compliance controls are associated with this Policy definition 'Establish firewall and router configuration standards' (398fdbd8-56fd-274d-35c6-fa2d3b2755a1)
Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
CIS_Azure_1.1.0 |
3.8 |
CIS_Azure_1.1.0_3.8 |
CIS Microsoft Azure Foundations Benchmark recommendation 3.8 |
3 Storage Accounts |
Ensure 'Trusted Microsoft Services' is enabled for Storage Account access |
Shared |
The customer is responsible for implementing this recommendation. |
Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Microsoft services exception is enabled, the following services: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription), are granted access to the storage account. |
link |
6 |
CIS_Azure_1.3.0 |
3.7 |
CIS_Azure_1.3.0_3.7 |
CIS Microsoft Azure Foundations Benchmark recommendation 3.7 |
3 Storage Accounts |
Ensure 'Trusted Microsoft Services' is enabled for Storage Account access |
Shared |
The customer is responsible for implementing this recommendation. |
Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Microsoft services exception is enabled, the following services: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription), are granted access to the storage account. |
link |
6 |
CIS_Azure_1.3.0 |
4.3.8 |
CIS_Azure_1.3.0_4.3.8 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.3.8 |
4 Database Services |
Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled |
Shared |
The customer is responsible for implementing this recommendation. |
Disable access from Azure services to PostgreSQL Database Server |
link |
5 |
CIS_Azure_1.4.0 |
3.7 |
CIS_Azure_1.4.0_3.7 |
CIS Microsoft Azure Foundations Benchmark recommendation 3.7 |
3 Storage Accounts |
Ensure 'Trusted Microsoft Services' are Enabled for Storage Account Access |
Shared |
The customer is responsible for implementing this recommendation. |
Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Microsoft services exception is enabled, the following services: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription), are granted access to the storage account. |
link |
6 |
CIS_Azure_1.4.0 |
4.3.7 |
CIS_Azure_1.4.0_4.3.7 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.3.7 |
4 Database Services |
Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled |
Shared |
The customer is responsible for implementing this recommendation. |
Disable access from Azure services to PostgreSQL Database Server |
link |
5 |
CIS_Azure_2.0.0 |
3.9 |
CIS_Azure_2.0.0_3.9 |
CIS Microsoft Azure Foundations Benchmark recommendation 3.9 |
3 |
Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access |
Shared |
This creates authentication credentials for services that need access to storage resources so that services will no longer need to communicate via network request. There may be a temporary loss of communication as you set each Storage Account. It is recommended to not do this on mission-critical resources during business hours. |
Some Azure services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Azure services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Azure services exception is enabled, the following services are granted access to the storage account: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor, and Azure SQL Data Warehouse (when registered in the subscription).
Turning on firewall rules for storage account will block access to incoming requests for data, including from other Azure services. We can re-enable this functionality by enabling `"Trusted Azure Services"` through networking exceptions. |
link |
6 |
CIS_Azure_2.0.0 |
4.3.7 |
CIS_Azure_2.0.0_4.3.7 |
CIS Microsoft Azure Foundations Benchmark recommendation 4.3.7 |
4.3 |
Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled |
Shared |
n/a |
Disable access from Azure services to PostgreSQL Database Server.
If access from Azure services is enabled, the server's firewall will accept connections from all Azure resources, including resources not in your subscription. This is usually not a desired configuration. Instead, set up firewall rules to allow access from specific network ranges or VNET rules to allow access from specific virtual networks. |
link |
7 |
FedRAMP_High_R4 |
AC-4(21) |
FedRAMP_High_R4_AC-4(21) |
FedRAMP High AC-4 (21) |
Access Control |
Physical / Logical Separation Of Information Flows |
Shared |
n/a |
The information system separates information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization- defined required separations by types of information].
Supplemental Guidance: Enforcing the separation of information flows by type can enhance protection by ensuring that information is not commingled while in transit and by enabling flow control by transmission paths perhaps not otherwise achievable. Types of separable information include, for example, inbound and outbound communications traffic, service requests and responses, and information of differing security categories. |
link |
4 |
FedRAMP_Moderate_R4 |
AC-4(21) |
FedRAMP_Moderate_R4_AC-4(21) |
FedRAMP Moderate AC-4 (21) |
Access Control |
Physical / Logical Separation Of Information Flows |
Shared |
n/a |
The information system separates information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization- defined required separations by types of information].
