last sync: 2024-Nov-25 18:54:24 UTC

Microsoft Managed Control 1585 - Security Engineering Principles | Regulatory Compliance - System and Services Acquisition

Azure BuiltIn Policy definition

Source Azure Portal
Display name Microsoft Managed Control 1585 - Security Engineering Principles
Id d57f8732-5cdc-4cda-8d27-ab148e1f3a55
Version 1.0.0
Versioning Versions supported for Versioning: 0
Built-in Versioning [Preview]
Category Regulatory Compliance
Description Microsoft implements this System and Services Acquisition control
Additional metadata Name/Id: ACF1585 / Microsoft Managed Control 1585
Category: System and Services Acquisition
Title: Security Engineering Principles
Ownership: Customer, Microsoft
Description: The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.
Requirements: Azure has a mature Security Development Lifecycle (SDL) process that is followed for all engineering and development projects. The Microsoft SDL process includes the following phases, which implement standard security engineering principles across all of Microsoft’s online services’ systems:
* Phase 1: Requirements - The Requirements phase of the SDL includes the project inception—when the organization considers security and privacy at a foundational level—and a cost analysis—when determining if development and support costs for improving security and privacy are consistent with business needs. This phase also includes defining security roles and responsibilities and identifying individuals with these roles and responsibilities.
* Phase 2: Design - The Design phase is when the organization builds the plan for how to take the project through the rest of the SDL process—from implementation, to verification, to release. During the Design phase the organization establishes best practices to follow for this phase by way of functional and design specifications, and by performing risk analysis to identify threats and vulnerabilities in the software. TMA (Threat Model Analysis) is required to define all attack surfaces and their associated risks; all security gaps and risks are documented and analyzed. This security impact analysis results in dataflow documentation in order to identify all intended paths for information and potential attack vectors.
* Phase 3: Implementation - The Implementation phase is when the organization creates the documentation and tools the customer uses to make informed decisions about how to deploy the software securely. To this end, the Implementation phase is when the organization establishes development best practices to detect and remove security and privacy issues early in the development cycle.
Microsoft understands, observes, and implements the security requirements and considerations as outlined in IT Security Procedural Guide 09-48, Security Language for IT Acquisition Efforts, dated September 2009 for the information system consistent with the Azure offering’s requirements.
* Phase 4: Verification - During the Verification phase, the organization ensures that the code meets the security and privacy tenets established in the previous phases. This is done through security and privacy testing, and a security push—which is a team-wide focus on threat model updates, code review, testing, and thorough documentation review and edit. Additionally, service teams create a Security Incident Management document as part of their SDL requirements that outlines how security-specific incidents are addressed. A public release privacy review is also completed during the Verification phase.
* Phase 5: Release - The Release phase is when the organization prepares the software for consumption and prepares for what happens once the software is released. One of the core concepts in the Release phase is response planning—mapping out a plan of action, should any security or privacy vulnerabilities be discovered in the release—and this carries over to post-release, as well, in terms of response execution. To this end, a Final Security Review and a privacy review are required prior to release.
The SDL dashboard is used to monitor the progress of all engineering initiatives and controls the process to ensure that all steps are followed. The System Owner is responsible for ensuring that the SDL process is followed for all engineering initiatives associated with Azure.
Mode Indexed
Type Static
Preview False
Deprecated False
Effect Fixed
audit
RBAC role(s) none
Rule aliases none
Rule resource types IF (2)
Microsoft.Resources/subscriptions
Microsoft.Resources/subscriptions/resourceGroups
Compliance Not a Compliance control
Initiatives usage none
History none
JSON compare n/a
JSON
api-version=2021-06-01