AzPolicyAdvertizer

last sync: 2024-Nov-25 18:54:24 UTC

Authorize remote access | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Authorize remote access
Id dad8a2e9-6f27-4fc2-8933-7e99fe700c9c
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_0024 - Authorize remote access
Additional metadata Name/Id: CMA_0024 / CMA_0024
Category: Operational
Title: Authorize remote access
Ownership: Customer
Description: Your organization should consider creating and maintaining remote access policies and standard operating procedures. Consider including: - Details about your organization's remote user account creation and management process - Authorization and monitoring of remote access - Mechanisms to expeditiously disconnect or disable remote access to information systems within a timely period - Multifactor authentication for privileged and non-privileged accounts remote access, such that one of the factors is provided by a device separate from the system being accessed - Minimum security requirements for devices allowed to connect remotely - Restrictions to remote access, such as from the defined and approved lists of IP's and devices associated with specific users - Controls to restrict direct remote access to systems which are critical and separate from other environments Microsoft also recommends that your organization manage remote access on dedicated management consoles governed by strict security policies and used exclusively for this purpose. **How to Use Microsoft Solutions to Implement** Your organization can use **Remote Desktop Service** and **Azure AD Application Proxy** to publish on-premises applications to your users, including implementing two-step verification and Conditional Access controls. [Launch Now](https://aka.ms/AAa0bd5) **Learn More** [Publish Remote Desktop with Azure AD Application Proxy](https://aka.ms/AA9xped)
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 61 compliance controls are associated with this Policy definition 'Authorize remote access' (dad8a2e9-6f27-4fc2-8933-7e99fe700c9c)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
CIS_Azure_1.1.0 1.22 CIS_Azure_1.1.0_1.22 CIS Microsoft Azure Foundations Benchmark recommendation 1.22 1 Identity and Access Management Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' Shared The customer is responsible for implementing this recommendation. Joining devices to the active directory should require Multi-factor authentication. link 8
CIS_Azure_1.3.0 1.20 CIS_Azure_1.3.0_1.20 CIS Microsoft Azure Foundations Benchmark recommendation 1.20 1 Identity and Access Management Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' Shared The customer is responsible for implementing this recommendation. Joining devices to the active directory should require Multi-factor authentication. link 8
CIS_Azure_1.3.0 1.22 CIS_Azure_1.3.0_1.22 CIS Microsoft Azure Foundations Benchmark recommendation 1.22 1 Identity and Access Management Ensure Security Defaults is enabled on Azure Active Directory Shared The customer is responsible for implementing this recommendation. Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security-enabled at no extra cost. You turn on security defaults in the Azure portal. link 9
CIS_Azure_1.4.0 1.19 CIS_Azure_1.4.0_1.19 CIS Microsoft Azure Foundations Benchmark recommendation 1.19 1 Identity and Access Management Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' Shared The customer is responsible for implementing this recommendation. Joining or registering devices to the active directory should require Multi-factor authentication. link 8
CIS_Azure_1.4.0 1.21 CIS_Azure_1.4.0_1.21 CIS Microsoft Azure Foundations Benchmark recommendation 1.21 1 Identity and Access Management Ensure Security Defaults is enabled on Azure Active Directory Shared The customer is responsible for implementing this recommendation. Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security-enabled at no extra cost. You turn on security defaults in the Azure portal. link 9
CIS_Azure_2.0.0 1.1.1 CIS_Azure_2.0.0_1.1.1 CIS Microsoft Azure Foundations Benchmark recommendation 1.1.1 1.1 Ensure Security Defaults is enabled on Azure Active Directory Shared This recommendation should be implemented initially and then may be overridden by other service/product specific CIS Benchmarks. Administrators should also be aware that certain configurations in Azure Active Directory may impact other Microsoft services such as Microsoft 365. Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Security defaults is available to everyone. The goal is to ensure that all organizations have a basic level of security enabled at no extra cost. You may turn on security defaults in the Azure portal. Security defaults provide secure default settings that we manage on behalf of organizations to keep customers safe until they are ready to manage their own identity security settings. For example, doing the following: - Requiring all users and admins to register for MFA. - Challenging users with MFA - when necessary, based on factors such as location, device, role, and task. - Disabling authentication from legacy authentication clients, which can’t do MFA. link 9