Supplemental Guidance: Enforcing the separation of information flows by type can enhance protection by ensuring that information is not commingled while in transit and by enabling flow control by transmission paths perhaps not otherwise achievable. Types of separable information include, for example, inbound and outbound communications traffic, service requests and responses, and information of differing security categories. |
link |
4 |
hipaa |
0811.01n2Organizational.6-01.n |
hipaa-0811.01n2Organizational.6-01.n |
0811.01n2Organizational.6-01.n |
08 Network Protection |
0811.01n2Organizational.6-01.n 01.04 Network Access Control |
Shared |
n/a |
Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need. |
|
23 |
hipaa |
0817.01w2System.123-01.w |
hipaa-0817.01w2System.123-01.w |
0817.01w2System.123-01.w |
08 Network Protection |
0817.01w2System.123-01.w 01.06 Application and Information Access Control |
Shared |
n/a |
Unless the risk is identified and accepted by the data owner, sensitive systems are isolated (physically or logically) from non-sensitive applications/systems. |
|
13 |
hipaa |
0859.09m1Organizational.78-09.m |
hipaa-0859.09m1Organizational.78-09.m |
0859.09m1Organizational.78-09.m |
08 Network Protection |
0859.09m1Organizational.78-09.m 09.06 Network Security Management |
Shared |
n/a |
The organization ensures the security of information in networks, availability of network services and information services using the network, and the protection of connected services from unauthorized access. |
|
13 |
hipaa |
0928.09v1Organizational.45-09.v |
hipaa-0928.09v1Organizational.45-09.v |
0928.09v1Organizational.45-09.v |
09 Transmission Protection |
0928.09v1Organizational.45-09.v 09.08 Exchange of Information |
Shared |
n/a |
Stronger controls are implemented to protect certain electronic messages, and electronic messages are protected throughout the duration of its end-to-end transport path, using cryptographic mechanisms unless protected by alternative measures. |
|
9 |
hipaa |
0929.09v1Organizational.6-09.v |
hipaa-0929.09v1Organizational.6-09.v |
0929.09v1Organizational.6-09.v |
09 Transmission Protection |
0929.09v1Organizational.6-09.v 09.08 Exchange of Information |
Shared |
n/a |
The organization never sends unencrypted sensitive information by end-user messaging technologies (e.g., email, instant messaging, and chat). |
|
9 |
hipaa |
0944.09y1Organizational.2-09.y |
hipaa-0944.09y1Organizational.2-09.y |
0944.09y1Organizational.2-09.y |
09 Transmission Protection |
0944.09y1Organizational.2-09.y 09.09 Electronic Commerce Services |
Shared |
n/a |
Security is maintained through all aspects of the transaction. |
|
8 |
hipaa |
1131.01v2System.2-01.v |
hipaa-1131.01v2System.2-01.v |
1131.01v2System.2-01.v |
11 Access Control |
1131.01v2System.2-01.v 01.06 Application and Information Access Control |
Shared |
n/a |
Outputs from application systems handling covered information are limited to the minimum necessary and sent only to authorized terminals/locations. |
|
6 |
hipaa |
1150.01c2System.10-01.c |
hipaa-1150.01c2System.10-01.c |
1150.01c2System.10-01.c |
11 Access Control |
1150.01c2System.10-01.c 01.02 Authorized Access to Information Systems |
Shared |
n/a |
The access control system for the system components storing, processing or transmitting covered information is set with a default "deny-all" setting. |
|
7 |
ISO27001-2013 |
A.13.1.1 |
ISO27001-2013_A.13.1.1 |
ISO 27001:2013 A.13.1.1 |
Communications Security |
Network controls |
Shared |
n/a |
Networks shall be managed and controlled to protect information in systems and applications. |
link |
40 |
ISO27001-2013 |
A.13.1.2 |
ISO27001-2013_A.13.1.2 |
ISO 27001:2013 A.13.1.2 |
Communications Security |
Security of network services |
Shared |
n/a |
Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced. |
link |
16 |
