Source | Azure Portal | ||
Display name | Microsoft Managed Control 1210 - Configuration Settings | ||
Id | 3502c968-c490-4570-8167-1476f955e9b8 | ||
Version | 1.0.0 |
||
Versioning |
Versions supported for Versioning: 0 Built-in Versioning [Preview] |
||
Category | Regulatory Compliance |
||
Description | Microsoft implements this Configuration Management control | ||
Additional metadata |
Name/Id: ACF1210 / Microsoft Managed Control 1210
Category: Configuration Management
Title: Configuration Settings - Deviations from Established Settings
Ownership: Customer, Microsoft
Description: The organization: Identifies, documents, and approves any deviations from established configuration settings for All components based on Approved operational requirements; and
Requirements:

Servers
There are currently no exceptions to the mandatory configuration settings in Azure, as all Azure components are running one of the approved builds. In the case of an exception, the exception is documented through the One Compliance System (1CS) exception process. If there is a need to deviate from the standard configuration settings, the Azure System Owner is required to approve the documented operational necessity for this deviation. All configuration changes are limited to the specific service team members responsible for the component and are captured as part of the workflow for the change management process defined in the Azure change process.

Network Devices
Exceptions may be discovered that require temporary deviation from the mandatory configuration settings to avoid impacting production services while the issue is resolved. In these situations, Azure Networking takes the following actions:
* The issue is triaged and discussed by Azure Networking Operations and Azure Networking Engineering (including Azure Networking management), and a course of action is agreed upon and approved by this group.
* The issue is discussed in the daily Azure Networking Operations meeting for general awareness.
* The relevant policy in Config Policy Verifier (CPV) is temporarily altered.
* The issue is fixed. As an example, this might involve deploying a new code revision to the affected devices.
* The relevant policy in CPV is restored, and the configuration testing against the baseline resumes as usual.

ACL Configuration Changes
Security reviews are used by Azure and business groups to assess the security risks associated with non-standard operational implementations. Changes not expressly allowed by the Firewall and Tiered ACL guidelines (e.g. when an Azure team requests a non-standard change to configuration settings) are not allowed to be made to the Azure system’s current configuration without a completed review. As an alternative to a quarterly review cycle, Azure performs these reviews in real time, prior to the implementation of the non-standard change (configuration changes that are not automatically approved within the Firewall and Tiered ACL Guidelines). To request a review, the requesting Azure team must populate a questionnaire, providing descriptions of the request, requirements, and justification for the change. Depending on the asset classification of data, descriptions may include data types, current compliance with data handling, and any risk assessment or threat analysis the Azure team has conducted in coordination with Privacy, CELA, or C+AI Security. The Azure team must also provide documentation to help the reviewing team (C+AI Security Solutions) assess operational risks (e.g. architecture and network diagrams, infrastructure threat models, etc.). |
||
Mode | Indexed | ||
Type | Static | ||
Preview | False | ||
Deprecated | False | ||
Effect | Fixed audit |
||
RBAC role(s) | none | ||
Rule aliases | none | ||
Rule resource types | IF (2): Microsoft.Resources/subscriptions, Microsoft.Resources/subscriptions/resourceGroups |
||
Compliance | Not a Compliance control | ||
Initiatives usage | none | ||
History | none | ||
JSON compare | n/a | ||
JSON |
|