CIS_Azure_2.0.0 1.22 CIS_Azure_2.0.0_1.22 CIS Microsoft Azure Foundations Benchmark recommendation 1.22 1 Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' Shared A slight impact of additional overhead, as Administrators will now have to approve every access to the domain. Joining or registering devices to the active directory should require Multi-factor authentication. Multi-factor authentication is recommended when adding devices to Azure AD. When set to `Yes`, users who are adding devices from the internet must first use the second method of authentication before their device is successfully added to the directory. This ensures that rogue devices are not added to the domain using a compromised user account. _Note:_ Some Microsoft documentation suggests to use conditional access policies for joining a domain from certain whitelisted networks or devices. Even with these in place, using Multi-Factor Authentication is still recommended, as it creates a process for review before joining the domain. link 8
FedRAMP_High_R4 AC-17 FedRAMP_High_R4_AC-17 FedRAMP High AC-17 Access Control Remote Access Shared n/a The organization: a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorizes remote access to the information system prior to allowing such connections. Supplemental Guidance: Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3. Related controls: AC-2, AC-3, AC-18, AC-19, AC-20, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4. References: NIST Special Publications 800-46, 800-77, 800-113, 800-114, 800-121. link 41
FedRAMP_High_R4 AC-17(4) FedRAMP_High_R4_AC-17(4) FedRAMP High AC-17 (4) Access Control Privileged Commands / Access Shared n/a The organization: (a) Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and (b) Documents the rationale for such access in the security plan for the information system. Supplemental Guidance: Related control: AC-6. link 5
FedRAMP_High_R4 SC-2 FedRAMP_High_R4_SC-2 FedRAMP High SC-2 System And Communications Protection Application Partitioning Shared n/a The information system separates user functionality (including user interface services) from information system management functionality. Supplemental Guidance: Information system management functionality includes, for example, functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from information system management functionality is either physical or logical. Organizations implement separation of system management-related functionality from user functionality by using different computers, different central processing units, different instances of operating systems, different network addresses, virtualization techniques, or combinations of these or other methods, as appropriate. This type of separation includes, for example, web administrative interfaces that use separate authentication methods for users of any other information system resources. Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls. Related controls: SA-4, SA-8, SC-3. References: None. link 3
FedRAMP_Moderate_R4 AC-17 FedRAMP_Moderate_R4_AC-17 FedRAMP Moderate AC-17 Access Control Remote Access Shared n/a The organization: a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorizes remote access to the information system prior to allowing such connections. Supplemental Guidance: Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3. Related controls: AC-2, AC-3, AC-18, AC-19, AC-20, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4. References: NIST Special Publications 800-46, 800-77, 800-113, 800-114, 800-121. link 41
FedRAMP_Moderate_R4 AC-17(4) FedRAMP_Moderate_R4_AC-17(4) FedRAMP Moderate AC-17 (4) Access Control Privileged Commands / Access Shared n/a The organization: (a) Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and (b) Documents the rationale for such access in the security plan for the information system. Supplemental Guidance: Related control: AC-6. link 5
