Source | Azure Portal
Display name | Microsoft Managed Control 1706 - Security Alerts & Advisories
Id | f475ee0e-f560-4c9b-876b-04a77460a404
Version | 1.0.1
Versioning | Versions supported for Versioning: 0 Built-in Versioning [Preview]
Category | Regulatory Compliance
Description | Microsoft implements this System and Information Integrity control
Additional metadata |
Name/Id: ACF1706 / Microsoft Managed Control 1706
Category: System and Information Integrity
Title: Security Alerts, Advisories, And Directives - Directives Implementation And Noncompliance Notifications
Ownership: Customer, Microsoft
Description: The organization: Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.
Requirements: Azure conducts an analysis on the list of security directives provided by the C+AI Security team to confirm applicability to Azure assets. On completion of the analysis, the Azure service teams prepare the Final Monthly Patch List specifying the vulnerabilities that must be patched. Security remediations are implemented as follows:
* Remediation for High Risk vulnerabilities is implemented within thirty (30) days of the vulnerability mitigation being released by the vendor.
* Remediation for Medium Risk vulnerabilities is implemented within ninety (90) days of the vulnerability mitigation being released by the vendor.
* Low Risk vulnerabilities are risk-reviewed by Azure Security. Many Low Risk scan results are determined by Azure Security to pose no risk to Azure. In this case an exception is filed, and the result is not remediated. If the result is determined to pose any risk to Azure, remediation is implemented within one hundred and eighty (180) days.
Azure Security verifies degree of compliance using vulnerability scanners deployed in Azure.

Servers
On receipt of the list of updates from MSRC, the RDOS and IPAK teams conduct an analysis to determine the applicability of the patches for managed OS, with the intent that all patches, excepting those that are specifically not applicable to the code running on their servers, are applied. If the RDOS and IPAK teams decide not to apply a patch because it is not applicable to the base images used in the environment, they create a patch exception request ticket in DevOps. This request is then reviewed and approved by the Azure Security team. A justification for not selecting the patches, including the details of the non-applicable patches, is documented in DevOps. The patch is deemed applicable even if a process that could exploit the vulnerability is not running but is installed in the environment.

Network Devices
For network devices, hardware vendors make Azure Networking aware of security vulnerabilities in their products via email. Azure Networking logs the email into the ticketing system and performs analysis to evaluate possible risks and mitigations. Azure Networking has dedicated support engineers from the major hardware vendors, including, but not limited to, Cisco, Juniper, and F5, who assist with the analysis and determination of the course of action. The issue is tracked by Azure Networking to completion.
Mode | Indexed
Type | Static
Preview | False
Deprecated | False
Effect | Fixed audit
RBAC role(s) | none
Rule aliases | none
Rule resource types | IF (2): Microsoft.Resources/subscriptions, Microsoft.Resources/subscriptions/resourceGroups
Compliance | Not a Compliance control
Initiatives usage | none