AzPolicyAdvertizer

last sync: 2024-Nov-25 18:54:24 UTC

Implement a penetration testing methodology | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source

Azure Portal

Display name

Implement a penetration testing methodology

c2eabc28-1e5c-78a2-a712-7cc176c44c07

Version

1.1.0
Details on versioning

Versioning

Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]

Category

Regulatory Compliance
Microsoft Learn

Description

CMA_0306 - Implement a penetration testing methodology

Additional metadata

Name/Id: CMA_0306 / CMA_0306
Category: Operational
Title: Implement a penetration testing methodology
Ownership: Customer
Description: Microsoft recommends that your organization implement a penetration testing methodology that includes: - Industry-accepted penetration testing approaches - Coverage for the entire perimeter and critical systems - Testing from both inside and outside the network - Testing to validate any segmentation and scope-reduction controls at least every six months and after any changes to segmentation controls/methods - Testing for the presence of unprotected system information and artifacts that can pose threats and be exploited by attackers (i.e., network diagrams, configuration files, and past penetration test reports) - Application-layer penetration tests - Network-layer penetration tests to include components that support network functions as well as operating systems - Attempts to bypass or circumvent controls associated with physical access points to the facility - Retention of penetration testing results and remediation activities results - Review and consideration of threats and vulnerabilities experienced in the last 12 months - Documentation of test results in machine-readable standards and a scoring standard for comparison of results over time - Monitoring of penetration testing accounts to ensure they are being used for legitimate purposes and are removed or restored to the normal function after testing is completed. Microsoft recommends that your organization run vulnerability scanning and penetration testing in parallel. It is also recommended that your organization employ an independent penetration agent or penetration team to perform penetration testing on the information system or system components. Payment Card Industry regulations require internal and external penetration testing of the cardholder data environment (CDE) at least annually and after any significant infrastructure or application upgrades or modifications. It is recommended that your organization ensure that the outcome of the penetration testing exercise is documented and escalated in a timely manner to senior management to identify and monitor the implementation of relevant remedial actions.
Requirements: The customer is responsible for implementing this recommendation.

Mode

All

Type

BuiltIn

Preview

False

Deprecated

False

Effect

Default
Manual
Allowed
Manual, Disabled

RBAC role(s)

none

Rule aliases

none

Rule resource types

IF (1)
Microsoft.Resources/subscriptions

Compliance

The following 10 compliance controls are associated with this Policy definition 'Implement a penetration testing methodology' (c2eabc28-1e5c-78a2-a712-7cc176c44c07)

