Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server Shared The customer is responsible for implementing this recommendation. Enable 'SSL connection' on 'MYSQL' Servers. link 4
CIS_Azure_1.3.0 9.10 CIS_Azure_1.3.0_9.10 CIS Microsoft Azure Foundations Benchmark recommendation 9.10 9 AppService Ensure FTP deployments are disabled Shared The customer is responsible for implementing this recommendation. By default, Azure Functions, Web and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions. link 5
CIS_Azure_1.3.0 9.2 CIS_Azure_1.3.0_9.2 CIS Microsoft Azure Foundations Benchmark recommendation 9.2 9 AppService Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Shared The customer is responsible for implementing this recommendation. Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic. link 4
CIS_Azure_1.3.0 9.3 CIS_Azure_1.3.0_9.3 CIS Microsoft Azure Foundations Benchmark recommendation 9.3 9 AppService Ensure web app is using the latest version of TLS encryption Shared The customer is responsible for implementing this recommendation. The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. link 5
CIS_Azure_1.4.0 3.1 CIS_Azure_1.4.0_3.1 CIS Microsoft Azure Foundations Benchmark recommendation 3.1 3 Storage Accounts Ensure that 'Secure transfer required' is set to 'Enabled' Shared The customer is responsible for implementing this recommendation. Enable data encryption in transit. link 4
CIS_Azure_1.4.0 3.12 CIS_Azure_1.4.0_3.12 CIS Microsoft Azure Foundations Benchmark recommendation 3.12 3 Storage Accounts Ensure the "Minimum TLS version" is set to "Version 1.2" Shared The customer is responsible for implementing this recommendation. Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2. link 3
CIS_Azure_1.4.0 4.3.1 CIS_Azure_1.4.0_4.3.1 CIS Microsoft Azure Foundations Benchmark recommendation 4.3.1 4 Database Services Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server Shared The customer is responsible for implementing this recommendation. Enable 'SSL connection' on 'PostgreSQL' Servers. link 4
CIS_Azure_1.4.0 4.4.1 CIS_Azure_1.4.0_4.4.1 CIS Microsoft Azure Foundations Benchmark recommendation 4.4.1 4 Database Services Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server Shared The customer is responsible for implementing this recommendation. Enable 'SSL connection' on 'MYSQL' Servers. link 3
CIS_Azure_1.4.0 4.4.2 CIS_Azure_1.4.0_4.4.2 CIS Microsoft Azure Foundations Benchmark recommendation 4.4.2 4 Database Services Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server Shared The customer is responsible for implementing this recommendation. Ensure 'TLS version' on 'MySQL flexible' servers is set to the default value. link 3
CIS_Azure_1.4.0 9.10 CIS_Azure_1.4.0_9.10 CIS Microsoft Azure Foundations Benchmark recommendation 9.10 9 AppService Ensure FTP deployments are Disabled Shared The customer is responsible for implementing this recommendation. By default, Azure Functions, Web and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions. link 5
CIS_Azure_1.4.0 9.2 CIS_Azure_1.4.0_9.2 CIS Microsoft Azure Foundations Benchmark recommendation 9.2 9 AppService Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service Shared The customer is responsible for implementing this recommendation. Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic. link 4
CIS_Azure_1.4.0 9.3 CIS_Azure_1.4.0_9.3 CIS Microsoft Azure Foundations Benchmark recommendation 9.3 9 AppService Ensure Web App is using the latest version of TLS encryption Shared The customer is responsible for implementing this recommendation. The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. link 5
CIS_Azure_2.0.0 3.1 CIS_Azure_2.0.0_3.1 CIS Microsoft Azure Foundations Benchmark recommendation 3.1 3 Ensure that 'Secure transfer required' is set to 'Enabled' Shared n/a Enable data encryption in transit. The secure transfer option enhances the security of a storage account by only allowing requests to the storage account by a secure connection. For example, when calling REST APIs to access storage accounts, the connection must use HTTPS. Any requests using HTTP will be rejected when 'secure transfer required' is enabled. When using the Azure files service, connection without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. Because Azure storage doesn’t support HTTPS for custom domain names, this option is not applied when using a custom domain name. link 4
