Compliance controls associated with the Policy definition 'Review label activity and analytics' (e23444b9-9662-40f3-289e-6d25c02b48fa)

Columns in each entry below: Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy#
Control Domain: CIS_Azure_1.3.0
Control: 7.1
Name: CIS_Azure_1.3.0_7.1
MetadataId: CIS Microsoft Azure Foundations Benchmark recommendation 7.1
Category: 7 Virtual Machines
Title: Ensure Virtual Machines are utilizing Managed Disks
Owner: Shared
Requirements: The customer is responsible for implementing this recommendation.
Description:
  Migrate BLOB-based VHDs to Managed Disks on Virtual Machines to exploit the default features of this configuration. The features include:
  1) Default Disk Encryption
  2) Resilience, as Microsoft will manage the disk storage and move it around if the underlying hardware goes faulty
  3) Reduction of costs over storage accounts
Info: link
Policy#: 4

Control Domain: CIS_Azure_1.4.0
Control: 7.1
Name: CIS_Azure_1.4.0_7.1
MetadataId: CIS Microsoft Azure Foundations Benchmark recommendation 7.1
Category: 7 Virtual Machines
Title: Ensure Virtual Machines are utilizing Managed Disks
Owner: Shared
Requirements: The customer is responsible for implementing this recommendation.
Description:
  Migrate BLOB-based VHDs to Managed Disks on Virtual Machines to exploit the default features of this configuration. The features include:
  1) Default Disk Encryption
  2) Resilience, as Microsoft will manage the disk storage and move it around if the underlying hardware goes faulty
  3) Reduction of costs over storage accounts
Info: link
Policy#: 4

Control Domain: CIS_Azure_2.0.0
Control: 7.2
Name: CIS_Azure_2.0.0_7.2
MetadataId: CIS Microsoft Azure Foundations Benchmark recommendation 7.2
Category: 7
Title: Ensure Virtual Machines are utilizing Managed Disks
Owner: Shared
Requirements: There are additional costs for managed disks based off of disk space allocated. When converting to managed disks, VMs will be powered off and back on.
Description:
  Migrate blob-based VHDs to Managed Disks on Virtual Machines to exploit the default features of this configuration. The features include:
  1) Default Disk Encryption
  2) Resilience, as Microsoft will manage the disk storage and move it around if the underlying hardware goes faulty
  3) Reduction of costs over storage accounts
  Managed disks are by default encrypted on the underlying hardware, so no additional encryption is required for basic protection. Additional encryption is available if required.
  Managed disks are by design more resilient than storage accounts.
  For ARM-deployed Virtual Machines, Azure Advisor will at some point recommend moving VHDs to managed disks from both a security and a cost management perspective.
Info: link
Policy#: 4
Control Domain: FedRAMP_High_R4
Control: RA-2
Name: FedRAMP_High_R4_RA-2
MetadataId: FedRAMP High RA-2
Category: Risk Assessment
Title: Security Categorization
Owner: Shared
Requirements: n/a
Description:
  The organization:
  a. Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
  b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and
  c. Ensures that the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative.
  Supplemental Guidance: Clearly defined authorization boundaries are a prerequisite for effective security categorization decisions. Security categories describe the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are compromised through a loss of confidentiality, integrity, or availability. Organizations conduct the security categorization process as an organization-wide activity with the involvement of chief information officers, senior information security officers, information system owners, mission/business owners, and information owners/stewards. Organizations also consider the potential adverse impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level adverse impacts. Security categorization processes carried out by organizations facilitate the development of inventories of information assets, and along with CM-8, mappings to specific information system components where information is processed, stored, or transmitted. Related controls: CM-8, MP-4, RA-3, SC-7.
  Control Enhancements: None.
  References: FIPS Publication 199; NIST Special Publications 800-30, 800-39, 800-60.
Info: link
Policy#: 4

Control Domain: FedRAMP_High_R4
Control: SI-12
Name: FedRAMP_High_R4_SI-12
MetadataId: FedRAMP High SI-12
Category: System And Information Integrity
Title: Information Handling And Retention
Owner: Shared
Requirements: n/a
Description:
  The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
  Supplemental Guidance: Information handling and retention requirements cover the full life cycle of information, in some cases extending beyond the disposal of information systems. The National Archives and Records Administration provides guidance on records retention. Related controls: AC-16, AU-5, AU-11, MP-2, MP-4.
  Control Enhancements: None.
  References: None.
Info: link
Policy#: 3

