The following compliance controls are associated with the Policy definition 'Document security operations' (2c6bee3a-2180-2430-440d-db3c7a849870):

| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| CIS_Azure_1.1.0 | 2.2 | CIS_Azure_1.1.0_2.2 | CIS Microsoft Azure Foundations Benchmark recommendation 2.2 | 2 Security Center | Ensure that 'Automatic provisioning of monitoring agent' is set to 'On' | Shared | The customer is responsible for implementing this recommendation. | Enable automatic provisioning of the monitoring agent to collect security data. | link | 2 |
| CIS_Azure_1.1.0 | 7.6 | CIS_Azure_1.1.0_7.6 | CIS Microsoft Azure Foundations Benchmark recommendation 7.6 | 7 Virtual Machines | Ensure that the endpoint protection for all Virtual Machines is installed | Shared | The customer is responsible for implementing this recommendation. | Install endpoint protection for all virtual machines. | link | 10 |
| CIS_Azure_1.3.0 | 2.11 | CIS_Azure_1.3.0_2.11 | CIS Microsoft Azure Foundations Benchmark recommendation 2.11 | 2 Security Center | Ensure that 'Automatic provisioning of monitoring agent' is set to 'On' | Shared | The customer is responsible for implementing this recommendation. | Enable automatic provisioning of the monitoring agent to collect security data. | link | 2 |
| CIS_Azure_1.3.0 | 7.6 | CIS_Azure_1.3.0_7.6 | CIS Microsoft Azure Foundations Benchmark recommendation 7.6 | 7 Virtual Machines | Ensure that the endpoint protection for all Virtual Machines is installed | Shared | The customer is responsible for implementing this recommendation. | Install endpoint protection for all virtual machines. | link | 11 |
| CIS_Azure_1.4.0 | 2.11 | CIS_Azure_1.4.0_2.11 | CIS Microsoft Azure Foundations Benchmark recommendation 2.11 | 2 Microsoft Defender for Cloud | Ensure That Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' | Shared | The customer is responsible for implementing this recommendation. | Enable automatic provisioning of the monitoring agent to collect security data. | link | 2 |
| CIS_Azure_1.4.0 | 7.6 | CIS_Azure_1.4.0_7.6 | CIS Microsoft Azure Foundations Benchmark recommendation 7.6 | 7 Virtual Machines | Ensure that the endpoint protection for all Virtual Machines is installed | Shared | The customer is responsible for implementing this recommendation. | Install endpoint protection for all virtual machines. | link | 10 |
| CIS_Azure_2.0.0 | 2.1.15 | CIS_Azure_2.0.0_2.1.15 | CIS Microsoft Azure Foundations Benchmark recommendation 2.1.15 | 2.1 | Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' | Shared | n/a | Enable automatic provisioning of the monitoring agent to collect security data. When `Log Analytics agent for Azure VMs` is turned on, Microsoft Defender for Cloud provisions the Microsoft Monitoring Agent on all existing supported Azure virtual machines and any new ones that are created. The Microsoft Monitoring Agent scans for various security-related configurations and events such as system updates, OS vulnerabilities, endpoint protection, and provides alerts. | link | 2 |
| CIS_Azure_2.0.0 | 7.6 | CIS_Azure_2.0.0_7.6 | CIS Microsoft Azure Foundations Benchmark recommendation 7.6 | 7 | Ensure that Endpoint Protection for all Virtual Machines is installed | Shared | Endpoint protection will incur an additional cost to you. | Install endpoint protection for all virtual machines. Installing endpoint protection systems (like anti-malware for Azure) provides for real-time protection capability that helps identify and remove viruses, spyware, and other malicious software. These also offer configurable alerts when known-malicious or unwanted software attempts to install itself or run on Azure systems. | link | 10 |
| FedRAMP_High_R4 | IR-6(1) | FedRAMP_High_R4_IR-6(1) | FedRAMP High IR-6 (1) | Incident Response | Automated Reporting | Shared | n/a | The organization employs automated mechanisms to assist in the reporting of security incidents. Supplemental Guidance: Related control: IR-7. | link | 1 |
| FedRAMP_High_R4 | IR-7 | FedRAMP_High_R4_IR-7 | FedRAMP High IR-7 | Incident Response | Incident Response Assistance | Shared | n/a | The organization provides an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents. Supplemental Guidance: Incident response support resources provided by organizations include, for example, help desks, assistance groups, and access to forensics services, when required. Related controls: AT-2, IR-4, IR-6, IR-8, SA-9. | link | 1 |