CIS_Azure_2.0.0 3.15 CIS_Azure_2.0.0_3.15 CIS Microsoft Azure Foundations Benchmark recommendation 3.15 3 Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2" Shared When set to TLS 1.2 all requests must leverage this version of the protocol. Applications leveraging legacy versions of the protocol will fail. In some cases, Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2. TLS 1.0 has known vulnerabilities and has been replaced by later versions of the TLS protocol. Continued use of this legacy protocol affects the security of data in transit. link 4
CIS_Azure_2.0.0 4.3.1 CIS_Azure_2.0.0_4.3.1 CIS Microsoft Azure Foundations Benchmark recommendation 4.3.1 4.3 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server Shared n/a Enable `SSL connection` on `PostgreSQL` Servers. `SSL connectivity` helps to provide a new layer of security by connecting database server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between database server and client applications helps protect against "man in the middle" attacks by encrypting the data stream between the server and application. link 4
CIS_Azure_2.0.0 4.4.1 CIS_Azure_2.0.0_4.4.1 CIS Microsoft Azure Foundations Benchmark recommendation 4.4.1 4.4 Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server Shared n/a Enable `SSL connection` on `MYSQL` Servers. SSL connectivity helps to provide a new layer of security by connecting database server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between database server and client applications helps protect against "man in the middle" attacks by encrypting the data stream between the server and application. link 4
CIS_Azure_2.0.0 4.4.2 CIS_Azure_2.0.0_4.4.2 CIS Microsoft Azure Foundations Benchmark recommendation 4.4.2 4.4 Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server Shared n/a Ensure `TLS version` on `MySQL flexible` servers is set to the default value. TLS connectivity helps to provide a new layer of security by connecting database server to client applications using Transport Layer Security (TLS). Enforcing TLS connections between database server and client applications helps protect against "man in the middle" attacks by encrypting the data stream between the server and application. link 3
CIS_Azure_2.0.0 9.10 CIS_Azure_2.0.0_9.10 CIS Microsoft Azure Foundations Benchmark recommendation 9.10 9 Ensure FTP deployments are Disabled Shared Any deployment workflows that rely on FTP or FTPs rather than the WebDeploy or HTTPs endpoints may be affected. By default, Azure Functions, Web, and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions. Azure FTP deployment endpoints are public. An attacker listening to traffic on a wifi network used by a remote employee or a corporate network could see login traffic in clear-text which would then grant them full control of the code base of the app or service. This finding is more severe if User Credentials for deployment are set at the subscription level rather than using the default Application Credentials which are unique per App. link 5
CIS_Azure_2.0.0 9.2 CIS_Azure_2.0.0_9.2 CIS Microsoft Azure Foundations Benchmark recommendation 9.2 9 Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service Shared When it is enabled, every incoming HTTP request is redirected to the HTTPS port. This means an extra level of security will be added to the HTTP requests made to the app. Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic. Enabling HTTPS-only traffic will redirect all non-secure HTTP requests to HTTPS ports. HTTPS uses the TLS/SSL protocol to provide a secure connection which is both encrypted and authenticated. It is therefore important to support HTTPS for the security benefits. link 4
CIS_Azure_2.0.0 9.3 CIS_Azure_2.0.0_9.3 CIS Microsoft Azure Foundations Benchmark recommendation 9.3 9 Ensure Web App is using the latest version of TLS encryption Shared n/a The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards such as PCI DSS. App service currently allows the web app to set TLS versions 1.0, 1.1 and 1.2. It is highly recommended to use the latest TLS 1.2 version for web app secure connections. link 5
FedRAMP_High_R4 SC-23 FedRAMP_High_R4_SC-23 FedRAMP High SC-23 System And Communications Protection Session Authenticity Shared n/a The information system protects the authenticity of communications sessions. Supplemental Guidance: This control addresses communications protection at the session, versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Authenticity protection includes, for example, protecting against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. Related controls: SC-8, SC-10, SC-11. References: NIST Special Publications 800-52, 800-77, 800-95. link 2
