Az Policy Advertizer

Azure_Security_Benchmark_v1.0

4.4

Azure_Security_Benchmark_v1.0_4.4

Azure Security Benchmark 4.4

Data Protection

Encrypt all sensitive information in transit

Shared

Encrypt all sensitive information in transit. Ensure that any clients connecting to your Azure resources are able to negotiate TLS 1.2 or greater. Follow Azure Security Center recommendations for encryption at rest and encryption in transit, where applicable. Understand encryption in transit with Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit

n/a

Azure_Security_Benchmark_v2.0

DP-4

Azure_Security_Benchmark_v2.0_DP-4

Azure Security Benchmark DP-4

Data Protection

Encrypt sensitive information in transit

Shared

To complement access controls, data in transit should be protected against ‘out of band’ attacks (e.g. traffic capture) using encryption to ensure that attackers cannot easily read or modify the data. While this is optional for traffic on private networks, this is critical for traffic on external and public networks. For HTTP traffic, ensure that any clients connecting to your Azure resources can negotiate TLS v1.2 or greater. For remote management, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol. Obsoleted SSL, TLS, and SSH versions and protocols, and weak ciphers should be disabled. By default, Azure provides encryption for data in transit between Azure data centers. Understand encryption in transit with Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit Information on TLS Security: https://docs.microsoft.com/security/engineering/solving-tls1-problem Double encryption for Azure data in transit: https://docs.microsoft.com/azure/security/fundamentals/double-encryption#data-in-transit

n/a

Azure_Security_Benchmark_v3.0

DP-3

Azure_Security_Benchmark_v3.0_DP-3

Microsoft cloud security benchmark DP-3

Data Protection

Encrypt sensitive data in transit

Shared

**Security Principle:** Protect the data in transit against 'out of band' attacks (such as traffic capture) using encryption to ensure that attackers cannot easily read or modify the data. Set the network boundary and service scope where data in transit encryption is mandatory inside and outside of the network. While this is optional for traffic on private networks, this is critical for traffic on external and public networks. **Azure Guidance:** Enforce secure transfer in services such as Azure Storage, where a native data in transit encryption feature is built in. Enforce HTTPS for workload web application and services by ensuring that any clients connecting to your Azure resources use transportation layer security (TLS) v1.2 or later. For remote management of VMs, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol. Note: Data in transit encryption is enabled for all Azure traffic traveling between Azure datacenters. TLS v1.2 or later is enabled on most Azure PaaS services by default. **Implementation and additional context:** Double encryption for Azure data in transit: https://docs.microsoft.com/azure/security/fundamentals/double-encryption#data-in-transit Understand encryption in transit with Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit Information on TLS Security: https://docs.microsoft.com/security/engineering/solving-tls1-problem Enforce secure transfer in Azure storage: https://docs.microsoft.com/azure/storage/common/storage-require-secure-transfer?toc=/azure/storage/blobs/toc.json#require-secure-transfer-for-a-new-storage-account

n/a

Azure_Security_Benchmark_v3.0

NS-8

Azure_Security_Benchmark_v3.0_NS-8

Microsoft cloud security benchmark NS-8

Network Security

Detect and disable insecure services and protocols

Shared

**Security Principle:** Detect and disable insecure services and protocols at the OS, application, or software package layer. Deploy compensating controls if disabling insecure services and protocols are not possible. **Azure Guidance:** Use Azure Sentinel’s built-in Insecure Protocol Workbook to discover the use of insecure services and protocols such as SSL/TLSv1, SSHv1, SMBv1, LM/NTLMv1, wDigest, Unsigned LDAP Binds, and weak ciphers in Kerberos. Disable insecure services and protocols that do not meet the appropriate security standard. Note: If disabling insecure services or protocols is not possible, use compensating controls such as blocking access to the resources through network security group, Azure Firewall, or Azure Web Application Firewall to reduce the attack surface. **Implementation and additional context:** Azure Sentinel insecure protocols workbook: https://docs.microsoft.com/azure/sentinel/quickstart-get-visibility#use-built-in-workbooks

n/a

CIS_Azure_1.1.0

9.3

CIS_Azure_1.1.0_9.3

CIS Microsoft Azure Foundations Benchmark recommendation 9.3

9 AppService

Ensure web app is using the latest version of TLS encryption

Shared

The customer is responsible for implementing this recommendation.

CIS_Azure_1.3.0

9.3

CIS_Azure_1.3.0_9.3

CIS Microsoft Azure Foundations Benchmark recommendation 9.3

9 AppService

Ensure web app is using the latest version of TLS encryption

Shared

The customer is responsible for implementing this recommendation.

CIS_Azure_1.4.0

9.3

CIS_Azure_1.4.0_9.3

CIS Microsoft Azure Foundations Benchmark recommendation 9.3

9 AppService

Ensure Web App is using the latest version of TLS encryption

Shared

The customer is responsible for implementing this recommendation.

CIS_Azure_2.0.0

9.3

CIS_Azure_2.0.0_9.3

CIS Microsoft Azure Foundations Benchmark recommendation 9.3

Ensure Web App is using the latest version of TLS encryption

Shared

n/a

The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards such as PCI DSS. App service currently allows the web app to set TLS versions 1.0, 1.1 and 1.2. It is highly recommended to use the latest TLS 1.2 version for web app secure connections.

CMMC_2.0_L2

SC.L2-3.13.8

CMMC_2.0_L2_SC.L2-3.13.8

404 not found

n/a

IA.3.084

CMMC_L3_IA.3.084

CMMC L3 IA.3.084

Identification and Authentication

Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Authentication processes resist replay attacks if it is impractical to successfully authenticate by recording or replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or challenge-response one-time authenticators.

SC.1.175

CMMC_L3_SC.1.175

CMMC L3 SC.1.175

System and Communications Protection

Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions.

SC.3.185

CMMC_L3_SC.3.185

CMMC L3 SC.3.185

System and Communications Protection

Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

This requirement applies to internal and external networks and any system components that can transmit information including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines. Communication paths outside the physical protection of controlled boundaries are susceptible to both interception and modification. Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of the controls for transmission confidentiality. In such situations, organizations determine what types of confidentiality services are available in commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary safeguards and assurances of the effectiveness of the safeguards through appropriate contracting vehicles, organizations implement compensating safeguards or explicitly accept the additional risk. An example of an alternative physical safeguard is a protected distribution system (PDS) where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted.

SC.3.190

CMMC_L3_SC.3.190

CMMC L3 SC.3.190

System and Communications Protection

Protect the authenticity of communications sessions.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Authenticity protection includes protecting against man-in-the-middle attacks, session hijacking, and the insertion of false information into communications sessions. This requirement addresses communications protection at the session versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted.

SI.1.210

CMMC_L3_SI.1.210

CMMC L3 SI.1.210

System and Information Integrity

Identify, report, and correct information and information system flaws in a timely manner.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

Organizations identify systems that are affected by announced software and firmware flaws including potential vulnerabilities resulting from those flaws and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and anti-virus signatures. Organizations address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations can take advantage of available resources such as the Common Weakness Enumeration (CWE) database or Common Vulnerabilities and Exposures (CVE) database in remediating flaws discovered in organizational systems. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types of remediation.

FedRAMP_High_R4

SC-8

FedRAMP_High_R4_SC-8

FedRAMP High SC-8

System And Communications Protection

Transmission Confidentiality And Integrity

Shared

n/a

The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information. Supplemental Guidance: This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and/or integrity of organizational information can be accomplished by physical means (e.g., by employing physical distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality/integrity. In such situations, organizations determine what types of confidentiality/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk. Related controls: AC-17, PE-4. References: FIPS Publications 140-2, 197; NIST Special Publications 800-52, 800-77, 800-81, 800-113; CNSS Policy 15; NSTISSI No. 7003.

FedRAMP_High_R4

SC-8(1)

FedRAMP_High_R4_SC-8(1)

FedRAMP High SC-8 (1)

System And Communications Protection

Cryptographic Or Alternate Physical Protection

Shared

n/a

The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]. Supplemental Guidance: Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Alternative physical security safeguards include, for example, protected distribution systems. Related control: SC-13.

FedRAMP_Moderate_R4

SC-8

FedRAMP_Moderate_R4_SC-8

FedRAMP Moderate SC-8

System And Communications Protection

Transmission Confidentiality And Integrity

Shared

n/a

FedRAMP_Moderate_R4_SC-8(1)

FedRAMP_Moderate_R4

SC-8(1)

FedRAMP Moderate SC-8 (1)

System And Communications Protection

Cryptographic Or Alternate Physical Protection

Shared

n/a

hipaa-0809.01n2Organizational.1234-01.n

0809.01n2Organizational.1234-01.n

0809.01n2Organizational.1234-01.n

08 Network Protection

0809.01n2Organizational.1234-01.n 01.04 Network Access Control

Shared

n/a

Network traffic is controlled in accordance with the organization’s access control policy through firewall and other network-related restrictions for each network access point or external telecommunication service's managed interface.

hipaa-0810.01n2Organizational.5-01.n

0810.01n2Organizational.5-01.n

0810.01n2Organizational.5-01.n

08 Network Protection

0810.01n2Organizational.5-01.n 01.04 Network Access Control

Shared

n/a

Transmitted information is secured and, at a minimum, encrypted over open, public networks.

hipaa-0811.01n2Organizational.6-01.n

0811.01n2Organizational.6-01.n

0811.01n2Organizational.6-01.n

08 Network Protection

0811.01n2Organizational.6-01.n 01.04 Network Access Control

Shared

n/a

Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need.

hipaa-0812.01n2Organizational.8-01.n

0812.01n2Organizational.8-01.n

0812.01n2Organizational.8-01.n

08 Network Protection

0812.01n2Organizational.8-01.n 01.04 Network Access Control

Shared

n/a

Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources.

hipaa-0814.01n1Organizational.12-01.n

0814.01n1Organizational.12-01.n

0814.01n1Organizational.12-01.n

08 Network Protection

0814.01n1Organizational.12-01.n 01.04 Network Access Control

Shared

n/a

The ability of users to connect to the internal network is restricted using a deny-by-default and allow-by-exception policy at managed interfaces according to the access control policy and the requirements of its business applications.

hipaa-0949.09y2Organizational.5-09.y

0949.09y2Organizational.5-09.y

0949.09y2Organizational.5-09.y

09 Transmission Protection

0949.09y2Organizational.5-09.y 09.09 Electronic Commerce Services

Shared

n/a

The protocols used for communications are enhanced to address any new vulnerability, and the updated versions of the protocols are adopted as soon as possible.

New_Zealand_ISM

17.4.16.C.01

New_Zealand_ISM_17.4.16.C.01

17. Cryptography

17.4.16.C.01 Using TLS

n/a

Agencies SHOULD use the current version of TLS (version 1.3).

NIST_SP_800-171_R2_3

.13.8

NIST_SP_800-171_R2_3.13.8

NIST SP 800-171 R2 3.13.8

System and Communications Protection

Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.

Shared

Microsoft and the customer share responsibilities for implementing this requirement.

NIST_SP_800-53_R4

SC-8

NIST_SP_800-53_R4_SC-8

NIST SP 800-53 Rev. 4 SC-8

System And Communications Protection

Transmission Confidentiality And Integrity

Shared

n/a

NIST_SP_800-53_R4_SC-8(1)

NIST_SP_800-53_R4

SC-8(1)

NIST SP 800-53 Rev. 4 SC-8 (1)

System And Communications Protection

Cryptographic Or Alternate Physical Protection

Shared

n/a

NIST_SP_800-53_R5

SC-8

NIST_SP_800-53_R5_SC-8

NIST SP 800-53 Rev. 5 SC-8

System and Communications Protection

Transmission Confidentiality and Integrity

Shared

n/a

Protect the [Selection (OneOrMore): confidentiality;integrity] of transmitted information.

NIST_SP_800-53_R5_SC-8(1)

NIST_SP_800-53_R5

SC-8(1)

NIST SP 800-53 Rev. 5 SC-8 (1)

System and Communications Protection

Cryptographic Protection

Shared

n/a

Implement cryptographic mechanisms to [Selection (OneOrMore): prevent unauthorized disclosure of information;detect changes to information] during transmission.

NL_BIO_Cloud_Theme_U.05.1(2)

NL_BIO_Cloud_Theme

U.05.1(2)

U.05 Data protection

Cryptographic measures

n/a

Data transport is secured with cryptography to the latest state of the art (in accordance with the Forum for Standardization), whereby the key management is carried out by the CSC itself if possible.

NL_BIO_Cloud_Theme

U.11.1(2)

NL_BIO_Cloud_Theme_U.11.1(2)

U.11 Cryptoservices

Policy

n/a

The cryptography policy includes at least the following topics: when cryptography is used; who is responsible for the implementation of cryptology; who is responsible for key management; which standards serve as a basis for cryptography and the way in which the standards of the Standardisation Forum are applied; the way in which the level of protection is determined; in the case of communication between organizations, the policy is determined among themselves.

NL_BIO_Cloud_Theme

U.11.2(2)

NL_BIO_Cloud_Theme_U.11.2(2)

U.11 Cryptoservices

Cryptographic measures

n/a

In the case of PKIoverheid certificates: apply the PKIoverheid requirements with regard to key management. In other situations: use the ISO 11770 standard for managing cryptographic keys.

NZ_ISM_v3.5

CR-8

NZ_ISM_v3.5_CR-8

NZISM Security Benchmark CR-8

Cryptography

17.4.16 Using TLS

Customer

n/a

Whilst version 1.0 of SSL was never released, version 2.0 had significant security flaws leading to the development of SSL 3.0. SSL has since been superseded by TLS with the latest version being TLS 1.3 which was released in August 2018. SSL is no longer an approved cryptographic protocol

NZISM_Security_Benchmark_v1.1

CR-7

NZISM_Security_Benchmark_v1.1_CR-7

NZISM Security Benchmark CR-7

Cryptography

17.4.16 Using TLS

Customer

Agencies SHOULD use the current version of TLS.

10.1

RBI_CSF_Banks_v2016_10.1

Secure Mail And Messaging Systems

Secure Mail And Messaging Systems-10.1

n/a

Implement secure mail and messaging systems, including those used by bank???s partners & vendors, that include measures to prevent email spoofing, identical mail domains, protection of attachments, malicious links etc

10.2

RBI_CSF_Banks_v2016_10.2

Secure Mail And Messaging Systems

Secure Mail And Messaging Systems-10.2

n/a

Document and implement emailserver specific controls

13.1

RBI_CSF_Banks_v2016_13.1

Advanced Real-Timethreat Defenceand Management

Advanced Real-Timethreat Defenceand Management-13.1

n/a

Build a robust defence against the installation, spread, and execution of malicious code at multiple points in the enterprise.

13.4

RBI_CSF_Banks_v2016_13.4

Advanced Real-Timethreat Defenceand Management

Advanced Real-Timethreat Defenceand Management-13.4

n/a

Consider implementingsecure web gateways with capability to deep scan network packets including secure (HTTPS, etc.) traffic passing through the web/internet gateway

RBI_ITF_NBFC_v2017

3.1.h

RBI_ITF_NBFC_v2017_3.1.h

RBI IT Framework 3.1.h

Information and Cyber Security

Public Key Infrastructure (PKI)-3.1

n/a

The IS Policy must provide for a IS framework with the following basic tenets: Public Key Infrastructure (PKI) - NBFCs may increase the usage of PKI to ensure confidentiality of data, access control, data integrity, authentication and nonrepudiation.

RMiT_v1.0

10.68

RMiT_v1.0_10.68

RMiT 10.68

Security of Digital Services

Security of Digital Services - 10.68

Shared

n/a

A financial institution must implement additional controls to authenticate devices and users, authorise transactions and support non-repudiation and accountability for high-risk transactions or transactions above RM10,000. These measures must include, at a minimum, the following: (a) ensure transactions are performed over secured channels such as the latest version of Transport Layer Security (TLS); (b) both client and host application systems must encrypt all confidential information prior to transmission over the network; (c) adopt MFA for transactions; (d) if OTP is used as a second factor, it must be dynamic and time-bound; (e) request users to verify details of the transaction prior to execution; (f) ensure secure user and session handling management; (g) be able to capture the location of origin and destination of each transaction; (h) implement strong mutual authentication between the users' end-point devices and financial institutions' servers, such as the use of the latest version of Extended Validation SSL certificate (EV SSL); and (i) provide timely notification to customers that is sufficiently descriptive of the nature of the transaction.

SWIFT_CSCF_v2021

2.1

SWIFT_CSCF_v2021_2.1

SWIFT CSCF v2021 2.1

Reduce Attack Surface and Vulnerabilities

Internal Data Flow Security

n/a

Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related applications.

SWIFT_CSCF_v2021

2.6

SWIFT_CSCF_v2021_2.6

SWIFT CSCF v2021 2.6

Reduce Attack Surface and Vulnerabilities

Operator Session Confidentiality and Integrity

n/a

Protect the confidentiality and integrity of interactive operator sessions connecting to the local or the remote (operated by a service provider) SWIFT-related infrastructure or applications.