Source | Azure Portal
Display name | Microsoft Managed Control 1503 - Information Security Architecture
Id | c1fa9c2f-d439-4ab9-8b83-81fb1934f81d
Version | 1.0.0
Versioning | Versions supported for Versioning: 0; Built-in Versioning [Preview]
Category | Regulatory Compliance
Description | Microsoft implements this Planning control
Additional metadata |
Name/Id: ACF1503 / Microsoft Managed Control 1503
Category: Planning
Title: Information Security Architecture - Describes Philosophy, Requirements, And Approach to Confidentiality, Integrity, And Availability
Ownership: Customer, Microsoft
Description: The organization develops an information security architecture for the information system that: describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information; describes how the information security architecture is integrated into and supports the enterprise architecture; and describes any information security assumptions about, and dependencies on, external services.
Requirements: Azure’s security architecture describes:
* The overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of data relevant to and stored within Azure
* The integration of Azure architecture into Azure’s Infrastructure architecture
* Assumptions about and dependencies on external services
Guidance for the development of the information system architecture for Azure is included in the Microsoft Security Program Policy (MSPP), MSP-08 Operations Security.

Documented Operating Procedures, Service Architecture, and Threat Modeling
Operating procedures for systems providing Microsoft’s services must also be formally documented, approved, and communicated, and should contain, at a minimum, those processes that impact the confidentiality, integrity, or availability of a system and critical data. Service architecture must be documented, and threat modeling is performed to identify security threats to the service and ensure adequate mitigations are in place. System operations staff must develop a security configuration baseline for systems and ensure that systems are implemented according to the approved security configuration baseline.

Anti-Malware Protection
All Microsoft information systems must be protected from malicious software and hardware. Microsoft staff must be made aware of the potential dangers resulting from circumvention of network controls, such as downloading files from unknown or untrusted sources or providing inappropriate access. Security incidents that occur must be logged, verified, retained, and secured, and appropriate corrective actions must be taken in response to these events.

Security Logging, Monitoring, and Reporting
System operations staff must implement monitoring technology and/or procedures to ensure timely detection of and response to security incidents. Audit logs must be examined in a timely manner, and all identified anomalies must be investigated for possible misuse or compromise. Any log event which indicates a potential violation of Microsoft’s Security Policy must be brought to the attention of the respective organization’s appropriate service team. System operations staff must ensure that key systems have appropriate logging enabled and securely transmit logs to a central collection point. Logs must be maintained for a specified period of time according to standards. Monitoring and reporting tools must be available and used to assess the security posture of Microsoft.

Change Control and Acceptance
An operational change control procedure must be in place for each operational service team within Microsoft. These procedures must include a process for organizational management review and approval. These change control procedures must be communicated to all parties (Microsoft and third parties) who perform system maintenance on or in any of Microsoft’s facilities. Acceptance criteria must be established by each security organization for new systems, upgrades to existing systems, and changes to processes to ensure services meet this security policy and any associated procedures and standards.

Security Vulnerabilities and Penetration Testing
To help prevent the risk of exposure to known security vulnerabilities, it is the responsibility of each Asset Owner to ensure their systems have the latest security-related patches. Systems operations staff must proactively monitor the information system assets for possible exposures. This monitoring must include scanning for known system vulnerabilities and penetration testing from outside as well as inside Microsoft’s environment. These activities must be scheduled and conducted in such a fashion as to minimize impact to the environment or organization. The frequency of scanning and penetration testing is determined by the sensitivity and criticality of the system.
Mode | Indexed
Type | Static
Preview | False
Deprecated | False
Effect | Fixed audit
RBAC role(s) | none
Rule aliases | none
Rule resource types | IF (2): Microsoft.Resources/subscriptions, Microsoft.Resources/subscriptions/resourceGroups
Compliance |
The following 1 compliance controls are associated with this Policy definition 'Microsoft Managed Control 1503 - Information Security Architecture' (c1fa9c2f-d439-4ab9-8b83-81fb1934f81d)
History | none
JSON compare | n/a