FedRAMP_High_R4 SC-8(1) FedRAMP_High_R4_SC-8(1) FedRAMP High SC-8 (1) System And Communications Protection Cryptographic Or Alternate Physical Protection Shared n/a The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]. Supplemental Guidance: Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Alternative physical security safeguards include, for example, protected distribution systems. Related control: SC-13. link 14
FedRAMP_Moderate_R4 SC-23 FedRAMP_Moderate_R4_SC-23 FedRAMP Moderate SC-23 System And Communications Protection Session Authenticity Shared n/a The information system protects the authenticity of communications sessions. Supplemental Guidance: This control addresses communications protection at the session, versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Authenticity protection includes, for example, protecting against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. Related controls: SC-8, SC-10, SC-11. References: NIST Special Publications 800-52, 800-77, 800-95. link 2
FedRAMP_Moderate_R4 SC-8(1) FedRAMP_Moderate_R4_SC-8(1) FedRAMP Moderate SC-8 (1) System And Communications Protection Cryptographic Or Alternate Physical Protection Shared n/a The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]. Supplemental Guidance: Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Alternative physical security safeguards include, for example, protected distribution systems. Related control: SC-13. link 14
hipaa 0810.01n2Organizational.5-01.n hipaa-0810.01n2Organizational.5-01.n 0810.01n2Organizational.5-01.n 08 Network Protection 0810.01n2Organizational.5-01.n 01.04 Network Access Control Shared n/a Transmitted information is secured and, at a minimum, encrypted over open, public networks. 16
hipaa 08101.09m2Organizational.14-09.m hipaa-08101.09m2Organizational.14-09.m 08101.09m2Organizational.14-09.m 08 Network Protection 08101.09m2Organizational.14-09.m 09.06 Network Security Management Shared n/a The organization uses secured and encrypted communication channels when migrating physical servers, applications, or data to virtualized servers. 8
hipaa 0862.09m2Organizational.8-09.m hipaa-0862.09m2Organizational.8-09.m 0862.09m2Organizational.8-09.m 08 Network Protection 0862.09m2Organizational.8-09.m 09.06 Network Security Management Shared n/a The organization ensures information systems protect the confidentiality and integrity of transmitted information, including during preparation for transmission and during reception. 4
hipaa 0901.09s1Organizational.1-09.s hipaa-0901.09s1Organizational.1-09.s 0901.09s1Organizational.1-09.s 09 Transmission Protection 0901.09s1Organizational.1-09.s 09.08 Exchange of Information Shared n/a The organization formally addresses multiple safeguards before allowing the use of information systems for information exchange. 31
hipaa 0903.10f1Organizational.1-10.f hipaa-0903.10f1Organizational.1-10.f 0903.10f1Organizational.1-10.f 09 Transmission Protection 0903.10f1Organizational.1-10.f 10.03 Cryptographic Controls Shared n/a Encryption is used to protect covered information on mobile/removable media and across communication lines based on pre-determined criteria. 3
hipaa 0913.09s1Organizational.5-09.s hipaa-0913.09s1Organizational.5-09.s 0913.09s1Organizational.5-09.s 09 Transmission Protection 0913.09s1Organizational.5-09.s 09.08 Exchange of Information Shared n/a Strong cryptography protocols are used to safeguard covered information during transmission over less trusted/open public networks. 5
hipaa 0926.09v1Organizational.2-09.v hipaa-0926.09v1Organizational.2-09.v 0926.09v1Organizational.2-09.v 09 Transmission Protection 0926.09v1Organizational.2-09.v 09.08 Exchange of Information Shared n/a Approvals are obtained prior to using external public services, including instant messaging or file sharing. 5
hipaa 0928.09v1Organizational.45-09.v hipaa-0928.09v1Organizational.45-09.v 0928.09v1Organizational.45-09.v 09 Transmission Protection 0928.09v1Organizational.45-09.v 09.08 Exchange of Information Shared n/a Stronger controls are implemented to protect certain electronic messages, and electronic messages are protected throughout the duration of its end-to-end transport path, using cryptographic mechanisms unless protected by alternative measures. 9