| FedRAMP_High_R4 | SI-4(2) | FedRAMP_High_R4_SI-4(2) | FedRAMP High SI-4 (2) | System And Information Integrity | Automated Tools For Real-Time Analysis | Shared | n/a | The organization employs automated tools to support near real-time analysis of events. Supplemental Guidance: Automated tools include, for example, host-based, network-based, transport-based, or storage-based event monitoring tools or Security Information and Event Management (SIEM) technologies that provide real-time analysis of alerts and/or notifications generated by organizational information systems. | link | 2 |
| FedRAMP_Moderate_R4 | IR-6(1) | FedRAMP_Moderate_R4_IR-6(1) | FedRAMP Moderate IR-6 (1) | Incident Response | Automated Reporting | Shared | n/a | The organization employs automated mechanisms to assist in the reporting of security incidents. Supplemental Guidance: Related control: IR-7. | link | 1 |
| FedRAMP_Moderate_R4 | IR-7 | FedRAMP_Moderate_R4_IR-7 | FedRAMP Moderate IR-7 | Incident Response | Incident Response Assistance | Shared | n/a | The organization provides an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents. Supplemental Guidance: Incident response support resources provided by organizations include, for example, help desks, assistance groups, and access to forensics services, when required. Related controls: AT-2, IR-4, IR-6, IR-8, SA-9. | link | 1 |
| FedRAMP_Moderate_R4 | SI-4(2) | FedRAMP_Moderate_R4_SI-4(2) | FedRAMP Moderate SI-4 (2) | System And Information Integrity | Automated Tools For Real-Time Analysis | Shared | n/a | The organization employs automated tools to support near real-time analysis of events. Supplemental Guidance: Automated tools include, for example, host-based, network-based, transport-based, or storage-based event monitoring tools or Security Information and Event Management (SIEM) technologies that provide real-time analysis of alerts and/or notifications generated by organizational information systems. | link | 2 |
| hipaa | 1216.09ab3System.12-09.ab | hipaa-1216.09ab3System.12-09.ab | 1216.09ab3System.12-09.ab | 12 Audit Logging & Monitoring | 1216.09ab3System.12-09.ab 09.10 Monitoring | Shared | n/a | Automated systems are used to review monitoring activities of security systems (e.g., IPS/IDS) and system records on a daily basis, and identify and document anomalies. | | 20 |
| hipaa | 1218.09ab3System.47-09.ab | hipaa-1218.09ab3System.47-09.ab | 1218.09ab3System.47-09.ab | 12 Audit Logging & Monitoring | 1218.09ab3System.47-09.ab 09.10 Monitoring | Shared | n/a | Automated systems support near real-time analysis and alerting of events (e.g., malicious code, potential intrusions) and integrate intrusion detection into access and flow control mechanisms. | | 7 |
| hipaa | 1503.02f2Organizational.12-02.f | hipaa-1503.02f2Organizational.12-02.f | 1503.02f2Organizational.12-02.f | 15 Incident Management | 1503.02f2Organizational.12-02.f 02.03 During Employment | Shared | n/a | A contact in HR is appointed to handle employee security incidents and notify the CISO or a designated representative of the application of a formal employee sanctions process, identifying the individual and the reason for the sanction. | | 11 |
| hipaa | 1504.06e1Organizational.34-06.e | hipaa-1504.06e1Organizational.34-06.e | 1504.06e1Organizational.34-06.e | 15 Incident Management | 1504.06e1Organizational.34-06.e 06.01 Compliance with Legal Requirements | Shared | n/a | Management approves the use of information assets and takes appropriate action when unauthorized activity occurs. | | 16 |
| hipaa | 1505.11a1Organizational.13-11.a | hipaa-1505.11a1Organizational.13-11.a | 1505.11a1Organizational.13-11.a | 15 Incident Management | 1505.11a1Organizational.13-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Shared | n/a | A formal security incident response program has been established to respond, report (without fear of repercussion), escalate and treat breaches and reported security events or incidents. Organization-wide standards are specified for the time required for system administrators and other personnel to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification. This reporting includes notifying internal and external stakeholders, the appropriate community Computer Emergency Response Team, and law enforcement agencies in accordance with all legal or regulatory requirements for involving such organizations in computer incidents. | | 19 |