Control Domain: FedRAMP_Moderate_R4
Control: RA-2
Name: FedRAMP_Moderate_R4_RA-2
MetadataId: FedRAMP Moderate RA-2
Category: Risk Assessment
Title: Security Categorization
Owner: Shared
Requirements: n/a
Description:
  The organization:
  a. Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
  b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and
  c. Ensures that the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative.
  Supplemental Guidance: Clearly defined authorization boundaries are a prerequisite for effective security categorization decisions. Security categories describe the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are compromised through a loss of confidentiality, integrity, or availability. Organizations conduct the security categorization process as an organization-wide activity with the involvement of chief information officers, senior information security officers, information system owners, mission/business owners, and information owners/stewards. Organizations also consider the potential adverse impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level adverse impacts. Security categorization processes carried out by organizations facilitate the development of inventories of information assets, and along with CM-8, mappings to specific information system components where information is processed, stored, or transmitted. Related controls: CM-8, MP-4, RA-3, SC-7.
  Control Enhancements: None.
  References: FIPS Publication 199; NIST Special Publications 800-30, 800-39, 800-60.
Info: link
Policy#: 4

Control Domain: FedRAMP_Moderate_R4
Control: SI-12
Name: FedRAMP_Moderate_R4_SI-12
MetadataId: FedRAMP Moderate SI-12
Category: System And Information Integrity
Title: Information Handling And Retention
Owner: Shared
Requirements: n/a
Description:
  The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
  Supplemental Guidance: Information handling and retention requirements cover the full life cycle of information, in some cases extending beyond the disposal of information systems. The National Archives and Records Administration provides guidance on records retention. Related controls: AC-16, AU-5, AU-11, MP-2, MP-4.
  Control Enhancements: None.
  References: None.
Info: link
Policy#: 3
Control Domain: hipaa
Control: 0901.09s1Organizational.1-09.s
Name: hipaa-0901.09s1Organizational.1-09.s
MetadataId: 0901.09s1Organizational.1-09.s
Category: 09 Transmission Protection
Title: 0901.09s1Organizational.1-09.s 09.08 Exchange of Information
Owner: Shared
Requirements: n/a
Description: The organization formally addresses multiple safeguards before allowing the use of information systems for information exchange.
Policy#: 31

Control Domain: hipaa
Control: 1908.06.c1Organizational.4-06.c
Name: hipaa-1908.06.c1Organizational.4-06.c
MetadataId: 1908.06.c1Organizational.4-06.c
Category: 19 Data Protection & Privacy
Title: 1908.06.c1Organizational.4-06.c 06.01 Compliance with Legal Requirements
Owner: Shared
Requirements: n/a
Description: The organization documents and maintains (i) designated record sets that are subject to access by individuals, and (ii) titles of the persons or office responsible for receiving and processing requests for access by individuals as organizational records for a period of six years.
Policy#: 11

Control Domain: hipaa
Control: 19141.06c1Organizational.7-06.c
Name: hipaa-19141.06c1Organizational.7-06.c
MetadataId: 19141.06c1Organizational.7-06.c
Category: 19 Data Protection & Privacy
Title: 19141.06c1Organizational.7-06.c 06.01 Compliance with Legal Requirements
Owner: Shared
Requirements: n/a
Description: Important records, such as contracts, personnel records, financial information, client/customer information, etc., of the organization are protected from loss, destruction and falsification through the implementation of security controls such as access controls, encryption, backups, electronic signatures, locked facilities or containers, etc.
Policy#: 10

Control Domain: hipaa
Control: 19142.06c1Organizational.8-06.c
Name: hipaa-19142.06c1Organizational.8-06.c
MetadataId: 19142.06c1Organizational.8-06.c
Category: 19 Data Protection & Privacy
Title: 19142.06c1Organizational.8-06.c 06.01 Compliance with Legal Requirements
Owner: Shared
Requirements: n/a
Description: Guidelines are issued by the organization on the ownership, classification, retention, storage, handling and disposal of all records and information.
Policy#: 9

Control Domain: hipaa
Control: 19143.06c1Organizational.9-06.c
Name: hipaa-19143.06c1Organizational.9-06.c
MetadataId: 19143.06c1Organizational.9-06.c
Category: 19 Data Protection & Privacy
Title: 19143.06c1Organizational.9-06.c 06.01 Compliance with Legal Requirements
Owner: Shared
Requirements: n/a
Description: Designated senior management within the organization reviews and approves the security categorizations and associated guidelines.
Policy#: 6

Control Domain: hipaa
Control: 19144.06c2Organizational.1-06.c
Name: hipaa-19144.06c2Organizational.1-06.c
MetadataId: 19144.06c2Organizational.1-06.c
Category: 19 Data Protection & Privacy
Title: 19144.06c2Organizational.1-06.c 06.01 Compliance with Legal Requirements
Owner: Shared
Requirements: n/a
Description: The organization has established a formal records document retention program.
Policy#: 7

Control Domain: hipaa
Control: 19145.06c2Organizational.2-06.c
Name: hipaa-19145.06c2Organizational.2-06.c
MetadataId: 19145.06c2Organizational.2-06.c
Category: 19 Data Protection & Privacy
Title: 19145.06c2Organizational.2-06.c 06.01 Compliance with Legal Requirements
Owner: Shared
Requirements: n/a
Description: Specific controls for record storage, access, retention, and destruction have been implemented.
Policy#: 8
Control Domain: ISO27001-2013
Control: A.18.1.3
Name: ISO27001-2013_A.18.1.3
MetadataId: ISO 27001:2013 A.18.1.3
Category: Compliance
Title: Protection of records
Owner: Shared
Requirements: n/a
Description: Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislative, regulatory, contractual and business requirements.
Info: link
Policy#: 15

Control Domain: ISO27001-2013
Control: A.18.1.4
Name: ISO27001-2013_A.18.1.4
MetadataId: ISO 27001:2013 A.18.1.4
Category: Compliance
Title: Privacy and protection of personally identifiable information
Owner: Shared
Requirements: n/a
Description: Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable.
Info: link
Policy#: 6

Control Domain: ISO27001-2013
Control: A.8.2.1
Name: ISO27001-2013_A.8.2.1
MetadataId: ISO 27001:2013 A.8.2.1
Category: Asset Management
Title: Classification of information
Owner: Shared
Requirements: n/a
Description: Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification.
Info: link
Policy#: 5

Control Domain: ISO27001-2013
Control: A.8.2.2
Name: ISO27001-2013_A.8.2.2
MetadataId: ISO 27001:2013 A.8.2.2
Category: Asset Management
Title: Labelling of information
Owner: Shared
Requirements: n/a
Description: An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.
Info: link
Policy#: 4

Control Domain: ISO27001-2013
Control: A.8.2.3
Name: ISO27001-2013_A.8.2.3
MetadataId: ISO 27001:2013 A.8.2.3
Category: Asset Management
Title: Handling of assets
Owner: Shared
Requirements: n/a
Description: Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization.
Info: link
Policy#: 26
Control: mp.eq.4 Other devices connected to the network
Name: mp.eq.4 Other devices connected to the network
MetadataId: 404 not found
Requirements: n/a
Description: n/a
Policy#: 35

Control: mp.info.1 Personal data
Name: mp.info.1 Personal data
MetadataId: 404 not found
Requirements: n/a
Description: n/a
Policy#: 33

Control: mp.info.2 Rating of information
Name: mp.info.2 Rating of information
MetadataId: 404 not found
Requirements: n/a
Description: n/a
Policy#: 45

Control: mp.info.5 Clean-up of documents
Name: mp.info.5 Clean-up of documents
MetadataId: 404 not found
Requirements: n/a
Description: n/a
Policy#: 4

Control: mp.si.1 Marking
Name: mp.si.1 Marking
MetadataId: 404 not found
Requirements: n/a
Description: n/a
Policy#: 7
Control Domain: NIST_SP_800-53_R4
Control: RA-2
Name: NIST_SP_800-53_R4_RA-2
MetadataId: NIST SP 800-53 Rev. 4 RA-2
Category: Risk Assessment
Title: Security Categorization
Owner: Shared
Requirements: n/a
Description:
  The organization:
  a. Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
  b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and
  c. Ensures that the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative.
  Supplemental Guidance: Clearly defined authorization boundaries are a prerequisite for effective security categorization decisions. Security categories describe the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are compromised through a loss of confidentiality, integrity, or availability. Organizations conduct the security categorization process as an organization-wide activity with the involvement of chief information officers, senior information security officers, information system owners, mission/business owners, and information owners/stewards. Organizations also consider the potential adverse impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level adverse impacts. Security categorization processes carried out by organizations facilitate the development of inventories of information assets, and along with CM-8, mappings to specific information system components where information is processed, stored, or transmitted. Related controls: CM-8, MP-4, RA-3, SC-7.
  Control Enhancements: None.
  References: FIPS Publication 199; NIST Special Publications 800-30, 800-39, 800-60.
Info: link
Policy#: 4

Control Domain: NIST_SP_800-53_R4
Control: SI-12
Name: NIST_SP_800-53_R4_SI-12
MetadataId: NIST SP 800-53 Rev. 4 SI-12
Category: System And Information Integrity
Title: Information Handling And Retention
Owner: Shared
Requirements: n/a
Description:
  The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
  Supplemental Guidance: Information handling and retention requirements cover the full life cycle of information, in some cases extending beyond the disposal of information systems. The National Archives and Records Administration provides guidance on records retention. Related controls: AC-16, AU-5, AU-11, MP-2, MP-4.
  Control Enhancements: None.
  References: None.
Info: link
Policy#: 3

Control Domain: NIST_SP_800-53_R5
Control: RA-2
Name: NIST_SP_800-53_R5_RA-2
MetadataId: NIST SP 800-53 Rev. 5 RA-2
Category: Risk Assessment
Title: Security Categorization
Owner: Shared
Requirements: n/a
Description:
  a. Categorize the system and information it processes, stores, and transmits;
  b. Document the security categorization results, including supporting rationale, in the security plan for the system; and
  c. Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.
Info: link
Policy#: 4

Control Domain: NIST_SP_800-53_R5
Control: SI-12
Name: NIST_SP_800-53_R5_SI-12
MetadataId: NIST SP 800-53 Rev. 5 SI-12
Category: System and Information Integrity
Title: Information Management and Retention
Owner: Shared
Requirements: n/a
Description: Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements.
Info: link
Policy#: 3
Control: org.1 Security policy
Name: org.1 Security policy
MetadataId: 404 not found
Requirements: n/a
Description: n/a
Policy#: 94
Control Domain: PCI_DSS_v4.0
Control: 3.2.1
Name: PCI_DSS_v4.0_3.2.1
MetadataId: PCI DSS v4.0 3.2.1
Category: Requirement 03: Protect Stored Account Data
Title: Storage of account data is kept to a minimum
Owner: Shared
Requirements: n/a
Description:
  Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes that include at least the following:
  • Coverage for all locations of stored account data.
  • Coverage for any sensitive authentication data (SAD) stored prior to completion of authorization. This bullet is a best practice until its effective date; refer to Applicability Notes below for details.
  • Limiting data storage amount and retention time to that which is required for legal or regulatory, and/or business requirements.
  • Specific retention requirements for stored account data that defines length of retention period and includes a documented business justification.
  • Processes for secure deletion or rendering account data unrecoverable when no longer needed per the retention policy.
  • A process for verifying, at least once every three months, that stored account data exceeding the defined retention period has been securely deleted or rendered unrecoverable.
Info: link
Policy#: 8
Control Domain: SOC_2
Control: C1.1
Name: SOC_2_C1.1
MetadataId: SOC 2 Type 2 C1.1
Category: Additional Criteria For Confidentiality
Title: Protection of confidential information
Owner: Shared
Requirements: The customer is responsible for implementing this recommendation.
Description:
  • Identifies Confidential Information — Procedures are in place to identify and designate confidential information when it is received or created and to determine the period over which the confidential information is to be retained.
  • Protects Confidential Information From Destruction — Procedures are in place to protect confidential information from erasure or destruction during the specified retention period of the information.
Policy#: 3

Control Domain: SOC_2
Control: C1.2
Name: SOC_2_C1.2
MetadataId: SOC 2 Type 2 C1.2
Category: Additional Criteria For Confidentiality
Title: Disposal of confidential information
Owner: Shared
Requirements: The customer is responsible for implementing this recommendation.
Description:
  • Identifies Confidential Information for Destruction — Procedures are in place to identify confidential information requiring destruction when the end of the retention period is reached.
  • Destroys Confidential Information — Procedures are in place to erase or otherwise destroy confidential information that has been identified for destruction.
Policy#: 3

Control Domain: SOC_2
Control: CC2.1
Name: SOC_2_CC2.1
MetadataId: SOC 2 Type 2 CC2.1
Category: Communication and Information
Title: COSO Principle 13
Owner: Shared
Requirements: The customer is responsible for implementing this recommendation.
Description:
  • Identifies Information Requirements — A process is in place to identify the information required and expected to support the functioning of the other components of internal control and the achievement of the entity's objectives.
  • Captures Internal and External Sources of Data — Information systems capture internal and external sources of data.
  • Processes Relevant Data Into Information — Information systems process and transform relevant data into information.
  • Maintains Quality Throughout Processing — Information systems produce information that is timely, current, accurate, complete, accessible, protected, verifiable, and retained. Information is reviewed to assess its relevance in supporting the internal control components.
Policy#: 3

Control Domain: SOC_2
Control: CC3.1
Name: SOC_2_CC3.1
MetadataId: SOC 2 Type 2 CC3.1
Category: Risk Assessment
Title: COSO Principle 6
Owner: Shared
Requirements: The customer is responsible for implementing this recommendation.
Description:
  • Reflects Management's Choices — Operations objectives reflect management's choices about structure, industry considerations, and performance of the entity.
  • Considers Tolerances for Risk — Management considers the acceptable levels of variation relative to the achievement of operations objectives.
  • Includes Operations and Financial Performance Goals — The organization reflects the desired level of operations and financial performance for the entity within operations objectives.
  • Forms a Basis for Committing of Resources — Management uses operations objectives as a basis for allocating resources needed to attain desired operations and financial performance.
  External Financial Reporting Objectives
  • Complies With Applicable Accounting Standards — Financial reporting objectives are consistent with accounting principles suitable and available for that entity. The accounting principles selected are appropriate in the circumstances.
  • Considers Materiality — Management considers materiality in financial statement presentation.
  • Reflects Entity Activities — External reporting reflects the underlying transactions and events to show qualitative characteristics and assertions.
  External Nonfinancial Reporting Objectives
  • Complies With Externally Established Frameworks — Management establishes objectives consistent with laws and regulations or standards and frameworks of recognized external organizations.
  • Considers the Required Level of Precision — Management reflects the required level of precision and accuracy suitable for user needs and based on criteria established by third parties in nonfinancial reporting.
  • Reflects Entity Activities — External reporting reflects the underlying transactions and events within a range of acceptable limits.
  Internal Reporting Objectives
  • Reflects Management's Choices — Internal reporting provides management with accurate and complete information regarding management's choices and information needed in managing the entity.
  • Considers the Required Level of Precision — Management reflects the required level of precision and accuracy suitable for user needs in nonfinancial reporting objectives and materiality within financial reporting objectives.
  • Reflects Entity Activities — Internal reporting reflects the underlying transactions and events within a range of acceptable limits.
  Compliance Objectives
  • Reflects External Laws and Regulations — Laws and regulations establish minimum standards of conduct, which the entity integrates into compliance objectives.
  • Considers Tolerances for Risk — Management considers the acceptable levels of variation relative to the achievement of operations objectives.
Policy#: 7

Control Domain: SOC_2
Control: CC3.2
Name: SOC_2_CC3.2
MetadataId: SOC 2 Type 2 CC3.2
Category: Risk Assessment
Title: COSO Principle 7
Owner: Shared
Requirements: The customer is responsible for implementing this recommendation.
Description:
  Points of focus specified in the COSO framework:
  • Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels — The entity identifies and assesses risk at the entity, subsidiary, division, operating unit, and functional levels relevant to the achievement of objectives.
  • Analyzes Internal and External Factors — Risk identification considers both internal and external factors and their impact on the achievement of objectives.
  • Involves Appropriate Levels of Management — The entity puts into place effective risk assessment mechanisms that involve appropriate levels of management.
  • Estimates Significance of Risks Identified — Identified risks are analyzed through a process that includes estimating the potential significance of the risk.
  • Determines How to Respond to Risks — Risk assessment includes considering how the risk should be managed and whether to accept, avoid, reduce, or share the risk.
  Additional points of focus specifically related to all engagements using the trust services criteria:
  • Identifies and Assesses Criticality of Information Assets and Identifies Threats and Vulnerabilities — The entity's risk identification and assessment process includes (1) identifying information assets, including physical devices and systems, virtual devices, software, data and data flows, external information systems, and organizational roles; (2) assessing the criticality of those information assets; (3) identifying the threats to the assets from intentional (including malicious) and unintentional acts and environmental events; and (4) identifying the vulnerabilities of the identified assets.
  • Analyzes Threats and Vulnerabilities From Vendors, Business Partners, and Other Parties — The entity's risk assessment process includes the analysis of potential threats and vulnerabilities arising from vendors providing goods and services, as well as threats and vulnerabilities arising from business partners, customers, and others with access to the entity's information systems.
  • Considers the Significance of the Risk — The entity's consideration of the potential significance of the identified risks includes (1) determining the criticality of identified assets in meeting objectives; (2) assessing the impact of identified threats and vulnerabilities in meeting objectives; (3) assessing the likelihood of identified threats; and (4) determining the risk associated with assets based on asset criticality, threat impact, and likelihood.
Policy#: 11

Control Domain: SOC_2
Control: PI1.3
Name: SOC_2_PI1.3
MetadataId: SOC 2 Type 2 PI1.3
Category: Additional Criteria For Processing Integrity
Title: System processing
Owner: Shared
Requirements: The customer is responsible for implementing this recommendation.
Description:
  • Defines Processing Specifications — The processing specifications that are necessary to meet product or service requirements are defined.
  • Defines Processing Activities — Processing activities are defined to result in products or services that meet specifications.
  • Detects and Corrects Production Errors — Errors in the production process are detected and corrected in a timely manner.
  • Records System Processing Activities — System processing activities are recorded completely and accurately in a timely manner.
  • Processes Inputs — Inputs are processed completely, accurately, and timely as authorized in accordance with defined processing activities.
Policy#: 5

Control Domain: SOC_2
Control: PI1.4
Name: SOC_2_PI1.4
MetadataId: SOC 2 Type 2 PI1.4
Category: Additional Criteria For Processing Integrity
Title: System output is complete, accurate, and timely
Owner: Shared
Requirements: The customer is responsible for implementing this recommendation.
Description:
  • Protects Output — Output is protected when stored or delivered, or both, to prevent theft, destruction, corruption, or deterioration that would prevent output from meeting specifications.
  • Distributes Output Only to Intended Parties — Output is distributed or made available only to intended parties.
  • Distributes Output Completely and Accurately — Procedures are in place to provide for the completeness, accuracy, and timeliness of distributed output.
  • Creates and Maintains Records of System Output Activities — Records of system output activities are created and maintained completely and accurately in a timely manner.
Policy#: 3

Control Domain: SOC_2
Control: PI1.5
Name: SOC_2_PI1.5
MetadataId: SOC 2 Type 2 PI1.5
Category: Additional Criteria For Processing Integrity
Title: Store inputs and outputs completely, accurately, and timely
Owner: Shared
Requirements: The customer is responsible for implementing this recommendation.
Description:
  • Protects Stored Items — Stored items are protected to prevent theft, corruption, destruction, or deterioration that would prevent output from meeting specifications.
  • Archives and Protects System Records — System records are archived and archives are protected against theft, corruption, destruction, or deterioration that would prevent them from being used.
  • Stores Data Completely and Accurately — Procedures are in place to provide for the complete, accurate, and timely storage of data.
  • Creates and Maintains Records of System Storage Activities — Records of system storage activities are created and maintained completely and accurately in a timely manner.
Policy#: 10