hipaa 0929.09v1Organizational.6-09.v hipaa-0929.09v1Organizational.6-09.v 0929.09v1Organizational.6-09.v 09 Transmission Protection 0929.09v1Organizational.6-09.v 09.08 Exchange of Information Shared n/a The organization never sends unencrypted sensitive information by end-user messaging technologies (e.g., email, instant messaging, and chat). 9
hipaa 0943.09y1Organizational.1-09.y hipaa-0943.09y1Organizational.1-09.y 0943.09y1Organizational.1-09.y 09 Transmission Protection 0943.09y1Organizational.1-09.y 09.09 Electronic Commerce Services Shared n/a Data involved in electronic commerce and online transactions is checked to determine if it contains covered information. 4
hipaa 0944.09y1Organizational.2-09.y hipaa-0944.09y1Organizational.2-09.y 0944.09y1Organizational.2-09.y 09 Transmission Protection 0944.09y1Organizational.2-09.y 09.09 Electronic Commerce Services Shared n/a Security is maintained through all aspects of the transaction. 8
hipaa 0945.09y1Organizational.3-09.y hipaa-0945.09y1Organizational.3-09.y 0945.09y1Organizational.3-09.y 09 Transmission Protection 0945.09y1Organizational.3-09.y 09.09 Electronic Commerce Services Shared n/a Protocols used to communicate between all involved parties are secured using cryptographic techniques (e.g., SSL). 6
hipaa 0948.09y2Organizational.3-09.y hipaa-0948.09y2Organizational.3-09.y 0948.09y2Organizational.3-09.y 09 Transmission Protection 0948.09y2Organizational.3-09.y 09.09 Electronic Commerce Services Shared n/a Where a trusted authority is used (e.g., for the purposes of issuing and maintaining digital signatures and/or digital certificates), security is integrated and embedded throughout the entire end-to-end certificate/signature management process. 6
hipaa 099.09m2Organizational.11-09.m hipaa-099.09m2Organizational.11-09.m 099.09m2Organizational.11-09.m 09 Transmission Protection 099.09m2Organizational.11-09.m 09.06 Network Security Management Shared n/a The organization uses FIPS-validated cryptographic mechanisms during transmission to prevent unauthorized disclosure of information and detect changes to information unless otherwise protected by organization-defined alternative physical measures. 3
ISO27001-2013 A.13.1.1 ISO27001-2013_A.13.1.1 ISO 27001:2013 A.13.1.1 Communications Security Network controls Shared n/a Networks shall be managed and controlled to protect information in systems and applications. link 40
ISO27001-2013 A.13.1.3 ISO27001-2013_A.13.1.3 ISO 27001:2013 A.13.1.3 Communications Security Segregation of networks Shared n/a Groups of information services, users, and information systems shall be segregated on networks. link 17
ISO27001-2013 A.13.2.1 ISO27001-2013_A.13.2.1 ISO 27001:2013 A.13.2.1 Communications Security Information transfer policies and procedures Shared n/a Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities. link 32
ISO27001-2013 A.13.2.3 ISO27001-2013_A.13.2.3 ISO 27001:2013 A.13.2.3 Communications Security Electronic messaging Shared n/a Information involved in electronic messaging shall be appropriately protected. link 10
ISO27001-2013 A.14.1.2 ISO27001-2013_A.14.1.2 ISO 27001:2013 A.14.1.2 System Acquisition, Development And Maintenance Securing application services on public networks Shared n/a Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. link 32
ISO27001-2013 A.14.1.3 ISO27001-2013_A.14.1.3 ISO 27001:2013 A.14.1.3 System Acquisition, Development And Maintenance Protecting application services transactions Shared n/a Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. link 29
ISO27001-2013 A.8.2.3 ISO27001-2013_A.8.2.3 ISO 27001:2013 A.8.2.3 Asset Management Handling of assets Shared n/a Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization. link 26
mp.com.2 Protection of confidentiality mp.com.2 Protection of confidentiality 404 not found n/a n/a 55
mp.com.3 Protection of integrity and authenticity mp.com.3 Protection of integrity and authenticity 404 not found n/a n/a 62
mp.com.4 Separation of information flows on the network mp.com.4 Separation of information flows on the network 404 not found n/a n/a 51
mp.info.2 Rating of information mp.info.2 Rating of information 404 not found n/a n/a 45
mp.info.3 Electronic signature mp.info.3 Electronic signature 404 not found n/a n/a 40
mp.info.4 Time stamps mp.info.4 Time stamps 404 not found n/a n/a 33
mp.s.1 E-mail protection mp.s.1 E-mail protection 404 not found n/a n/a 48
mp.s.2 Protection of web services and applications mp.s.2 Protection of web services and applications 404 not found n/a n/a 102