ISO27001-2013 |
A.13.1.3 |
ISO27001-2013_A.13.1.3 |
ISO 27001:2013 A.13.1.3 |
Communications Security |
Segregation of networks |
Shared |
n/a |
Groups of information services, users, and information systems shall be segregated on networks. |
link |
17 |
ISO27001-2013 |
A.13.2.1 |
ISO27001-2013_A.13.2.1 |
ISO 27001:2013 A.13.2.1 |
Communications Security |
Information transfer policies and procedures |
Shared |
n/a |
Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities. |
link |
32 |
ISO27001-2013 |
A.13.2.3 |
ISO27001-2013_A.13.2.3 |
ISO 27001:2013 A.13.2.3 |
Communications Security |
Electronic messaging |
Shared |
n/a |
Information involved in electronic messaging shall be appropriately protected. |
link |
10 |
ISO27001-2013 |
A.14.1.2 |
ISO27001-2013_A.14.1.2 |
ISO 27001:2013 A.14.1.2 |
System Acquisition, Development And Maintenance |
Securing application services on public networks |
Shared |
n/a |
Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. |
link |
32 |
ISO27001-2013 |
A.14.1.3 |
ISO27001-2013_A.14.1.3 |
ISO 27001:2013 A.14.1.3 |
System Acquisition, Development And Maintenance |
Protecting application services transactions |
Shared |
n/a |
Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. |
link |
29 |
ISO27001-2013 |
A.8.2.3 |
ISO27001-2013_A.8.2.3 |
ISO 27001:2013 A.8.2.3 |
Asset Management |
Handling of assets |
Shared |
n/a |
Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization. |
link |
26 |
|
mp.com.1 Secure perimeter |
mp.com.1 Secure perimeter |
404 not found |
|
|
|
n/a |
n/a |
|
49 |
|
mp.com.2 Protection of confidentiality |
mp.com.2 Protection of confidentiality |
404 not found |
|
|
|
n/a |
n/a |
|
55 |
|
mp.com.3 Protection of integrity and authenticity |
mp.com.3 Protection of integrity and authenticity |
404 not found |
|
|
|
n/a |
n/a |
|
62 |
|
mp.com.4 Separation of information flows on the network |
mp.com.4 Separation of information flows on the network |
404 not found |
|
|
|
n/a |
n/a |
|
51 |
|
mp.info.2 Rating of information |
mp.info.2 Rating of information |
404 not found |
|
|
|
n/a |
n/a |
|
45 |
|
mp.info.3 Electronic signature |
mp.info.3 Electronic signature |
404 not found |
|
|
|
n/a |
n/a |
|
40 |
|
mp.info.4 Time stamps |
mp.info.4 Time stamps |
404 not found |
|
|
|
n/a |
n/a |
|
33 |
|
mp.s.1 E-mail protection |
mp.s.1 E-mail protection |
404 not found |
|
|
|
n/a |
n/a |
|
48 |
|
mp.s.2 Protection of web services and applications |
mp.s.2 Protection of web services and applications |
404 not found |
|
|
|
n/a |
n/a |
|
102 |
NIST_SP_800-171_R2_3 |
.1.3 |
NIST_SP_800-171_R2_3.1.3 |
NIST SP 800-171 R2 3.1.3 |
Access Control |
Control the flow of CUI in accordance with approved authorizations. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Information flow control regulates where information can travel within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include the following: keeping export-controlled information from being transmitted in the clear to the Internet; blocking outside traffic that claims to be from within the organization; restricting requests to the Internet that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content. Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Transferring information between systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes: prohibiting information transfers between interconnected systems (i.e., allowing access only); employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security attributes and security labels. |
link |
56 |
NIST_SP_800-53_R4 |
AC-4(21) |
NIST_SP_800-53_R4_AC-4(21) |
NIST SP 800-53 Rev. 4 AC-4 (21) |
Access Control |
Physical / Logical Separation Of Information Flows |
Shared |
n/a |
The information system separates information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization- defined required separations by types of information].
Supplemental Guidance: Enforcing the separation of information flows by type can enhance protection by ensuring that information is not commingled while in transit and by enabling flow control by transmission paths perhaps not otherwise achievable. Types of separable information include, for example, inbound and outbound communications traffic, service requests and responses, and information of differing security categories. |
link |
4 |
NIST_SP_800-53_R5 |
AC-4(21) |
NIST_SP_800-53_R5_AC-4(21) |
NIST SP 800-53 Rev. 5 AC-4 (21) |
Access Control |
Physical or Logical Separation of Information Flows |
Shared |
n/a |
Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information]. |
link |
4 |
|
op.acc.6 Authentication mechanism (organization users) |
op.acc.6 Authentication mechanism (organization users) |
404 not found |
|
|
|
n/a |
n/a |
|
78 |
|
op.exp.2 Security configuration |
op.exp.2 Security configuration |
404 not found |
|
|
|
n/a |
n/a |
|
112 |
|
op.ext.4 Interconnection of systems |
op.ext.4 Interconnection of systems |
404 not found |
|
|
|
n/a |
n/a |
|
68 |
|
op.mon.1 Intrusion detection |
op.mon.1 Intrusion detection |
404 not found |
|
|
|
n/a |
n/a |
|
50 |
|
op.pl.2 Security Architecture |
op.pl.2 Security Architecture |
404 not found |
|
|
|
n/a |
n/a |
|
65 |
|
op.pl.3 Acquisition of new components |
op.pl.3 Acquisition of new components |
404 not found |
|
|
|
n/a |
n/a |
|
61 |
|
org.3 Security procedures |
org.3 Security procedures |
404 not found |
|
|
|
n/a |
n/a |
|
83 |
SOC_2 |
CC6.1 |
SOC_2_CC6.1 |
SOC 2 Type 2 CC6.1 |
Logical and Physical Access Controls |
Logical access security software, infrastructure, and architectures |
Shared |
The customer is responsible for implementing this recommendation. |
The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion:
• Identifies and Manages the Inventory of Information Assets — The entity identifies,
Page 29
TSP
Ref. #
TRUST SERVICES CRITERIA AND POINTS OF FOCUS
inventories, classifies, and manages information assets.
• Restricts Logical Access — Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative
authorities, mobile devices, output, and offline system components is restricted
through the use of access control software and rule sets.
• Identifies and Authenticates Users — Persons, infrastructure, and software are
identified and authenticated prior to accessing information assets, whether locally
or remotely.
• Considers Network Segmentation — Network segmentation permits unrelated portions of the entity's information system to be isolated from each other.
• Manages Points of Access — Points of access by outside entities and the types of
data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified,
documented, and managed.
• Restricts Access to Information Assets — Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets.
• Manages Identification and Authentication — Identification and authentication requirements are established, documented, and managed for individuals and systems
accessing entity information, infrastructure, and software.
• Manages Credentials for Infrastructure and Software — New internal and external
infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point.
Credentials are removed and access is disabled when access is no longer required
or the infrastructure and software are no longer in use.
• Uses Encryption to Protect Data — The entity uses encryption to supplement other
measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk.
• Protects Encryption Keys — Processes are in place to protect encryption keys during generation, storage, use, and destruction |
|
78 |
SOC_2 |
CC6.6 |
SOC_2_CC6.6 |
SOC 2 Type 2 CC6.6 |
Logical and Physical Access Controls |
Security measures against threats outside system boundaries |
Shared |
The customer is responsible for implementing this recommendation. |
• Restricts Access — The types of activities that can occur through a communication
channel (for example, FTP site, router port) are restricted.
• Protects Identification and Authentication Credentials — Identification and authentication credentials are protected during transmission outside its system boundaries.
• Requires Additional Authentication or Credentials — Additional authentication information or credentials are required when accessing the system from outside its
boundaries.
• Implements Boundary Protection Systems — Boundary protection systems (for example, firewalls, demilitarized zones, and intrusion detection systems) are implemented to protect external access points from attempts and unauthorized access and
are monitored to detect such attempts |
|
40 |
SOC_2 |
CC6.7 |
SOC_2_CC6.7 |
SOC 2 Type 2 CC6.7 |
Logical and Physical Access Controls |
Restrict the movement of information to authorized users |
Shared |
The customer is responsible for implementing this recommendation. |
• Restricts the Ability to Perform Transmission — Data loss prevention processes and
technologies are used to restrict ability to authorize and execute transmission,
movement, and removal of information.
• Uses Encryption Technologies or Secure Communication Channels to Protect Data
— Encryption technologies or secured communication channels are used to protect
transmission of data and other communications beyond connectivity access points.
• Protects Removal Media — Encryption technologies and physical asset protections
are used for removable media (such as USB drives and backup tapes), as appropriate.
• Protects Mobile Devices — Processes are in place to protect mobile devices (such
as laptops, smart phones, and tablets) that serve as information assets |
|
29 |
SWIFT_CSCF_v2022 |
1.5A |
SWIFT_CSCF_v2022_1.5A |
SWIFT CSCF v2022 1.5A |
1. Restrict Internet Access & Protect Critical Systems from General IT Environment |
Ensure the protection of the customer’s connectivity infrastructure from external environment and potentially compromised elements of the general IT environment. |
Shared |
n/a |
A separated secure zone safeguards the customer's infrastructure used for external connectivity from external environments and compromises or attacks on the broader enterprise environment. |
link |
24 |