| hipaa | 1506.11a1Organizational.2-11.a | hipaa-1506.11a1Organizational.2-11.a | 1506.11a1Organizational.2-11.a | 15 Incident Management | 1506.11a1Organizational.2-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Shared | n/a | There is a point of contact for reporting information security events who is made known throughout the organization, always available, and able to provide adequate and timely response. The organization also maintains a list of third-party contact information (e.g., the email addresses of their information security officers), which can be used to report a security incident. | | 10 |
| hipaa | 1508.11a2Organizational.1-11.a | hipaa-1508.11a2Organizational.1-11.a | 1508.11a2Organizational.1-11.a | 15 Incident Management | 1508.11a2Organizational.1-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Shared | n/a | The organization provides a process/mechanism to anonymously report security issues. | | 8 |
| hipaa | 1509.11a2Organizational.236-11.a | hipaa-1509.11a2Organizational.236-11.a | 1509.11a2Organizational.236-11.a | 15 Incident Management | 1509.11a2Organizational.236-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Shared | n/a | The incident management program formally defines information security incidents and the phases of incident response; roles and responsibilities; incident handling, reporting and communication processes; third-party relationships and the handling of third-party breaches; and the supporting forensics program. The organization formally assigns job titles and duties for handling computer and network security incidents to specific individuals and identifies management personnel who will support the incident handling process by acting in key decision-making roles. | | 17 |
| hipaa | 1510.11a2Organizational.47-11.a | hipaa-1510.11a2Organizational.47-11.a | 1510.11a2Organizational.47-11.a | 15 Incident Management | 1510.11a2Organizational.47-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Shared | n/a | Reports and communications are made without unreasonable delay and no later than 60 days after the discovery of an incident, unless otherwise stated by law enforcement orally or in writing, and include the necessary elements. | | 11 |
| hipaa | 1511.11a2Organizational.5-11.a | hipaa-1511.11a2Organizational.5-11.a | 1511.11a2Organizational.5-11.a | 15 Incident Management | 1511.11a2Organizational.5-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Shared | n/a | All employees, contractors and third-party users receive mandatory incident response training to ensure they are aware of their responsibilities to report information security events as quickly as possible, the procedure for reporting information security events, and the point(s) of contact, including the incident response team, and the contact information is published and made readily available. | | 13 |
| hipaa | 1512.11a2Organizational.8-11.a | hipaa-1512.11a2Organizational.8-11.a | 1512.11a2Organizational.8-11.a | 15 Incident Management | 1512.11a2Organizational.8-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Shared | n/a | Intrusion detection/information protection system (IDS/IPS) alerts are utilized for reporting information security events. | | 17 |
| hipaa | 1516.11c1Organizational.12-11.c | hipaa-1516.11c1Organizational.12-11.c | 1516.11c1Organizational.12-11.c | 15 Incident Management | 1516.11c1Organizational.12-11.c 11.02 Management of Information Security Incidents and Improvements | Shared | n/a | The security incident response program accounts for and prepares the organization for a variety of incidents. | | 10 |
| hipaa | 1517.11c1Organizational.3-11.c | hipaa-1517.11c1Organizational.3-11.c | 1517.11c1Organizational.3-11.c | 15 Incident Management | 1517.11c1Organizational.3-11.c 11.02 Management of Information Security Incidents and Improvements | Shared | n/a | There is a point of contact who is responsible for coordinating incident responses and has the authority to direct actions required in all phases of the incident response process. | | 6 |
| hipaa | 1519.11c2Organizational.2-11.c | hipaa-1519.11c2Organizational.2-11.c | 1519.11c2Organizational.2-11.c | 15 Incident Management | 1519.11c2Organizational.2-11.c 11.02 Management of Information Security Incidents and Improvements | Shared | n/a | For unauthorized disclosures of covered information, a log is maintained and annually submitted to the appropriate parties (e.g., a state, regional or national regulatory agency). | | 14 |
| hipaa | 1522.11c3Organizational.13-11.c | hipaa-1522.11c3Organizational.13-11.c | 1522.11c3Organizational.13-11.c | 15 Incident Management | 1522.11c3Organizational.13-11.c 11.02 Management of Information Security Incidents and Improvements | Shared | n/a | An incident response support resource, who is an integral part of the organization's incident response capability, is available to offer advice and assistance to users of information systems for the handling and reporting of security incidents in a timely manner. | | 6 |
| hipaa | 1523.11c3Organizational.24-11.c | hipaa-1523.11c3Organizational.24-11.c | 1523.11c3Organizational.24-11.c | 15 Incident Management | 1523.11c3Organizational.24-11.c 11.02 Management of Information Security Incidents and Improvements | Shared | n/a | Incidents are promptly reported to the appropriate authorities and outside parties (e.g., FedCIRC, CERT/CC). | | 4 |
| ISO27001-2013 | A.16.1.2 | ISO27001-2013_A.16.1.2 | ISO 27001:2013 A.16.1.2 | Information Security Incident Management | Reporting information security events | Shared | n/a | Information security events shall be reported through appropriate management channels as quickly as possible. | link | 14 |
| ISO27001-2013 | A.16.1.3 | ISO27001-2013_A.16.1.3 | ISO 27001:2013 A.16.1.3 | Information Security Incident Management | Reporting information security weaknesses | Shared | n/a | Employees and contractors using the organization's information systems and services shall be required to note and report any observed or suspected information security weaknesses in systems or services. | link | 4 |
| NIST_SP_800-171_R2 | 3.14.6 | NIST_SP_800-171_R2_3.14.6 | NIST SP 800-171 R2 3.14.6 | System and Information Integrity | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | Shared | Microsoft and the customer share responsibilities for implementing this requirement. | System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the system. Organizations can monitor systems, for example, by observing audit record activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. System monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include selected perimeter locations and near server farms supporting critical applications, with such devices being employed at managed system interfaces. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of systems to support such objectives. System monitoring is an integral part of continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Unusual or unauthorized activities or conditions related to inbound/outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements. [SP 800-94] provides guidance on intrusion detection and prevention systems. | link | 27 |
| NIST_SP_800-171_R2 | 3.6.1 | NIST_SP_800-171_R2_3.6.1 | NIST SP 800-171 R2 3.6.1 | Incident response | Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. | Shared | Microsoft and the customer share responsibilities for implementing this requirement. | Organizations recognize that incident handling capability is dependent on the capabilities of organizational systems and the mission/business processes being supported by those systems. Organizations consider incident handling as part of the definition, design, and development of mission/business processes and systems. Incident-related information can be obtained from a variety of sources including audit monitoring, network monitoring, physical access monitoring, user and administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including mission/business owners, system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive. As part of user response activities, incident response training is provided by organizations and is linked directly to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the system; system administrators may require additional training on how to handle or remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification/reporting of suspicious activities from external and internal sources. User response activities also include incident response assistance, which may consist of help desk support, assistance groups, and access to forensics services or consumer redress services, when required. [SP 800-61] provides guidance on incident handling. [SP 800-86] and [SP 800-101] provide guidance on integrating forensic techniques into incident response. [SP 800-161] provides guidance on supply chain risk management. | link | 12 |