NIST_SP_800-171_R2_3 .13.15 NIST_SP_800-171_R2_3.13.15 NIST SP 800-171 R2 3.13.15 System and Communications Protection Protect the authenticity of communications sessions. Shared Microsoft and the customer share responsibilities for implementing this requirement. Authenticity protection includes protecting against man-in-the-middle attacks, session hijacking, and the insertion of false information into communications sessions. This requirement addresses communications protection at the session versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. [SP 800-77], [SP 800-95], and [SP 800-113] provide guidance on secure communications sessions. link 2
NIST_SP_800-171_R2_3 .13.8 NIST_SP_800-171_R2_3.13.8 NIST SP 800-171 R2 3.13.8 System and Communications Protection Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. Shared Microsoft and the customer share responsibilities for implementing this requirement. This requirement applies to internal and external networks and any system components that can transmit information including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines. Communication paths outside the physical protection of controlled boundaries are susceptible to both interception and modification. Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of the controls for transmission confidentiality. In such situations, organizations determine what types of confidentiality services are available in commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary safeguards and assurances of the effectiveness of the safeguards through appropriate contracting vehicles, organizations implement compensating safeguards or explicitly accept the additional risk. An example of an alternative physical safeguard is a protected distribution system (PDS) where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted. See [NIST CRYPTO]. link 16
NIST_SP_800-53_R4 SC-23 NIST_SP_800-53_R4_SC-23 NIST SP 800-53 Rev. 4 SC-23 System And Communications Protection Session Authenticity Shared n/a The information system protects the authenticity of communications sessions. Supplemental Guidance: This control addresses communications protection at the session, versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Authenticity protection includes, for example, protecting against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. Related controls: SC-8, SC-10, SC-11. References: NIST Special Publications 800-52, 800-77, 800-95. link 2
NIST_SP_800-53_R4 SC-8(1) NIST_SP_800-53_R4_SC-8(1) NIST SP 800-53 Rev. 4 SC-8 (1) System And Communications Protection Cryptographic Or Alternate Physical Protection Shared n/a The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]. Supplemental Guidance: Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Alternative physical security safeguards include, for example, protected distribution systems. Related control: SC-13. link 14
NIST_SP_800-53_R5 SC-23 NIST_SP_800-53_R5_SC-23 NIST SP 800-53 Rev. 5 SC-23 System and Communications Protection Session Authenticity Shared n/a Protect the authenticity of communications sessions. link 2
NIST_SP_800-53_R5 SC-8(1) NIST_SP_800-53_R5_SC-8(1) NIST SP 800-53 Rev. 5 SC-8 (1) System and Communications Protection Cryptographic Protection Shared n/a Implement cryptographic mechanisms to [Selection (OneOrMore): prevent unauthorized disclosure of information;detect changes to information] during transmission. link 14
op.acc.6 Authentication mechanism (organization users) op.acc.6 Authentication mechanism (organization users) 404 not found n/a n/a 78
op.exp.2 Security configuration op.exp.2 Security configuration 404 not found n/a n/a 112
op.ext.4 Interconnection of systems op.ext.4 Interconnection of systems 404 not found n/a n/a 68
op.mon.1 Intrusion detection op.mon.1 Intrusion detection 404 not found n/a n/a 50
op.pl.2 Security Architecture op.pl.2 Security Architecture 404 not found n/a n/a 65
op.pl.3 Acquisition of new components op.pl.3 Acquisition of new components 404 not found n/a n/a 61
org.3 Security procedures org.3 Security procedures 404 not found n/a n/a 83
org.4 Authorization process org.4 Authorization process 404 not found n/a n/a 126
PCI_DSS_v4.0 4.2.1 PCI_DSS_v4.0_4.2.1 PCI DSS v4.0 4.2.1 Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks PAN is protected with strong cryptography during transmission Shared n/a Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks: • Only trusted keys and certificates are accepted. • Certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked. This bullet is a best practice until its effective date; refer to applicability notes below for details. • The protocol in use supports only secure versions or configurations and does not support fallback to, or use of insecure versions, algorithms, key sizes, or implementations. • The encryption strength is appropriate for the encryption methodology in use. link 12