Control Domain	Control	Name	MetadataId	Category	Title	Owner	Requirements	Description	Info	Policy#
FedRAMP_High_R4	PE-13(1)	FedRAMP_High_R4_PE-13(1)	FedRAMP High PE-13 (1)	Physical And Environmental Protection	Detection Devices / Systems	Shared	n/a	The organization employs fire detection devices/systems for the information system that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire. Supplemental Guidance: Organizations can identify specific personnel, roles, and emergency responders in the event that individuals on the notification list must have appropriate access authorizations and/or clearances, for example, to obtain access to facilities where classified operations are taking place or where there are information systems containing classified information.	link	3
hipaa	1814.08d1Organizational.12-08.d	hipaa-1814.08d1Organizational.12-08.d	1814.08d1Organizational.12-08.d	18 Physical & Environmental Security	1814.08d1Organizational.12-08.d 08.01 Secure Areas	Shared	n/a	Fire extinguishers and detectors are installed according to applicable laws and regulations.		3
hipaa	1815.08d2Organizational.123-08.d	hipaa-1815.08d2Organizational.123-08.d	1815.08d2Organizational.123-08.d	18 Physical & Environmental Security	1815.08d2Organizational.123-08.d 08.01 Secure Areas	Shared	n/a	Fire prevention and suppression mechanisms, including workforce training, are provided.		3
hipaa	1818.08d3Organizational.3-08.d	hipaa-1818.08d3Organizational.3-08.d	1818.08d3Organizational.3-08.d	18 Physical & Environmental Security	1818.08d3Organizational.3-08.d 08.01 Secure Areas	Shared	n/a	Fire suppression and detection systems are supported by an independent energy source.		3
hipaa	1862.08d1Organizational.3-08.d	hipaa-1862.08d1Organizational.3-08.d	1862.08d1Organizational.3-08.d	18 Physical & Environmental Security	1862.08d1Organizational.3-08.d 08.01 Secure Areas	Shared	n/a	Fire authorities are automatically notified when a fire alarm is activated.		2
hipaa	1862.08d3Organizational.3	hipaa-1862.08d3Organizational.3	1862.08d3Organizational.3	18 Physical & Environmental Security	1862.08d3Organizational.3 08.01 Secure Areas	Shared	n/a	Fire authorities are automatically notified when a fire alarm is activated.		2
NIST_SP_800-53_R4	PE-13(1)	NIST_SP_800-53_R4_PE-13(1)	NIST SP 800-53 Rev. 4 PE-13 (1)	Physical And Environmental Protection	Detection Devices / Systems	Shared	n/a	The organization employs fire detection devices/systems for the information system that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire. Supplemental Guidance: Organizations can identify specific personnel, roles, and emergency responders in the event that individuals on the notification list must have appropriate access authorizations and/or clearances, for example, to obtain access to facilities where classified operations are taking place or where there are information systems containing classified information.	link	3
NIST_SP_800-53_R5	PE-13(1)	NIST_SP_800-53_R5_PE-13(1)	NIST SP 800-53 Rev. 5 PE-13 (1)	Physical and Environmental Protection	Detection Systems ??? Automatic Activation and Notification	Shared	n/a	Employ fire detection systems that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire.	link	3
SOC_2	A1.2	SOC_2_A1.2	SOC 2 Type 2 A1.2	Additional Criteria For Availability	Environmental protections, software, data back-up processes, and recovery infrastructure	Shared	The customer is responsible for implementing this recommendation.	Identifies Environmental Threats — As part of the risk assessment process, management identifies environmental threats that could impair the availability of the system, including threats resulting from adverse weather, failure of environmental control systems, electrical discharge, fire, and water. • Designs Detection Measures — Detection measures are implemented to identify anomalies that could result from environmental threat events. • Implements and Maintains Environmental Protection Mechanisms — Management implements and maintains environmental protection mechanisms to prevent and mitigate environmental events. • Implements Alerts to Analyze Anomalies — Management implements alerts that are communicated to personnel for analysis to identify environmental threat events. • Responds to Environmental Threat Events — Procedures are in place for responding to environmental threat events and for evaluating the effectiveness of those policies and procedures on a periodic basis. This includes automatic mitigation systems (for example, uninterruptable power system and generator backup subsystem). • Communicates and Reviews Detected Environmental Threat Events — Detected environmental threat events are communicated to and reviewed by the individuals responsible for the management of the system and actions are taken, if necessary. • Determines Data Requiring Backup — Data is evaluated to determine whether backup is required. • Performs Data Backup — Procedures are in place for backing up data, monitoring to detect backup failures, and initiating corrective action when such failures occur. • Addresses Offsite Storage — Backup data is stored in a location at a distance from its principal storage location sufficient that the likelihood of a security or environmental threat event affecting both sets of data is reduced to an appropriate level. • Implements Alternate Processing Infrastructure — Measures are implemented for migrating processing to alternate infrastructure in the event normal processing infrastructure becomes unavailable.		13
SWIFT_CSCF_v2022	9.3	SWIFT_CSCF_v2022_9.3	SWIFT CSCF v2022 9.3	9. Ensure Availability through Resilience	Service bureaux must ensure that the service remains available for their customers in the event of a disturbance, a hazard, or an incident.	Shared	n/a	Service bureaux must ensure that the service remains available for their customers in the event of a disturbance, a hazard, or an incident.	link	7

Initiatives usage

Initiative DisplayName	Initiative Id	Initiative Category	State	Type
FedRAMP High	d5264498-16f4-418a-b659-fa7ef418175f	Regulatory Compliance	GA	BuiltIn
HITRUST/HIPAA	a169a624-5599-4385-a696-c8d643089fab	Regulatory Compliance	GA	BuiltIn
NIST SP 800-53 Rev. 4	cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f	Regulatory Compliance	GA	BuiltIn
NIST SP 800-53 Rev. 5	179d1daa-458f-4e47-8086-2a68d0d6c38f	Regulatory Compliance	GA	BuiltIn
SOC 2 Type 2	4054785f-702b-4a98-9215-009cbd58b141	Regulatory Compliance	GA	BuiltIn
SWIFT CSP-CSCF v2022	7bc7cd6c-4114-ff31-3cac-59be3157596d	Regulatory Compliance	GA	BuiltIn

History

Date/Time (UTC ymd) (i)	Change type	Change detail
2022-09-27 16:35:32	change	Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29	add	c2eabc28-1e5c-78a2-a712-7cc176c44c07

JSON compare

compare mode: version left: version right:

JSON

api-version=2021-06-01
EPAC