FedRAMP_Moderate_R4 SC-2 FedRAMP_Moderate_R4_SC-2 FedRAMP Moderate SC-2 System And Communications Protection Application Partitioning Shared n/a The information system separates user functionality (including user interface services) from information system management functionality. Supplemental Guidance: Information system management functionality includes, for example, functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from information system management functionality is either physical or logical. Organizations implement separation of system management-related functionality from user functionality by using different computers, different central processing units, different instances of operating systems, different network addresses, virtualization techniques, or combinations of these or other methods, as appropriate. This type of separation includes, for example, web administrative interfaces that use separate authentication methods for users of any other information system resources. Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls. Related controls: SA-4, SA-8, SC-3. References: None. link 3
hipaa 0208.09j2Organizational.7-09.j hipaa-0208.09j2Organizational.7-09.j 0208.09j2Organizational.7-09.j 02 Endpoint Protection 0208.09j2Organizational.7-09.j 09.04 Protection Against Malicious and Mobile Code Shared n/a User functionality (including user interface services [e.g., web services]) is separated from information system management (e.g., database management systems) functionality. 4
hipaa 0817.01w2System.123-01.w hipaa-0817.01w2System.123-01.w 0817.01w2System.123-01.w 08 Network Protection 0817.01w2System.123-01.w 01.06 Application and Information Access Control Shared n/a Unless the risk is identified and accepted by the data owner, sensitive systems are isolated (physically or logically) from non-sensitive applications/systems. 13
hipaa 0902.09s2Organizational.13-09.s hipaa-0902.09s2Organizational.13-09.s 0902.09s2Organizational.13-09.s 09 Transmission Protection 0902.09s2Organizational.13-09.s 09.08 Exchange of Information Shared n/a Remote (external) access to the organization's information assets and access to external information assets (for which the organization has no control) is based on clearly defined terms and conditions. 14
hipaa 0912.09s1Organizational.4-09.s hipaa-0912.09s1Organizational.4-09.s 0912.09s1Organizational.4-09.s 09 Transmission Protection 0912.09s1Organizational.4-09.s 09.08 Exchange of Information Shared n/a Cryptography is used to protect the confidentiality and integrity of remote access sessions to the internal network and to external systems. 9
hipaa 1118.01j2Organizational.124-01.j hipaa-1118.01j2Organizational.124-01.j 1118.01j2Organizational.124-01.j 11 Access Control 1118.01j2Organizational.124-01.j 01.04 Network Access Control Shared n/a The organization has implemented encryption (e.g., VPN solutions or private lines) and logs remote access to the organization's network by employees, contractors, or third-party. 9
hipaa 1121.01j3Organizational.2-01.j hipaa-1121.01j3Organizational.2-01.j 1121.01j3Organizational.2-01.j 11 Access Control 1121.01j3Organizational.2-01.j 01.04 Network Access Control Shared n/a Remote administration sessions are authorized, encrypted, and employ increased security measures. 11
hipaa 1179.01j3Organizational.1-01.j hipaa-1179.01j3Organizational.1-01.j 1179.01j3Organizational.1-01.j 11 Access Control 1179.01j3Organizational.1-01.j 01.04 Network Access Control Shared n/a The information system monitors and controls remote access methods. 7
hipaa 1785.10a1Organizational.8-10.a hipaa-1785.10a1Organizational.8-10.a 1785.10a1Organizational.8-10.a 17 Risk Management 1785.10a1Organizational.8-10.a 10.01 Security Requirements of Information Systems Shared n/a Where additional functionality is supplied and causes a security risk, the functionality is disabled or mitigated through application of additional controls. 5
ISO27001-2013 A.13.1.1 ISO27001-2013_A.13.1.1 ISO 27001:2013 A.13.1.1 Communications Security Network controls Shared n/a Networks shall be managed and controlled to protect information in systems and applications. link 40
ISO27001-2013 A.13.1.3 ISO27001-2013_A.13.1.3 ISO 27001:2013 A.13.1.3 Communications Security Segregation of networks Shared n/a Groups of information services, users, and information systems shall be segregated on networks. link 17
ISO27001-2013 A.13.2.1 ISO27001-2013_A.13.2.1 ISO 27001:2013 A.13.2.1 Communications Security Information transfer policies and procedures Shared n/a Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities. link 32
ISO27001-2013 A.14.1.2 ISO27001-2013_A.14.1.2 ISO 27001:2013 A.14.1.2 System Acquisition, Development And Maintenance Securing application services on public networks Shared n/a Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. link 32