| NIST_SP_800-53_R4 | IR-6(1) | NIST_SP_800-53_R4_IR-6(1) | NIST SP 800-53 Rev. 4 IR-6 (1) | Incident Response | Automated Reporting | Shared | n/a | The organization employs automated mechanisms to assist in the reporting of security incidents. Supplemental Guidance: Related control: IR-7. | link | 1 |
| NIST_SP_800-53_R4 | IR-7 | NIST_SP_800-53_R4_IR-7 | NIST SP 800-53 Rev. 4 IR-7 | Incident Response | Incident Response Assistance | Shared | n/a | The organization provides an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents. Supplemental Guidance: Incident response support resources provided by organizations include, for example, help desks, assistance groups, and access to forensics services, when required. Related controls: AT-2, IR-4, IR-6, IR-8, SA-9. | link | 1 |
| NIST_SP_800-53_R4 | SI-4(2) | NIST_SP_800-53_R4_SI-4(2) | NIST SP 800-53 Rev. 4 SI-4 (2) | System And Information Integrity | Automated Tools For Real-Time Analysis | Shared | n/a | The organization employs automated tools to support near real-time analysis of events. Supplemental Guidance: Automated tools include, for example, host-based, network-based, transport-based, or storage-based event monitoring tools or Security Information and Event Management (SIEM) technologies that provide real-time analysis of alerts and/or notifications generated by organizational information systems. | link | 2 |
| NIST_SP_800-53_R5 | IR-6(1) | NIST_SP_800-53_R5_IR-6(1) | NIST SP 800-53 Rev. 5 IR-6 (1) | Incident Response | Automated Reporting | Shared | n/a | Report incidents using [Assignment: organization-defined automated mechanisms]. | link | 1 |
| NIST_SP_800-53_R5 | IR-7 | NIST_SP_800-53_R5_IR-7 | NIST SP 800-53 Rev. 5 IR-7 | Incident Response | Incident Response Assistance | Shared | n/a | Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents. | link | 1 |
| NIST_SP_800-53_R5 | SI-4(2) | NIST_SP_800-53_R5_SI-4(2) | NIST SP 800-53 Rev. 5 SI-4 (2) | System and Information Integrity | Automated Tools and Mechanisms for Real-time Analysis | Shared | n/a | Employ automated tools and mechanisms to support near real-time analysis of events. | link | 2 |
| | op.exp.7 Incident management | op.exp.7 Incident management | | | | | n/a | n/a | | 103 |
| | op.exp.9 Incident management record | op.exp.9 Incident management record | | | | | n/a | n/a | | 30 |
| | org.2 Security regulations | org.2 Security regulations | | | | | n/a | n/a | | 100 |
| SWIFT_CSCF_v2022 | 11.1 | SWIFT_CSCF_v2022_11.1 | SWIFT CSCF v2022 11.1 | 11. Monitor in case of Major Disaster | Ensure a consistent and effective approach for the event monitoring and escalation. | Shared | n/a | Ensure a consistent and effective approach for the event monitoring and escalation. | link | 5 |
| SWIFT_CSCF_v2022 | 11.2 | SWIFT_CSCF_v2022_11.2 | SWIFT CSCF v2022 11.2 | 11. Monitor in case of Major Disaster | Ensure a consistent and effective approach for the management of incidents (Problem Management). | Shared | n/a | Ensure a consistent and effective approach for the management of incidents (Problem Management). | link | 20 |
| SWIFT_CSCF_v2022 | 11.4 | SWIFT_CSCF_v2022_11.4 | SWIFT CSCF v2022 11.4 | 11. Monitor in case of Major Disaster | Ensure an adequate escalation of operational malfunctions in case of customer impact. | Shared | n/a | Ensure an adequate escalation of operational malfunctions in case of customer impact. | link | 14 |
| SWIFT_CSCF_v2022 | 11.5 | SWIFT_CSCF_v2022_11.5 | SWIFT CSCF v2022 11.5 | 11. Monitor in case of Major Disaster | Effective support is offered to customers in case they face problems during their business hours. | Shared | n/a | Effective support is offered to customers in case they face problems during their business hours. | link | 10 |
| SWIFT_CSCF_v2022 | 6.5A | SWIFT_CSCF_v2022_6.5A | SWIFT CSCF v2022 6.5A | 6. Detect Anomalous Activity to Systems or Transaction Records | Detect and contain anomalous network activity into and within the local or remote SWIFT environment. | Shared | n/a | Intrusion detection is implemented to detect unauthorised network access and anomalous activity. | link | 17 |