compliance controls are associated with this Policy definition 'Monitor privileged role assignment' (ed87d27a-9abf-7c71-714c-61d881889da4)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| CIS_Azure_1.1.0 |
1.8 |
CIS_Azure_1.1.0_1.8 |
CIS Microsoft Azure Foundations Benchmark recommendation 1.8 |
1 Identity and Access Management |
Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' |
Shared |
The customer is responsible for implementing this recommendation. |
Ensure that all administrators are notified if any other administrator resets their password. |
link |
10 |
| CIS_Azure_1.3.0 |
1.8 |
CIS_Azure_1.3.0_1.8 |
CIS Microsoft Azure Foundations Benchmark recommendation 1.8 |
1 Identity and Access Management |
Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' |
Shared |
The customer is responsible for implementing this recommendation. |
Ensure that all administrators are notified if any other administrator resets their password. |
link |
10 |
| CIS_Azure_1.4.0 |
1.8 |
CIS_Azure_1.4.0_1.8 |
CIS Microsoft Azure Foundations Benchmark recommendation 1.8 |
1 Identity and Access Management |
Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' |
Shared |
The customer is responsible for implementing this recommendation. |
Ensure that all administrators are notified if any other administrator resets their password. |
link |
10 |
| CIS_Azure_2.0.0 |
1.10 |
CIS_Azure_2.0.0_1.10 |
CIS Microsoft Azure Foundations Benchmark recommendation 1.10 |
1 |
Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' |
Shared |
All Global Administrators will receive a notification from Azure every time a password is reset. This is useful for auditing procedures to confirm that there are no out of the ordinary password resets for Global Administrators. There is additional overhead, however, in the time required for Global Administrators to audit the notifications. This setting is only useful if all Global Administrators pay attention to the notifications, and audit each one. |
Ensure that all Global Administrators are notified if any other administrator resets their password.
Global Administrator accounts are sensitive. Any password reset activity notification, when sent to all Global Administrators, ensures that all Global administrators can passively confirm if such a reset is a common pattern within their group. For example, if all Global Administrators change their password every 30 days, any password reset activity before that may require administrator(s) to evaluate any unusual activity and confirm its origin. |
link |
10 |
| FedRAMP_High_R4 |
AC-2(7) |
FedRAMP_High_R4_AC-2(7) |
FedRAMP High AC-2 (7) |
Access Control |
Role-Based Schemes |
Shared |
n/a |
The organization:
(a) Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles;
(b) Monitors privileged role assignments; and
(c) Takes [Assignment: organization-defined actions] when privileged role assignments are no longer appropriate.
Supplemental Guidance: Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. These privileged roles include, for example, key management, account management, network and system administration, database administration, and web administration. |
link |
10 |
| FedRAMP_High_R4 |
AC-6(9) |
FedRAMP_High_R4_AC-6(9) |
FedRAMP High AC-6 (9) |
Access Control |
Auditing Use Of Privileged Functions |
Shared |
n/a |
The information system audits the execution of privileged functions.
Supplemental Guidance: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat (APT). Related control: AU-2. |
link |
6 |
| FedRAMP_Moderate_R4 |
AC-2(7) |
FedRAMP_Moderate_R4_AC-2(7) |
FedRAMP Moderate AC-2 (7) |
Access Control |
Role-Based Schemes |
Shared |
n/a |
The organization:
(a) Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles;
(b) Monitors privileged role assignments; and
(c) Takes [Assignment: organization-defined actions] when privileged role assignments are no longer appropriate.
Supplemental Guidance: Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. These privileged roles include, for example, key management, account management, network and system administration, database administration, and web administration. |
link |
10 |
| FedRAMP_Moderate_R4 |
AC-6(9) |
FedRAMP_Moderate_R4_AC-6(9) |
FedRAMP Moderate AC-6 (9) |
Access Control |
Auditing Use Of Privileged Functions |
Shared |
n/a |
The information system audits the execution of privileged functions.
Supplemental Guidance: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat (APT). Related control: AU-2. |
link |
6 |
| hipaa |
1129.01v1System.12-01.v |
hipaa-1129.01v1System.12-01.v |
1129.01v1System.12-01.v |
11 Access Control |
1129.01v1System.12-01.v 01.06 Application and Information Access Control |
Shared |
n/a |
Access rights to applications and application functions should be restricted in accordance with the access control policy. |
|
12 |
| hipaa |
1145.01c2System.1-01.c |
hipaa-1145.01c2System.1-01.c |
1145.01c2System.1-01.c |
11 Access Control |
1145.01c2System.1-01.c 01.02 Authorized Access to Information Systems |
Shared |
n/a |
Role-based access control is implemented and capable of mapping each user to one or more roles, and each role to one or more system functions. |
|
8 |
| hipaa |
1151.01c3System.1-01.c |
hipaa-1151.01c3System.1-01.c |
1151.01c3System.1-01.c |
11 Access Control |
1151.01c3System.1-01.c 01.02 Authorized Access to Information Systems |
Shared |
n/a |
The organization limits authorization to privileged accounts on information systems to a pre-defined subset of users. |
|
7 |
| hipaa |
1152.01c3System.2-01.c |
hipaa-1152.01c3System.2-01.c |
1152.01c3System.2-01.c |
11 Access Control |
1152.01c3System.2-01.c 01.02 Authorized Access to Information Systems |
Shared |
n/a |
The organization audits the execution of privileged functions on information systems and ensures information systems prevent non-privileged users from executing privileged functions. |
|
9 |
| hipaa |
1214.09ab2System.3456-09.ab |
hipaa-1214.09ab2System.3456-09.ab |
1214.09ab2System.3456-09.ab |
12 Audit Logging & Monitoring |
1214.09ab2System.3456-09.ab 09.10 Monitoring |
Shared |
n/a |
Monitoring includes privileged operations, authorized access or unauthorized access attempts, including attempts to access deactivated accounts, and system alerts or failures. |
|
9 |
| hipaa |
1232.09c3Organizational.12-09.c |
hipaa-1232.09c3Organizational.12-09.c |
1232.09c3Organizational.12-09.c |
12 Audit Logging & Monitoring |
1232.09c3Organizational.12-09.c 09.01 Documented Operating Procedures |
Shared |
n/a |
Access for individuals responsible for administering access controls is limited to the minimum necessary based upon each user's role and responsibilities and these individuals cannot access audit functions related to these controls. |
|
21 |
| hipaa |
1270.09ad1System.12-09.ad |
hipaa-1270.09ad1System.12-09.ad |
1270.09ad1System.12-09.ad |
12 Audit Logging & Monitoring |
1270.09ad1System.12-09.ad 09.10 Monitoring |
Shared |
n/a |
The organization ensures proper logging is enabled in order to audit administrator activities; and reviews system administrator and operator logs on a regular basis. |
|
18 |
| hipaa |
1276.09c2Organizational.2-09.c |
hipaa-1276.09c2Organizational.2-09.c |
1276.09c2Organizational.2-09.c |
12 Audit Logging & Monitoring |
1276.09c2Organizational.2-09.c 09.01 Documented Operating Procedures |
Shared |
n/a |
Security audit activities are independent. |
|
18 |
| hipaa |
1451.05iCSPOrganizational.2-05.i |
hipaa-1451.05iCSPOrganizational.2-05.i |
1451.05iCSPOrganizational.2-05.i |
14 Third Party Assurance |
1451.05iCSPOrganizational.2-05.i 05.02 External Parties |
Shared |
n/a |
Cloud service providers design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privilege access for all personnel within their supply chain. |
|
21 |
| ISO27001-2013 |
A.12.4.1 |
ISO27001-2013_A.12.4.1 |
ISO 27001:2013 A.12.4.1 |
Operations Security |
Event Logging |
Shared |
n/a |
Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed. |
link |
53 |
| ISO27001-2013 |
A.12.4.3 |
ISO27001-2013_A.12.4.3 |
ISO 27001:2013 A.12.4.3 |
Operations Security |
Administrator and operator logs |
Shared |
n/a |
System administrator and system operator activities shall be logged and the logs protected and regularly reviewed. |
link |
29 |
| ISO27001-2013 |
A.9.2.3 |
ISO27001-2013_A.9.2.3 |
ISO 27001:2013 A.9.2.3 |
Access Control |
Management of privileged access rights |
Shared |
n/a |
The allocation and use of privileged access rights shall be restricted and controlled. |
link |
33 |
|
mp.s.2 Protection of web services and applications |
mp.s.2 Protection of web services and applications |
404 not found |
|
|
|
n/a |
n/a |
|
102 |
| NIST_SP_800-171_R2_3 |
.1.2 |
NIST_SP_800-171_R2_3.1.2 |
NIST SP 800-171 R2 3.1.2 |
Access Control |
Limit system access to the types of transactions and functions that authorized users are permitted to execute. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades scheduled maintenance,) and mission or business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). |
link |
31 |
| NIST_SP_800-171_R2_3 |
.1.7 |
NIST_SP_800-171_R2_3.1.7 |
NIST SP 800-171 R2 3.1.7 |
Access Control |
Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Privileged functions include establishing system accounts, performing system integrity checks, conducting patching operations, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users. Note that this requirement represents a condition to be achieved by the definition of authorized privileges in 3.1.2. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Logging the use of privileged functions is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat. |
link |
6 |
| NIST_SP_800-53_R4 |
AC-2(7) |
NIST_SP_800-53_R4_AC-2(7) |
NIST SP 800-53 Rev. 4 AC-2 (7) |
Access Control |
Role-Based Schemes |
Shared |
n/a |
The organization:
(a) Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles;
(b) Monitors privileged role assignments; and
(c) Takes [Assignment: organization-defined actions] when privileged role assignments are no longer appropriate.
Supplemental Guidance: Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. These privileged roles include, for example, key management, account management, network and system administration, database administration, and web administration. |
link |
10 |
| NIST_SP_800-53_R4 |
AC-6(9) |
NIST_SP_800-53_R4_AC-6(9) |
NIST SP 800-53 Rev. 4 AC-6 (9) |
Access Control |
Auditing Use Of Privileged Functions |
Shared |
n/a |
The information system audits the execution of privileged functions.
Supplemental Guidance: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat (APT). Related control: AU-2. |
link |
6 |
| NIST_SP_800-53_R5 |
AC-2(7) |
NIST_SP_800-53_R5_AC-2(7) |
NIST SP 800-53 Rev. 5 AC-2 (7) |
Access Control |
Privileged User Accounts |
Shared |
n/a |
(a) Establish and administer privileged user accounts in accordance with [Selection: a role-based access scheme;an attribute-based access scheme] ;
(b) Monitor privileged role or attribute assignments;
(c) Monitor changes to roles or attributes; and
(d) Revoke access when privileged role or attribute assignments are no longer appropriate. |
link |
10 |
| NIST_SP_800-53_R5 |
AC-6(9) |
NIST_SP_800-53_R5_AC-6(9) |
NIST SP 800-53 Rev. 5 AC-6 (9) |
Access Control |
Log Use of Privileged Functions |
Shared |
n/a |
Log the execution of privileged functions. |
link |
6 |
|
op.acc.1 Identification |
op.acc.1 Identification |
404 not found |
|
|
|
n/a |
n/a |
|
66 |
|
op.acc.3 Segregation of functions and tasks |
op.acc.3 Segregation of functions and tasks |
404 not found |
|
|
|
n/a |
n/a |
|
43 |
|
op.acc.4 Access rights management process |
op.acc.4 Access rights management process |
404 not found |
|
|
|
n/a |
n/a |
|
40 |
|
op.acc.5 Authentication mechanism (external users) |
op.acc.5 Authentication mechanism (external users) |
404 not found |
|
|
|
n/a |
n/a |
|
72 |
|
op.exp.8 Recording of the activity |
op.exp.8 Recording of the activity |
404 not found |
|
|
|
n/a |
n/a |
|
67 |
| PCI_DSS_v4.0 |
10.2.1.2 |
PCI_DSS_v4.0_10.2.1.2 |
PCI DSS v4.0 10.2.1.2 |
Requirement 10: Log and Monitor All Access to System Components and Cardholder Data |
Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events |
Shared |
n/a |
Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts. |
link |
7 |
| PCI_DSS_v4.0 |
10.2.1.3 |
PCI_DSS_v4.0_10.2.1.3 |
PCI DSS v4.0 10.2.1.3 |
Requirement 10: Log and Monitor All Access to System Components and Cardholder Data |
Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events |
Shared |
n/a |
Audit logs capture all access to audit logs. |
link |
8 |
| PCI_DSS_v4.0 |
10.2.1.5 |
PCI_DSS_v4.0_10.2.1.5 |
PCI DSS v4.0 10.2.1.5 |
Requirement 10: Log and Monitor All Access to System Components and Cardholder Data |
Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events |
Shared |
n/a |
Audit logs capture all changes to identification and authentication credentials including, but not limited to:
• Creation of new accounts.
• Elevation of privileges.
• All changes, additions, or deletions to accounts with administrative access. |
link |
13 |
| PCI_DSS_v4.0 |
10.2.1.6 |
PCI_DSS_v4.0_10.2.1.6 |
PCI DSS v4.0 10.2.1.6 |
Requirement 10: Log and Monitor All Access to System Components and Cardholder Data |
Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events |
Shared |
n/a |
Audit logs capture the following:
• All initialization of new audit logs, and
• All starting, stopping, or pausing of the existing audit logs. |
link |
8 |
| PCI_DSS_v4.0 |
10.6.3 |
PCI_DSS_v4.0_10.6.3 |
PCI DSS v4.0 10.6.3 |
Requirement 10: Log and Monitor All Access to System Components and Cardholder Data |
Time-synchronization mechanisms support consistent time settings across all systems |
Shared |
n/a |
Time synchronization settings and data are protected as follows:
• Access to time data is restricted to only personnel with a business need.
• Any changes to time settings on critical systems are logged, monitored, and reviewed. |
link |
10 |
| SOC_2 |
CC6.3 |
SOC_2_CC6.3 |
SOC 2 Type 2 CC6.3 |
Logical and Physical Access Controls |
Rol based access and least privilege |
Shared |
The customer is responsible for implementing this recommendation. |
• Creates or Modifies Access to Protected Information Assets — Processes are in
place to create or modify access to protected information assets based on authorization from the asset’s owner.
• Removes Access to Protected Information Assets — Processes are in place to remove access to protected information assets when an individual no longer requires
access.
• Uses Role-Based Access Controls — Role-based access control is utilized to support segregation of incompatible functions.
• Reviews Access Roles and Rules — The appropriateness of access roles and access
rules is reviewed on a periodic basis for unnecessary and inappropriate individuals
with access and access rules are modified as appropriate |
|
20 |
| SWIFT_CSCF_v2022 |
1.2 |
SWIFT_CSCF_v2022_1.2 |
SWIFT CSCF v2022 1.2 |
1. Restrict Internet Access & Protect Critical Systems from General IT Environment |
Restrict and control the allocation and usage of administrator-level operating system accounts. |
Shared |
n/a |
Access to administrator-level operating system accounts is restricted to the maximum extent possible. Usage is controlled, monitored, and only permitted for relevant activities such as software installation and configuration, maintenance, and emergency activities. At all other times, an account with the least privilege access is used. |
link |
22 |