ISO27001-2013 A.14.1.3 ISO27001-2013_A.14.1.3 ISO 27001:2013 A.14.1.3 System Acquisition, Development And Maintenance Protecting application services transactions Shared n/a Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. link 29
ISO27001-2013 A.6.2.1 ISO27001-2013_A.6.2.1 ISO 27001:2013 A.6.2.1 Organization of Information Security Mobile device policy Shared n/a A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices. link 13
ISO27001-2013 A.6.2.2 ISO27001-2013_A.6.2.2 ISO 27001:2013 A.6.2.2 Organization of Information Security Teleworking Shared n/a A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites. link 16
mp.com.2 Protection of confidentiality mp.com.2 Protection of confidentiality 404 not found n/a n/a 55
mp.com.3 Protection of integrity and authenticity mp.com.3 Protection of integrity and authenticity 404 not found n/a n/a 62
mp.com.4 Separation of information flows on the network mp.com.4 Separation of information flows on the network 404 not found n/a n/a 51
mp.eq.3 Protection of portable devices mp.eq.3 Protection of portable devices 404 not found n/a n/a 71
mp.eq.4 Other devices connected to the network mp.eq.4 Other devices connected to the network 404 not found n/a n/a 35
mp.info.2 Rating of information mp.info.2 Rating of information 404 not found n/a n/a 45
mp.info.3 Electronic signature mp.info.3 Electronic signature 404 not found n/a n/a 40
mp.info.4 Time stamps mp.info.4 Time stamps 404 not found n/a n/a 33
mp.s.2 Protection of web services and applications mp.s.2 Protection of web services and applications 404 not found n/a n/a 102
NIST_SP_800-171_R2_3 .1.15 NIST_SP_800-171_R2_3.1.15 NIST SP 800-171 R2 3.1.15 Access Control Authorize remote execution of privileged commands and remote access to security-relevant information. Shared Microsoft and the customer share responsibilities for implementing this requirement. A privileged command is a human-initiated (interactively or via a process operating on behalf of the human) command executed on a system involving the control, monitoring, or administration of the system including security functions and associated security-relevant information. Security-relevant information is any information within the system that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce the system security policy or maintain isolation of code and data. Privileged commands give individuals the ability to execute sensitive, security-critical, or security-relevant system functions. Controlling such access from remote locations helps to ensure that unauthorized individuals are not able to execute such commands freely with the potential to do serious or catastrophic damage to organizational systems. Note that the ability to affect the integrity of the system is considered security-relevant as that could enable the means to by-pass security functions although not directly impacting the function itself. link 5
NIST_SP_800-171_R2_3 .1.2 NIST_SP_800-171_R2_3.1.2 NIST SP 800-171 R2 3.1.2 Access Control Limit system access to the types of transactions and functions that authorized users are permitted to execute. Shared Microsoft and the customer share responsibilities for implementing this requirement. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades scheduled maintenance,) and mission or business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). link 31
NIST_SP_800-171_R2_3 .13.3 NIST_SP_800-171_R2_3.13.3 NIST SP 800-171 R2 3.13.3 System and Communications Protection Separate user functionality from system management functionality. Shared Microsoft and the customer share responsibilities for implementing this requirement. System management functionality includes functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from system management functionality is physical or logical. Organizations can implement separation of system management functionality from user functionality by using different computers, different central processing units, different instances of operating systems, or different network addresses; virtualization techniques; or combinations of these or other methods, as appropriate. This type of separation includes web administrative interfaces that use separate authentication methods for users of any other system resources. Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls. link 3
NIST_SP_800-53_R4 AC-17 NIST_SP_800-53_R4_AC-17 NIST SP 800-53 Rev. 4 AC-17 Access Control Remote Access Shared n/a The organization: a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorizes remote access to the information system prior to allowing such connections. Supplemental Guidance: Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3. Related controls: AC-2, AC-3, AC-18, AC-19, AC-20, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4. References: NIST Special Publications 800-46, 800-77, 800-113, 800-114, 800-121. link 41