PCI_DSS_v4.0 4.2.2 PCI_DSS_v4.0_4.2.2 PCI DSS v4.0 4.2.2 Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks PAN is protected with strong cryptography during transmission Shared n/a PAN is secured with strong cryptography whenever it is sent via end-user messaging technologies. link 3
SOC_2 CC6.7 SOC_2_CC6.7 SOC 2 Type 2 CC6.7 Logical and Physical Access Controls Restrict the movement of information to authorized users Shared The customer is responsible for implementing this recommendation. • Restricts the Ability to Perform Transmission — Data loss prevention processes and technologies are used to restrict ability to authorize and execute transmission, movement, and removal of information. • Uses Encryption Technologies or Secure Communication Channels to Protect Data — Encryption technologies or secured communication channels are used to protect transmission of data and other communications beyond connectivity access points. • Protects Removal Media — Encryption technologies and physical asset protections are used for removable media (such as USB drives and backup tapes), as appropriate. • Protects Mobile Devices — Processes are in place to protect mobile devices (such as laptops, smart phones, and tablets) that serve as information assets 29
SWIFT_CSCF_v2022 2.1 SWIFT_CSCF_v2022_2.1 SWIFT CSCF v2022 2.1 2. Reduce Attack Surface and Vulnerabilities Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. Shared n/a Confidentiality, integrity, and authentication mechanisms are implemented to protect SWIFT-related component-to-component or system-to-system data flows. link 36
SWIFT_CSCF_v2022 2.4 SWIFT_CSCF_v2022_2.4 SWIFT CSCF v2022 2.4 2. Reduce Attack Surface and Vulnerabilities Ensure the confidentiality, integrity, and mutual authenticity of data flows between local or remote SWIFT infrastructure components and the back-office first hops they connect to. Shared n/a Confidentiality, integrity, and authentication mechanisms (at system, transport or message level) are implemented to protect data flows between SWIFT infrastructure components and the back-office first hops they connect to. link 7
SWIFT_CSCF_v2022 2.5 SWIFT_CSCF_v2022_2.5 SWIFT CSCF v2022 2.5 2. Reduce Attack Surface and Vulnerabilities Protect the confidentiality of SWIFT-related data transmitted or stored outside of the secure zone as part of operational processes. Shared n/a Sensitive SWIFT-related data that leaves the secure zone as a result of operating system/application back-ups, business transaction data replication for archiving or recovery purposes, or extraction for offline processing is protected when stored outside of a secure zone and is encrypted while in transit. link 7
SWIFT_CSCF_v2022 2.6 SWIFT_CSCF_v2022_2.6 SWIFT CSCF v2022 2.6 2. Reduce Attack Surface and Vulnerabilities Protect the confidentiality and integrity of interactive operator sessions that connect to the local or remote (operated by a service provider) SWIFT infrastructure or service provider SWIFT-related applications Shared n/a The confidentiality and integrity of interactive operator sessions that connect to service provider SWIFT-related applications or into the secure zone are safeguarded. link 17
SWIFT_CSCF_v2022 6.2 SWIFT_CSCF_v2022_6.2 SWIFT CSCF v2022 6.2 6. Detect Anomalous Activity to Systems or Transaction Records Ensure the software integrity of the SWIFT-related components and act upon results. Shared n/a A software integrity check is performed at regular intervals on messaging interface, communication interface, and other SWIFT-related components and results are considered for appropriate resolving actions. link 6
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
CIS Microsoft Azure Foundations Benchmark v1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.3.0 612b5213-9160-4969-8578-1518bd2a000c Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.4.0 c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v2.0.0 06f19060-9e68-4070-92ca-f15cc126059e Regulatory Compliance GA BuiltIn
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-02 16:33:37 add 26daf649-22d1-97e9-2a8a-01b182194d59
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC