compliance controls are associated with this Policy definition 'Virtual machines should be connected to an approved virtual network' (d416745a-506c-48b6-8ab1-83cb814bcaa3)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| Azure_Security_Benchmark_v1.0 |
1.1 |
Azure_Security_Benchmark_v1.0_1.1 |
Azure Security Benchmark 1.1 |
Network Security |
Protect resources using Network Security Groups or Azure Firewall on your Virtual Network |
Customer |
Ensure that all Virtual Network subnet deployments have a Network Security Group applied with network access controls specific to your application's trusted ports and sources. Use Azure Services with Private Link enabled, deploy the service inside your Vnet, or connect privately using Private Endpoints. For service specific requirements, please refer to the security recommendation for that specific service.
Alternatively, if you have a specific use case, requirements can be met by implementing Azure Firewall.
General Information on Private Link:
https://docs.microsoft.com/azure/private-link/private-link-overview
How to create a Virtual Network:
https://docs.microsoft.com/azure/virtual-network/quick-create-portal
How to create an NSG with a security configuration:
https://docs.microsoft.com/azure/virtual-network/tutorial-filter-network-traffic
How to deploy and configure Azure Firewall:
https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal |
n/a |
link |
20 |
| hipaa |
0805.01m1Organizational.12-01.m |
hipaa-0805.01m1Organizational.12-01.m |
0805.01m1Organizational.12-01.m |
08 Network Protection |
0805.01m1Organizational.12-01.m 01.04 Network Access Control |
Shared |
n/a |
The organization's security gateways (e.g., firewalls) (i) enforce security policies; (ii) are configured to filter traffic between domains; (iii) block unauthorized access; (iv) are used to maintain segregation between internal wired, internal wireless, and external network segments (e.g., the Internet), including DMZs; and, (vi) enforce access control policies for each of the domains. |
|
12 |
| hipaa |
0806.01m2Organizational.12356-01.m |
hipaa-0806.01m2Organizational.12356-01.m |
0806.01m2Organizational.12356-01.m |
08 Network Protection |
0806.01m2Organizational.12356-01.m 01.04 Network Access Control |
Shared |
n/a |
The organization’s network is logically and physically segmented with a defined security perimeter and a graduated set of controls, including subnetworks for publicly accessible system components that are logically separated from the internal network, based on organizational requirements; traffic is controlled based on functionality required and classification of the data/systems based on a risk assessment and their respective security requirements. |
|
13 |
| hipaa |
0809.01n2Organizational.1234-01.n |
hipaa-0809.01n2Organizational.1234-01.n |
0809.01n2Organizational.1234-01.n |
08 Network Protection |
0809.01n2Organizational.1234-01.n 01.04 Network Access Control |
Shared |
n/a |
Network traffic is controlled in accordance with the organization’s access control policy through firewall and other network-related restrictions for each network access point or external telecommunication service's managed interface. |
|
17 |
| hipaa |
0810.01n2Organizational.5-01.n |
hipaa-0810.01n2Organizational.5-01.n |
0810.01n2Organizational.5-01.n |
08 Network Protection |
0810.01n2Organizational.5-01.n 01.04 Network Access Control |
Shared |
n/a |
Transmitted information is secured and, at a minimum, encrypted over open, public networks. |
|
16 |
| hipaa |
0811.01n2Organizational.6-01.n |
hipaa-0811.01n2Organizational.6-01.n |
0811.01n2Organizational.6-01.n |
08 Network Protection |
0811.01n2Organizational.6-01.n 01.04 Network Access Control |
Shared |
n/a |
Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need. |
|
23 |
| hipaa |
0812.01n2Organizational.8-01.n |
hipaa-0812.01n2Organizational.8-01.n |
0812.01n2Organizational.8-01.n |
08 Network Protection |
0812.01n2Organizational.8-01.n 01.04 Network Access Control |
Shared |
n/a |
Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources. |
|
12 |
| hipaa |
0814.01n1Organizational.12-01.n |
hipaa-0814.01n1Organizational.12-01.n |
0814.01n1Organizational.12-01.n |
08 Network Protection |
0814.01n1Organizational.12-01.n 01.04 Network Access Control |
Shared |
n/a |
The ability of users to connect to the internal network is restricted using a deny-by-default and allow-by-exception policy at managed interfaces according to the access control policy and the requirements of its business applications. |
|
11 |
| hipaa |
0894.01m2Organizational.7-01.m |
hipaa-0894.01m2Organizational.7-01.m |
0894.01m2Organizational.7-01.m |
08 Network Protection |
0894.01m2Organizational.7-01.m 01.04 Network Access Control |
Shared |
n/a |
Networks are segregated from production-level networks when migrating physical servers, applications, or data to virtualized servers. |
|
19 |
| RMiT_v1.0 |
10.33 |
RMiT_v1.0_10.33 |
RMiT 10.33 |
Network Resilience |
Network Resilience - 10.33 |
Shared |
n/a |
A financial institution must design a reliable, scalable and secure enterprise network that is able to support its business activities, including future growth plans. |
link |
27 |