NIST_SP_800-53_R4 AC-17(4) NIST_SP_800-53_R4_AC-17(4) NIST SP 800-53 Rev. 4 AC-17 (4) Access Control Privileged Commands / Access Shared n/a The organization: (a) Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and (b) Documents the rationale for such access in the security plan for the information system. Supplemental Guidance: Related control: AC-6. link 5
NIST_SP_800-53_R4 SC-2 NIST_SP_800-53_R4_SC-2 NIST SP 800-53 Rev. 4 SC-2 System And Communications Protection Application Partitioning Shared n/a The information system separates user functionality (including user interface services) from information system management functionality. Supplemental Guidance: Information system management functionality includes, for example, functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from information system management functionality is either physical or logical. Organizations implement separation of system management-related functionality from user functionality by using different computers, different central processing units, different instances of operating systems, different network addresses, virtualization techniques, or combinations of these or other methods, as appropriate. This type of separation includes, for example, web administrative interfaces that use separate authentication methods for users of any other information system resources. Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls. Related controls: SA-4, SA-8, SC-3. References: None. link 3
NIST_SP_800-53_R5 AC-17 NIST_SP_800-53_R5_AC-17 NIST SP 800-53 Rev. 5 AC-17 Access Control Remote Access Shared n/a a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorize each type of remote access to the system prior to allowing such connections. link 41
NIST_SP_800-53_R5 AC-17(4) NIST_SP_800-53_R5_AC-17(4) NIST SP 800-53 Rev. 5 AC-17 (4) Access Control Privileged Commands and Access Shared n/a (a) Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: [Assignment: organization-defined needs]; and (b) Document the rationale for remote access in the security plan for the system. link 5
NIST_SP_800-53_R5 SC-2 NIST_SP_800-53_R5_SC-2 NIST SP 800-53 Rev. 5 SC-2 System and Communications Protection Separation of System and User Functionality Shared n/a Separate user functionality, including user interface services, from system management functionality. link 3
op.acc.6 Authentication mechanism (organization users) op.acc.6 Authentication mechanism (organization users) 404 not found n/a n/a 78
op.ext.4 Interconnection of systems op.ext.4 Interconnection of systems 404 not found n/a n/a 68
op.mon.1 Intrusion detection op.mon.1 Intrusion detection 404 not found n/a n/a 50
op.pl.2 Security Architecture op.pl.2 Security Architecture 404 not found n/a n/a 65
op.pl.3 Acquisition of new components op.pl.3 Acquisition of new components 404 not found n/a n/a 61
org.2 Security regulations org.2 Security regulations 404 not found n/a n/a 100
org.3 Security procedures org.3 Security procedures 404 not found n/a n/a 83
PCI_DSS_v4.0 1.5.1 PCI_DSS_v4.0_1.5.1 PCI DSS v4.0 1.5.1 Requirement 01: Install and Maintain Network Security Controls Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated Shared n/a Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks (including the Internet) and the CDE as follows: • Specific configuration settings are defined to prevent threats being introduced into the entity’s network. • Security controls are actively running. • Security controls are not alterable by users of the computing devices unless specifically documented and authorized by management on a case-by-case basis for a limited period. link 5
PCI_DSS_v4.0 8.4.2 PCI_DSS_v4.0_8.4.2 PCI DSS v4.0 8.4.2 Requirement 08: Identify Users and Authenticate Access to System Components Multi-factor authentication (MFA) is implemented to secure access into the CDE Shared n/a MFA is implemented for all access into the CDE. link 8
PCI_DSS_v4.0 8.4.3 PCI_DSS_v4.0_8.4.3 PCI DSS v4.0 8.4.3 Requirement 08: Identify Users and Authenticate Access to System Components Multi-factor authentication (MFA) is implemented to secure access into the CDE Shared n/a MFA is implemented for all remote network access originating from outside the entity’s network that could access or impact the CDE as follows: • All remote access by all personnel, both users and administrators, originating from outside the entity’s network. • All remote access by third parties and vendors. link 8
PCI_DSS_v4.0 8.5.1 PCI_DSS_v4.0_8.5.1 PCI DSS v4.0 8.5.1 Requirement 08: Identify Users and Authenticate Access to System Components Multi-factor authentication (MFA) systems are configured to prevent misuse Shared n/a MFA systems are implemented as follows: • The MFA system is not susceptible to replay attacks. • MFA systems cannot be bypassed by any users, including administrative users unless specifically documented, and authorized by management on an exception basis, for a limited time period. • At least two different types of authentication factors are used. • Success of all authentication factors is required before access is granted. link 8
SOC_2 CC6.1 SOC_2_CC6.1 SOC 2 Type 2 CC6.1 Logical and Physical Access Controls Logical access security software, infrastructure, and architectures Shared The customer is responsible for implementing this recommendation. The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion: • Identifies and Manages the Inventory of Information Assets — The entity identifies, Page 29 TSP Ref. # TRUST SERVICES CRITERIA AND POINTS OF FOCUS inventories, classifies, and manages information assets. • Restricts Logical Access — Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets. • Identifies and Authenticates Users — Persons, infrastructure, and software are identified and authenticated prior to accessing information assets, whether locally or remotely. • Considers Network Segmentation — Network segmentation permits unrelated portions of the entity's information system to be isolated from each other. • Manages Points of Access — Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed. • Restricts Access to Information Assets — Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets. • Manages Identification and Authentication — Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure, and software. • Manages Credentials for Infrastructure and Software — New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use. • Uses Encryption to Protect Data — The entity uses encryption to supplement other measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk. • Protects Encryption Keys — Processes are in place to protect encryption keys during generation, storage, use, and destruction 78
SOC_2 CC6.6 SOC_2_CC6.6 SOC 2 Type 2 CC6.6 Logical and Physical Access Controls Security measures against threats outside system boundaries Shared The customer is responsible for implementing this recommendation. • Restricts Access — The types of activities that can occur through a communication channel (for example, FTP site, router port) are restricted. • Protects Identification and Authentication Credentials — Identification and authentication credentials are protected during transmission outside its system boundaries. • Requires Additional Authentication or Credentials — Additional authentication information or credentials are required when accessing the system from outside its boundaries. • Implements Boundary Protection Systems — Boundary protection systems (for example, firewalls, demilitarized zones, and intrusion detection systems) are implemented to protect external access points from attempts and unauthorized access and are monitored to detect such attempts 40
SWIFT_CSCF_v2022 1.4 SWIFT_CSCF_v2022_1.4 SWIFT CSCF v2022 1.4 1. Restrict Internet Access & Protect Critical Systems from General IT Environment Control/Protect Internet access from operator PCs and systems within the secure zone. Shared n/a All general-purpose and dedicated operator PCs, as well as systems within the secure zone, have controlled direct internet access in line with business. link 11
SWIFT_CSCF_v2022 2.6 SWIFT_CSCF_v2022_2.6 SWIFT CSCF v2022 2.6 2. Reduce Attack Surface and Vulnerabilities Protect the confidentiality and integrity of interactive operator sessions that connect to the local or remote (operated by a service provider) SWIFT infrastructure or service provider SWIFT-related applications Shared n/a The confidentiality and integrity of interactive operator sessions that connect to service provider SWIFT-related applications or into the secure zone are safeguarded. link 17
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
CIS Microsoft Azure Foundations Benchmark v1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.3.0 612b5213-9160-4969-8578-1518bd2a000c Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.4.0 c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v2.0.0 06f19060-9e68-4070-92ca-f15cc126059e Regulatory Compliance GA BuiltIn
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-02 16:33:37 add dad8a2e9-6f27-4fc2-8933-7e99fe700c9c
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC