last sync: 2024-Nov-25 18:54:24 UTC

App Service apps should only be accessible over HTTPS

Azure BuiltIn Policy definition

Source Azure Portal
Display name App Service apps should only be accessible over HTTPS
Id a4af4a39-4135-47fb-b175-47fbdf85311d
Version 4.0.0
Details on versioning
Versioning Versions supported for Versioning: 1
4.0.0
Built-in Versioning [Preview]
Category App Service
Microsoft Learn
Description Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.
Mode Indexed
Type BuiltIn
Preview False
Deprecated False
Effect Default
Audit
Allowed
Audit, Disabled, Deny
RBAC role(s) none
Rule aliases IF (1)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Web/sites/httpsOnly Microsoft.Web sites properties.httpsOnly True True
Rule resource types IF (1)
Microsoft.Web/sites
Compliance
The following 59 compliance controls are associated with this Policy definition 'App Service apps should only be accessible over HTTPS' (a4af4a39-4135-47fb-b175-47fbdf85311d)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
AU_ISM 1552 AU_ISM_1552 AU ISM 1552 Guidelines for Software Development - Web application development Web application interactions - 1552 n/a All web application content is offered exclusively using HTTPS. link 3
Azure_Security_Benchmark_v1.0 4.4 Azure_Security_Benchmark_v1.0_4.4 Azure Security Benchmark 4.4 Data Protection Encrypt all sensitive information in transit Shared Encrypt all sensitive information in transit. Ensure that any clients connecting to your Azure resources are able to negotiate TLS 1.2 or greater. Follow Azure Security Center recommendations for encryption at rest and encryption in transit, where applicable. Understand encryption in transit with Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit n/a link 10
Azure_Security_Benchmark_v2.0 DP-4 Azure_Security_Benchmark_v2.0_DP-4 Azure Security Benchmark DP-4 Data Protection Encrypt sensitive information in transit Shared To complement access controls, data in transit should be protected against ‘out of band’ attacks (e.g. traffic capture) using encryption to ensure that attackers cannot easily read or modify the data. While this is optional for traffic on private networks, this is critical for traffic on external and public networks. For HTTP traffic, ensure that any clients connecting to your Azure resources can negotiate TLS v1.2 or greater. For remote management, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol. Obsoleted SSL, TLS, and SSH versions and protocols, and weak ciphers should be disabled. By default, Azure provides encryption for data in transit between Azure data centers. Understand encryption in transit with Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit Information on TLS Security: https://docs.microsoft.com/security/engineering/solving-tls1-problem Double encryption for Azure data in transit: https://docs.microsoft.com/azure/security/fundamentals/double-encryption#data-in-transit n/a link 12
Azure_Security_Benchmark_v3.0 DP-3 Azure_Security_Benchmark_v3.0_DP-3 Microsoft cloud security benchmark DP-3 Data Protection Encrypt sensitive data in transit Shared **Security Principle:** Protect the data in transit against 'out of band' attacks (such as traffic capture) using encryption to ensure that attackers cannot easily read or modify the data. Set the network boundary and service scope where data in transit encryption is mandatory inside and outside of the network. While this is optional for traffic on private networks, this is critical for traffic on external and public networks. **Azure Guidance:** Enforce secure transfer in services such as Azure Storage, where a native data in transit encryption feature is built in. Enforce HTTPS for workload web application and services by ensuring that any clients connecting to your Azure resources use transportation layer security (TLS) v1.2 or later. For remote management of VMs, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol. Note: Data in transit encryption is enabled for all Azure traffic traveling between Azure datacenters. TLS v1.2 or later is enabled on most Azure PaaS services by default. **Implementation and additional context:** Double encryption for Azure data in transit: https://docs.microsoft.com/azure/security/fundamentals/double-encryption#data-in-transit Understand encryption in transit with Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit Information on TLS Security: https://docs.microsoft.com/security/engineering/solving-tls1-problem Enforce secure transfer in Azure storage: https://docs.microsoft.com/azure/storage/common/storage-require-secure-transfer?toc=/azure/storage/blobs/toc.json#require-secure-transfer-for-a-new-storage-account n/a link 15
CCCS SC-8(1) CCCS_SC-8(1) CCCS SC-8(1) System and Communications Protection Transmission Confidentiality and Integrity | Cryptographic or Alternate Physical Protection n/a The information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and detect changes to information during transmission unless otherwise protected by physical security safeguards applied in applied in accordance with, or uses an adequate risk-based approach aligned with the practices specified in TBS and RCMP physical security standards and any related provisions of the Industrial Security Program. The cryptography must be compliant with the requirements of control SC-13. link 5
CIS_Azure_1.1.0 9.2 CIS_Azure_1.1.0_9.2 CIS Microsoft Azure Foundations Benchmark recommendation 9.2 9 AppService Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Shared The customer is responsible for implementing this recommendation. Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic. link 4
CIS_Azure_1.3.0 9.2 CIS_Azure_1.3.0_9.2 CIS Microsoft Azure Foundations Benchmark recommendation 9.2 9 AppService Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Shared The customer is responsible for implementing this recommendation. Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic. link 4
CIS_Azure_1.4.0 9.2 CIS_Azure_1.4.0_9.2 CIS Microsoft Azure Foundations Benchmark recommendation 9.2 9 AppService Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service Shared The customer is responsible for implementing this recommendation. Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic. link 4
CIS_Azure_2.0.0 9.2 CIS_Azure_2.0.0_9.2 CIS Microsoft Azure Foundations Benchmark recommendation 9.2 9 Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service Shared When it is enabled, every incoming HTTP request is redirected to the HTTPS port. This means an extra level of security will be added to the HTTP requests made to the app. Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic. Enabling HTTPS-only traffic will redirect all non-secure HTTP requests to HTTPS ports. HTTPS uses the TLS/SSL protocol to provide a secure connection which is both encrypted and authenticated. It is therefore important to support HTTPS for the security benefits. link 4
CMMC_2.0_L2 SC.L2-3.13.8 CMMC_2.0_L2_SC.L2-3.13.8 404 not found n/a n/a 16
CMMC_L3 AC.1.002 CMMC_L3_AC.1.002 CMMC L3 AC.1.002 Access Control Limit information system access to the types of transactions and functions that authorized users are permitted to execute. Shared Microsoft and the customer share responsibilities for implementing this requirement. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-oforigin. In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades scheduled maintenance,) and mission or business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). link 27
CMMC_L3 IA.3.084 CMMC_L3_IA.3.084 CMMC L3 IA.3.084 Identification and Authentication Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts. Shared Microsoft and the customer share responsibilities for implementing this requirement. Authentication processes resist replay attacks if it is impractical to successfully authenticate by recording or replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or challenge-response one-time authenticators. link 8
CMMC_L3 SC.1.175 CMMC_L3_SC.1.175 CMMC L3 SC.1.175 System and Communications Protection Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Shared Microsoft and the customer share responsibilities for implementing this requirement. Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. link 30
CMMC_L3 SC.3.185 CMMC_L3_SC.3.185 CMMC L3 SC.3.185 System and Communications Protection Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. Shared Microsoft and the customer share responsibilities for implementing this requirement. This requirement applies to internal and external networks and any system components that can transmit information including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines. Communication paths outside the physical protection of controlled boundaries are susceptible to both interception and modification. Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of the controls for transmission confidentiality. In such situations, organizations determine what types of confidentiality services are available in commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary safeguards and assurances of the effectiveness of the safeguards through appropriate contracting vehicles, organizations implement compensating safeguards or explicitly accept the additional risk. An example of an alternative physical safeguard is a protected distribution system (PDS) where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted. link 10
CMMC_L3 SC.3.190 CMMC_L3_SC.3.190 CMMC L3 SC.3.190 System and Communications Protection Protect the authenticity of communications sessions. Shared Microsoft and the customer share responsibilities for implementing this requirement. Authenticity protection includes protecting against man-in-the-middle attacks, session hijacking, and the insertion of false information into communications sessions. This requirement addresses communications protection at the session versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. link 11
FedRAMP_High_R4 SC-8 FedRAMP_High_R4_SC-8 FedRAMP High SC-8 System And Communications Protection Transmission Confidentiality And Integrity Shared n/a The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information. Supplemental Guidance: This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and/or integrity of organizational information can be accomplished by physical means (e.g., by employing physical distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality/integrity. In such situations, organizations determine what types of confidentiality/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk. Related controls: AC-17, PE-4. References: FIPS Publications 140-2, 197; NIST Special Publications 800-52, 800-77, 800-81, 800-113; CNSS Policy 15; NSTISSI No. 7003. link 15
FedRAMP_High_R4 SC-8(1) FedRAMP_High_R4_SC-8(1) FedRAMP High SC-8 (1) System And Communications Protection Cryptographic Or Alternate Physical Protection Shared n/a The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]. Supplemental Guidance: Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Alternative physical security safeguards include, for example, protected distribution systems. Related control: SC-13. link 14
FedRAMP_Moderate_R4 SC-8 FedRAMP_Moderate_R4_SC-8 FedRAMP Moderate SC-8 System And Communications Protection Transmission Confidentiality And Integrity Shared n/a The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information. Supplemental Guidance: This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and/or integrity of organizational information can be accomplished by physical means (e.g., by employing physical distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality/integrity. In such situations, organizations determine what types of confidentiality/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk. Related controls: AC-17, PE-4. References: FIPS Publications 140-2, 197; NIST Special Publications 800-52, 800-77, 800-81, 800-113; CNSS Policy 15; NSTISSI No. 7003. link 15
FedRAMP_Moderate_R4 SC-8(1) FedRAMP_Moderate_R4_SC-8(1) FedRAMP Moderate SC-8 (1) System And Communications Protection Cryptographic Or Alternate Physical Protection Shared n/a The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]. Supplemental Guidance: Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Alternative physical security safeguards include, for example, protected distribution systems. Related control: SC-13. link 14
hipaa 0809.01n2Organizational.1234-01.n hipaa-0809.01n2Organizational.1234-01.n 0809.01n2Organizational.1234-01.n 08 Network Protection 0809.01n2Organizational.1234-01.n 01.04 Network Access Control Shared n/a Network traffic is controlled in accordance with the organization’s access control policy through firewall and other network-related restrictions for each network access point or external telecommunication service's managed interface. 17
hipaa 0810.01n2Organizational.5-01.n hipaa-0810.01n2Organizational.5-01.n 0810.01n2Organizational.5-01.n 08 Network Protection 0810.01n2Organizational.5-01.n 01.04 Network Access Control Shared n/a Transmitted information is secured and, at a minimum, encrypted over open, public networks. 16
hipaa 0811.01n2Organizational.6-01.n hipaa-0811.01n2Organizational.6-01.n 0811.01n2Organizational.6-01.n 08 Network Protection 0811.01n2Organizational.6-01.n 01.04 Network Access Control Shared n/a Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need. 23
hipaa 0812.01n2Organizational.8-01.n hipaa-0812.01n2Organizational.8-01.n 0812.01n2Organizational.8-01.n 08 Network Protection 0812.01n2Organizational.8-01.n 01.04 Network Access Control Shared n/a Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources. 12
hipaa 0814.01n1Organizational.12-01.n hipaa-0814.01n1Organizational.12-01.n 0814.01n1Organizational.12-01.n 08 Network Protection 0814.01n1Organizational.12-01.n 01.04 Network Access Control Shared n/a The ability of users to connect to the internal network is restricted using a deny-by-default and allow-by-exception policy at managed interfaces according to the access control policy and the requirements of its business applications. 11
hipaa 0949.09y2Organizational.5-09.y hipaa-0949.09y2Organizational.5-09.y 0949.09y2Organizational.5-09.y 09 Transmission Protection 0949.09y2Organizational.5-09.y 09.09 Electronic Commerce Services Shared n/a The protocols used for communications are enhanced to address any new vulnerability, and the updated versions of the protocols are adopted as soon as possible. 6
hipaa 1403.05i1Organizational.67-05.i hipaa-1403.05i1Organizational.67-05.i 1403.05i1Organizational.67 - 05.i Identification of Risks Related to External Parties Access granted to external parties is limited to the minimum necessary and granted only for the duration required. Customer n/a Master Supplier Service Agreement (MSSA))
Supplier Data Protection Requirements (DPR)
Supplier Code of Conduct (SCoC)
1
IRS_1075_9.3 .16.6 IRS_1075_9.3.16.6 IRS 1075 9.3.16.6 System and Communications Protection Transmission Confidentiality and Integrity (SC-8) n/a Information systems that receive, process, store, or transmit FTI, must: a. Protect the confidentiality and integrity of transmitted information b. Implement FIPS 140-2 cryptographic mechanisms to prevent unauthorized disclosure of FTI and detect changes to information during transmission across the wide area network (WAN) and within the local area network (LAN) (CE1) The agency must ensure that all network infrastructure, access points, wiring, conduits, and cabling are within the control of authorized agency personnel. Network monitoring capabilities must be implemented to detect and monitor for suspicious network traffic. For physical security protections of transmission medium, see Section 9.3.11.4, Access Control for Transmission Medium (PE-4). This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, fax machines). link 8
ISO27001-2013 A.10.1.1 ISO27001-2013_A.10.1.1 ISO 27001:2013 A.10.1.1 Cryptography Policy on the use of cryptographic controls Shared n/a A policy on the use of cryptographic controls for protection of information shall be developed and implemented. link 17
New_Zealand_ISM 14.5.8.C.01 New_Zealand_ISM_14.5.8.C.01 New_Zealand_ISM_14.5.8.C.01 14. Software security 14.5.8.C.01 Web applications n/a Agencies SHOULD follow the documentation provided in the Open Web Application Security Project guide to building secure Web applications and Web services. 18
NIST_SP_800-171_R2_3 .13.8 NIST_SP_800-171_R2_3.13.8 NIST SP 800-171 R2 3.13.8 System and Communications Protection Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. Shared Microsoft and the customer share responsibilities for implementing this requirement. This requirement applies to internal and external networks and any system components that can transmit information including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines. Communication paths outside the physical protection of controlled boundaries are susceptible to both interception and modification. Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of the controls for transmission confidentiality. In such situations, organizations determine what types of confidentiality services are available in commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary safeguards and assurances of the effectiveness of the safeguards through appropriate contracting vehicles, organizations implement compensating safeguards or explicitly accept the additional risk. An example of an alternative physical safeguard is a protected distribution system (PDS) where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted. See [NIST CRYPTO]. link 16
NIST_SP_800-53_R4 SC-8 NIST_SP_800-53_R4_SC-8 NIST SP 800-53 Rev. 4 SC-8 System And Communications Protection Transmission Confidentiality And Integrity Shared n/a The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information. Supplemental Guidance: This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and/or integrity of organizational information can be accomplished by physical means (e.g., by employing physical distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality/integrity. In such situations, organizations determine what types of confidentiality/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk. Related controls: AC-17, PE-4. References: FIPS Publications 140-2, 197; NIST Special Publications 800-52, 800-77, 800-81, 800-113; CNSS Policy 15; NSTISSI No. 7003. link 15
NIST_SP_800-53_R4 SC-8(1) NIST_SP_800-53_R4_SC-8(1) NIST SP 800-53 Rev. 4 SC-8 (1) System And Communications Protection Cryptographic Or Alternate Physical Protection Shared n/a The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]. Supplemental Guidance: Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Alternative physical security safeguards include, for example, protected distribution systems. Related control: SC-13. link 14
NIST_SP_800-53_R5 SC-8 NIST_SP_800-53_R5_SC-8 NIST SP 800-53 Rev. 5 SC-8 System and Communications Protection Transmission Confidentiality and Integrity Shared n/a Protect the [Selection (OneOrMore): confidentiality;integrity] of transmitted information. link 15
NIST_SP_800-53_R5 SC-8(1) NIST_SP_800-53_R5_SC-8(1) NIST SP 800-53 Rev. 5 SC-8 (1) System and Communications Protection Cryptographic Protection Shared n/a Implement cryptographic mechanisms to [Selection (OneOrMore): prevent unauthorized disclosure of information;detect changes to information] during transmission. link 14
NL_BIO_Cloud_Theme U.05.1(2) NL_BIO_Cloud_Theme_U.05.1(2) NL_BIO_Cloud_Theme_U.05.1(2) U.05 Data protection Cryptographic measures n/a Data transport is secured with cryptography to the latest state of the art (in accordance with the Forum for Standardization), whereby the key management is carried out by the CSC itself if possible. 17
NL_BIO_Cloud_Theme U.11.1(2) NL_BIO_Cloud_Theme_U.11.1(2) NL_BIO_Cloud_Theme_U.11.1(2) U.11 Cryptoservices Policy n/a The cryptography policy includes at least the following topics: when cryptography is used; who is responsible for the implementation of cryptology; who is responsible for key management; which standards serve as a basis for cryptography and the way in which the standards of the Standardisation Forum are applied; the way in which the level of protection is determined; in the case of communication between organizations, the policy is determined among themselves. 18
NL_BIO_Cloud_Theme U.11.2(2) NL_BIO_Cloud_Theme_U.11.2(2) NL_BIO_Cloud_Theme_U.11.2(2) U.11 Cryptoservices Cryptographic measures n/a In the case of PKIoverheid certificates: apply the PKIoverheid requirements with regard to key management. In other situations: use the ISO 11770 standard for managing cryptographic keys. 18
NZ_ISM_v3.5 SS-9 NZ_ISM_v3.5_SS-9 NZISM Security Benchmark SS-9 Software security 14.5.8 Web applications Customer n/a The Open Web Application Security Project guide provides a comprehensive resource to consult when developing Web applications. link 12
NZISM_Security_Benchmark_v1.1 SS-9 NZISM_Security_Benchmark_v1.1_SS-9 NZISM Security Benchmark SS-9 Software security 14.5.8 Web applications Customer Agencies SHOULD follow the documentation provided in the Open Web Application Security Project guide to building secure Web applications and Web services. The Open Web Application Security Project guide provides a comprehensive resource to consult when developing Web applications. link 4
PCI_DSS_V3.2.1 3.4 PCI_DSS_v3.2.1_3.4 PCI DSS v3.2.1 3.4 Requirement 3 PCI DSS requirement 3.4 customer n/a n/a link 7
PCI_DSS_V3.2.1 4.1 PCI_DSS_v3.2.1_4.1 PCI DSS v3.2.1 4.1 Requirement 4 PCI DSS requirement 4.1 customer n/a n/a link 7
PCI_DSS_V3.2.1 6.5.3 PCI_DSS_v3.2.1_6.5.3 PCI DSS v3.2.1 6.5.3 Requirement 6 PCI DSS requirement 6.5.3 shared n/a n/a link 7
PCI_DSS_v4.0 3.5.1 PCI_DSS_v4.0_3.5.1 PCI DSS v4.0 3.5.1 Requirement 03: Protect Stored Account Data Primary account number (PAN) is secured wherever it is stored Shared n/a PAN is rendered unreadable anywhere it is stored by using any of the following approaches: • One-way hashes based on strong cryptography of the entire PAN. • Truncation (hashing cannot be used to replace the truncated segment of PAN). – If hashed and truncated versions of the same PAN, or different truncation formats of the same PAN, are present in an environment, additional controls are in place such that the different versions cannot be correlated to reconstruct the original PAN. • Index tokens. • Strong cryptography with associated keymanagement processes and procedures. link 11
PCI_DSS_v4.0 6.2.4 PCI_DSS_v4.0_6.2.4 PCI DSS v4.0 6.2.4 Requirement 06: Develop and Maintain Secure Systems and Software Bespoke and custom software are developed securely Shared n/a Software engineering techniques or other methods are defined and in use for bespoke and custom software by software development personnel to prevent or mitigate common software attacks and related vulnerabilities, including but not limited to the following: • Injection attacks, including SQL, LDAP, XPath, or other command, parameter, object, fault, or injection-type flaws. • Attacks on data and data structures, including attempts to manipulate buffers, pointers, input data, or shared data. • Attacks on cryptography usage, including attempts to exploit weak, insecure, or inappropriate cryptographic implementations, algorithms, cipher suites, or modes of operation. • Attacks on business logic, including attempts to abuse or bypass application features and functionalities through the manipulation of APIs, communication protocols and channels, clientside functionality, or other system/application functions and resources. This includes cross-site scripting (XSS) and cross-site request forgery (CSRF). • Attacks on access control mechanisms, including attempts to bypass or abuse identification, authentication, or authorization mechanisms, or attempts to exploit weaknesses in the implementation of such mechanisms. • Attacks via any “high-risk” vulnerabilities identified in the vulnerability identification process, as defined in Requirement 6.3.1. link 7
RBI_CSF_Banks_v2016 10.1 RBI_CSF_Banks_v2016_10.1 Secure Mail And Messaging Systems Secure Mail And Messaging Systems-10.1 n/a Implement secure mail and messaging systems, including those used by bank???s partners & vendors, that include measures to prevent email spoofing, identical mail domains, protection of attachments, malicious links etc 15
RBI_CSF_Banks_v2016 10.2 RBI_CSF_Banks_v2016_10.2 Secure Mail And Messaging Systems Secure Mail And Messaging Systems-10.2 n/a Document and implement emailserver specific controls 15
RBI_CSF_Banks_v2016 13.4 RBI_CSF_Banks_v2016_13.4 Advanced Real-Timethreat Defenceand Management Advanced Real-Timethreat Defenceand Management-13.4 n/a Consider implementingsecure web gateways with capability to deep scan network packets including secure (HTTPS, etc.) traffic passing through the web/internet gateway 41
RBI_ITF_NBFC_v2017 3.1.h RBI_ITF_NBFC_v2017_3.1.h RBI IT Framework 3.1.h Information and Cyber Security Public Key Infrastructure (PKI)-3.1 n/a The IS Policy must provide for a IS framework with the following basic tenets: Public Key Infrastructure (PKI) - NBFCs may increase the usage of PKI to ensure confidentiality of data, access control, data integrity, authentication and nonrepudiation. link 31
RMiT_v1.0 Appendix_5.3 RMiT_v1.0_Appendix_5.3 RMiT Appendix 5.3 Control Measures on Cybersecurity Control Measures on Cybersecurity - Appendix 5.3 Customer n/a Update security standards and protocols for web services encryption regularly. Disable support of weak ciphers and protocol in web-facing applications. link 7
SOC_2 CC6.1 SOC_2_CC6.1 SOC 2 Type 2 CC6.1 Logical and Physical Access Controls Logical access security software, infrastructure, and architectures Shared The customer is responsible for implementing this recommendation. The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion: • Identifies and Manages the Inventory of Information Assets — The entity identifies, Page 29 TSP Ref. # TRUST SERVICES CRITERIA AND POINTS OF FOCUS inventories, classifies, and manages information assets. • Restricts Logical Access — Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets. • Identifies and Authenticates Users — Persons, infrastructure, and software are identified and authenticated prior to accessing information assets, whether locally or remotely. • Considers Network Segmentation — Network segmentation permits unrelated portions of the entity's information system to be isolated from each other. • Manages Points of Access — Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed. • Restricts Access to Information Assets — Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets. • Manages Identification and Authentication — Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure, and software. • Manages Credentials for Infrastructure and Software — New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use. • Uses Encryption to Protect Data — The entity uses encryption to supplement other measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk. • Protects Encryption Keys — Processes are in place to protect encryption keys during generation, storage, use, and destruction 78
SOC_2 CC6.6 SOC_2_CC6.6 SOC 2 Type 2 CC6.6 Logical and Physical Access Controls Security measures against threats outside system boundaries Shared The customer is responsible for implementing this recommendation. • Restricts Access — The types of activities that can occur through a communication channel (for example, FTP site, router port) are restricted. • Protects Identification and Authentication Credentials — Identification and authentication credentials are protected during transmission outside its system boundaries. • Requires Additional Authentication or Credentials — Additional authentication information or credentials are required when accessing the system from outside its boundaries. • Implements Boundary Protection Systems — Boundary protection systems (for example, firewalls, demilitarized zones, and intrusion detection systems) are implemented to protect external access points from attempts and unauthorized access and are monitored to detect such attempts 40
SOC_2 CC6.7 SOC_2_CC6.7 SOC 2 Type 2 CC6.7 Logical and Physical Access Controls Restrict the movement of information to authorized users Shared The customer is responsible for implementing this recommendation. • Restricts the Ability to Perform Transmission — Data loss prevention processes and technologies are used to restrict ability to authorize and execute transmission, movement, and removal of information. • Uses Encryption Technologies or Secure Communication Channels to Protect Data — Encryption technologies or secured communication channels are used to protect transmission of data and other communications beyond connectivity access points. • Protects Removal Media — Encryption technologies and physical asset protections are used for removable media (such as USB drives and backup tapes), as appropriate. • Protects Mobile Devices — Processes are in place to protect mobile devices (such as laptops, smart phones, and tablets) that serve as information assets 29
SWIFT_CSCF_v2021 2.1 SWIFT_CSCF_v2021_2.1 SWIFT CSCF v2021 2.1 Reduce Attack Surface and Vulnerabilities Internal Data Flow Security n/a Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related applications. link 14
SWIFT_CSCF_v2021 2.4A SWIFT_CSCF_v2021_2.4A SWIFT CSCF v2021 2.4A Reduce Attack Surface and Vulnerabilities Back-office Data Flow Security n/a Ensure the confidentiality, integrity, and mutual authenticity of data flows between local or remote SWIFT infrastructure components and the back office first hops they connect to. link 7
SWIFT_CSCF_v2021 2.5A SWIFT_CSCF_v2021_2.5A SWIFT CSCF v2021 2.5A Reduce Attack Surface and Vulnerabilities External Transmission Data Protection n/a Protect the confidentiality of SWIFT-related data transmitted or stored outside of the secure zone as part of operational processes. link 11
U.05.1 - Cryptographic measures U.05.1 - Cryptographic measures 404 not found n/a n/a 17
U.11.1 - Policy U.11.1 - Policy 404 not found n/a n/a 18
U.11.2 - Cryptographic measures U.11.2 - Cryptographic measures 404 not found n/a n/a 18
UK_NCSC_CSP 1 UK_NCSC_CSP_1 UK NCSC CSP 1 Data in transit protection Data in transit protection Shared n/a User data transiting networks should be adequately protected against tampering and eavesdropping. link 5
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
[Deprecated]: Azure Security Benchmark v1 42a694ed-f65e-42b2-aa9e-8052e9740a92 Regulatory Compliance Deprecated BuiltIn
[Deprecated]: Azure Security Benchmark v2 bb522ac1-bc39-4957-b194-429bcd3bcb0b Regulatory Compliance Deprecated BuiltIn
[Deprecated]: DoD Impact Level 4 8d792a84-723c-4d92-a3c3-e4ed16a2d133 Regulatory Compliance Deprecated BuiltIn
[Deprecated]: New Zealand ISM Restricted d1a462af-7e6d-4901-98ac-61570b4ed22a Regulatory Compliance Deprecated BuiltIn
[Deprecated]: New Zealand ISM Restricted v3.5 93d2179e-3068-c82f-2428-d614ae836a04 Regulatory Compliance Deprecated BuiltIn
[Preview]: Australian Government ISM PROTECTED 27272c0b-c225-4cc3-b8b0-f2534b093077 Regulatory Compliance Preview BuiltIn
[Preview]: CMMC 2.0 Level 2 4e50fd13-098b-3206-61d6-d1d78205cb45 Regulatory Compliance Preview BuiltIn
[Preview]: Control the use of App Service in a Virtual Enclave 528d78c5-246c-4f26-ade6-d30798705411 VirtualEnclaves Preview BuiltIn
[Preview]: Reserve Bank of India - IT Framework for Banks d0d5578d-cc08-2b22-31e3-f525374f235a Regulatory Compliance Preview BuiltIn
[Preview]: Reserve Bank of India - IT Framework for NBFC 7f89f09c-48c1-f28d-1bd5-84f3fb22f86c Regulatory Compliance Preview BuiltIn
[Preview]: SWIFT CSP-CSCF v2020 3e0c67fc-8c7c-406c-89bd-6b6bdc986a22 Regulatory Compliance Preview BuiltIn
[Preview]: SWIFT CSP-CSCF v2021 abf84fac-f817-a70c-14b5-47eec767458a Regulatory Compliance Preview BuiltIn
Canada Federal PBMM 4c4a5f27-de81-430b-b4e5-9cbd50595a87 Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.3.0 612b5213-9160-4969-8578-1518bd2a000c Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.4.0 c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v2.0.0 06f19060-9e68-4070-92ca-f15cc126059e Regulatory Compliance GA BuiltIn
CMMC Level 3 b5629c75-5c77-4422-87b9-2509e680f8de Regulatory Compliance GA BuiltIn
Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit Enforce-EncryptTransit_20240509 Encryption GA ALZ
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
IRS1075 September 2016 105e0327-6175-4eb2-9af4-1fba43bdb39d Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
Microsoft cloud security benchmark 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 Security Center GA BuiltIn
New Zealand ISM 4f5b1359-4f8e-4d7c-9733-ea47fcde891e Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
NL BIO Cloud Theme 6ce73208-883e-490f-a2ac-44aac3b3687f Regulatory Compliance GA BuiltIn
NL BIO Cloud Theme V2 d8b2ffbe-c6a8-4622-965d-4ade11d1d2ee Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
PCI v3.2.1:2018 496eeda9-8f2f-4d5e-8dfd-204f0a92ed41 Regulatory Compliance GA BuiltIn
RMIT Malaysia 97a6d4f1-3bed-4cf4-ac5b-0e444c0408d6 Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
UK OFFICIAL and UK NHS 3937f550-eedd-4639-9c5e-294358be442e Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-10-07 16:34:28 change Major (3.0.0 > 4.0.0)
2022-08-26 16:33:38 change Major (2.0.0 > 3.0.0)
2022-06-07 16:30:19 change Major (1.0.0 > 2.0.0)
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC