Details of the SWIFT CSP-CSCF v2022 Regulatory Compliance built-in initiative

The following article details how the Azure Policy Regulatory Compliance built-in initiative definition maps to compliance domains and controls in SWIFT CSP-CSCF v2022. For more information about this compliance standard, see SWIFT CSP-CSCF v2022. To understand Ownership, see Azure Policy policy definition and Shared responsibility in the cloud.

The following mappings are to the SWIFT CSP-CSCF v2022 controls. Many of the controls are implemented with an Azure Policy initiative definition. To review the complete initiative definition, open Policy in the Azure portal and select the Definitions page. Then, find and select the SWIFT CSP-CSCF v2022 Regulatory Compliance built-in initiative definition.

Important

Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. To view the change history, see the GitHub Commit History.

1. Restrict Internet Access & Protect Critical Systems from General IT Environment

Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment.

ID: SWIFT CSCF v2022 1.1 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
[Preview]: All Internet traffic should be routed via your deployed Azure Firewall | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | AuditIfNotExists, Disabled | 3.0.0-preview
[Preview]: Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview
[Preview]: Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview
Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | AuditIfNotExists, Disabled | 3.0.0
Adaptive network hardening recommendations should be applied on internet facing virtual machines | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | AuditIfNotExists, Disabled | 3.0.0
All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0
Allowlist rules in your adaptive application control policy should be updated | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | AuditIfNotExists, Disabled | 3.0.0
App Service apps should use a virtual network service endpoint | Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aka.ms/appservice-vnet-service-endpoint. | AuditIfNotExists, Disabled | 2.0.1
Azure Key Vault should have firewall enabled | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Audit, Deny, Disabled | 3.2.1
Check for privacy and security compliance before establishing internal connections | CMA_0053 - Check for privacy and security compliance before establishing internal connections | Manual, Disabled | 1.1.0
Ensure external providers consistently meet interests of the customers | CMA_C1592 - Ensure external providers consistently meet interests of the customers | Manual, Disabled | 1.1.0
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0
Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0
IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | AuditIfNotExists, Disabled | 3.0.0
Key Vault should use a virtual network service endpoint | This policy audits any Key Vault not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0
Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0
Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0
Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Audit, Deny, Disabled | 1.1.1
Storage Accounts should use a virtual network service endpoint | This policy audits any Storage Account not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0
Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0
Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0
VM Image Builder templates should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet. | Audit, Disabled, Deny | 1.1.0

Restrict and control the allocation and usage of administrator-level operating system accounts.

ID: SWIFT CSCF v2022 1.2 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | AuditIfNotExists, Disabled | 3.0.0
Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0
Blocked accounts with owner permissions on Azure resources should be removed | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 1.0.0
Blocked accounts with read and write permissions on Azure resources should be removed | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 1.0.0
Define and enforce conditions for shared and group accounts | CMA_0117 - Define and enforce conditions for shared and group accounts | Manual, Disabled | 1.1.0
Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0
Develop and establish a system security plan | CMA_0151 - Develop and establish a system security plan | Manual, Disabled | 1.1.0
Develop information security policies and procedures | CMA_0158 - Develop information security policies and procedures | Manual, Disabled | 1.1.0
Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0
Establish a privacy program | CMA_0257 - Establish a privacy program | Manual, Disabled | 1.1.0
Establish security requirements for the manufacturing of connected devices | CMA_0279 - Establish security requirements for the manufacturing of connected devices | Manual, Disabled | 1.1.0
Guest accounts with owner permissions on Azure resources should be removed | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0
Guest accounts with read permissions on Azure resources should be removed | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0
Guest accounts with write permissions on Azure resources should be removed | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0
Implement security engineering principles of information systems | CMA_0325 - Implement security engineering principles of information systems | Manual, Disabled | 1.1.0
Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0
Monitor account activity | CMA_0377 - Monitor account activity | Manual, Disabled | 1.1.0
Monitor privileged role assignment | CMA_0378 - Monitor privileged role assignment | Manual, Disabled | 1.1.0
Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0
Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0
There should be more than one owner assigned to your subscription | It is recommended to designate more than one subscription owner in order to have administrator access redundancy. | AuditIfNotExists, Disabled | 3.0.0
Use privileged identity management | CMA_0533 - Use privileged identity management | Manual, Disabled | 1.1.0

ID: SWIFT CSCF v2022 1.3 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Audit VMs that do not use managed disks | This policy audits VMs that do not use managed disks | audit | 1.0.0
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0

Control/Protect Internet access from operator PCs and systems within the secure zone.

ID: SWIFT CSCF v2022 1.4 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
[Preview]: All Internet traffic should be routed via your deployed Azure Firewall | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | AuditIfNotExists, Disabled | 3.0.0-preview
Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0
Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0
Document and implement wireless access guidelines | CMA_0190 - Document and implement wireless access guidelines | Manual, Disabled | 1.1.0
Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0
Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0
Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0
Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0
Non-internet-facing virtual machines should be protected with network security groups | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0
Protect wireless access | CMA_0411 - Protect wireless access | Manual, Disabled | 1.1.0
Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0

Ensure the protection of the customer's connectivity infrastructure from external environment and potentially compromised elements of the general IT environment.

ID: SWIFT CSCF v2022 1.5A Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
[Preview]: All Internet traffic should be routed via your deployed Azure Firewall | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | AuditIfNotExists, Disabled | 3.0.0-preview
[Preview]: Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview
[Preview]: Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview
Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | AuditIfNotExists, Disabled | 3.0.0
Adaptive network hardening recommendations should be applied on internet facing virtual machines | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | AuditIfNotExists, Disabled | 3.0.0
All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0
App Service apps should use a virtual network service endpoint | Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aka.ms/appservice-vnet-service-endpoint. | AuditIfNotExists, Disabled | 2.0.1
Azure DDoS Protection should be enabled | DDoS protection should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | AuditIfNotExists, Disabled | 3.0.1
Azure Key Vault should have firewall enabled | Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security | Audit, Deny, Disabled | 3.2.1
Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0
Employ boundary protection to isolate information systems | CMA_C1639 - Employ boundary protection to isolate information systems | Manual, Disabled | 1.1.0
Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0
Employ restrictions on external system interconnections | CMA_C1155 - Employ restrictions on external system interconnections | Manual, Disabled | 1.1.0
Establish firewall and router configuration standards | CMA_0272 - Establish firewall and router configuration standards | Manual, Disabled | 1.1.0
Establish network segmentation for card holder data environment | CMA_0273 - Establish network segmentation for card holder data environment | Manual, Disabled | 1.1.0
Identify and manage downstream information exchanges | CMA_0298 - Identify and manage downstream information exchanges | Manual, Disabled | 1.1.0
Implement managed interface for each external service | CMA_C1626 - Implement managed interface for each external service | Manual, Disabled | 1.1.0
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0
Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | AuditIfNotExists, Disabled | 3.0.0
IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | AuditIfNotExists, Disabled | 3.0.0
Key Vault should use a virtual network service endpoint | This policy audits any Key Vault not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0
Network Watcher should be enabled | Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. | AuditIfNotExists, Disabled | 3.0.0
Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Audit, Deny, Disabled | 1.1.1
Storage Accounts should use a virtual network service endpoint | This policy audits any Storage Account not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0
Subnets should be associated with a Network Security Group | Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. | AuditIfNotExists, Disabled | 3.0.0
VM Image Builder templates should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet. | Audit, Disabled, Deny | 1.1.0

2. Reduce Attack Surface and Vulnerabilities

ID: SWIFT CSCF v2022 2.1 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Authentication to Linux machines should require SSH keys | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | AuditIfNotExists, Disabled | 3.2.0
Automation account variables should be encrypted | It is important to enable encryption of Automation account variable assets when storing sensitive data | Audit, Deny, Disabled | 1.1.0
Configure actions for noncompliant devices | CMA_0062 - Configure actions for noncompliant devices | Manual, Disabled | 1.1.0
Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0
Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0
Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0
Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0
Define organizational requirements for cryptographic key management | CMA_0123 - Define organizational requirements for cryptographic key management | Manual, Disabled | 1.1.0
Determine assertion requirements | CMA_0136 - Determine assertion requirements | Manual, Disabled | 1.1.0
Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0
Employ boundary protection to isolate information systems | CMA_C1639 - Employ boundary protection to isolate information systems | Manual, Disabled | 1.1.0
Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0
Enforce random unique session identifiers | CMA_0247 - Enforce random unique session identifiers | Manual, Disabled | 1.1.0
Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0
Establish a configuration control board | CMA_0254 - Establish a configuration control board | Manual, Disabled | 1.1.0
Establish a data leakage management procedure | CMA_0255 - Establish a data leakage management procedure | Manual, Disabled | 1.1.0
Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0
Establish backup policies and procedures | CMA_0268 - Establish backup policies and procedures | Manual, Disabled | 1.1.0
Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0
Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0
Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0
Information flow control using security policy filters | CMA_C1029 - Information flow control using security policy filters | Manual, Disabled | 1.1.0
Isolate SecurID systems, Security Incident Management systems | CMA_C1636 - Isolate SecurID systems, Security Incident Management systems | Manual, Disabled | 1.1.0
Issue public key certificates | CMA_0347 - Issue public key certificates | Manual, Disabled | 1.1.0
Maintain availability of information | CMA_C1644 - Maintain availability of information | Manual, Disabled | 1.1.0
Manage symmetric cryptographic keys | CMA_0367 - Manage symmetric cryptographic keys | Manual, Disabled | 1.1.0
Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Manual, Disabled | 1.1.0
Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0
Produce, control and distribute symmetric cryptographic keys | CMA_C1645 - Produce, control and distribute symmetric cryptographic keys | Manual, Disabled | 1.1.0
Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0
Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0
Protect special information | CMA_0409 - Protect special information | Manual, Disabled | 1.1.0
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0
Restrict access to private keys | CMA_0445 - Restrict access to private keys | Manual, Disabled | 1.1.0
Secure the interface to external systems | CMA_0491 - Secure the interface to external systems | Manual, Disabled | 1.1.0
Windows machines should be configured to use secure communication protocols | To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines. | AuditIfNotExists, Disabled | 4.1.1

Minimise the occurrence of known technical vulnerabilities on operator PCs and within the local SWIFT infrastructure by ensuring vendor support, applying mandatory software updates, and applying timely security updates aligned to the assessed risk.

ID: SWIFT CSCF v2022 2.2 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0
Audit Windows VMs with a pending reboot | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is pending reboot for any of the following reasons: component based servicing, Windows Update, pending file rename, pending computer rename, configuration manager pending reboot. Each detection has a unique registry path. | auditIfNotExists | 2.0.0
Correlate Vulnerability scan information | CMA_C1558 - Correlate Vulnerability scan information | Manual, Disabled | 1.1.1
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.2.0
Disseminate security alerts to personnel | CMA_C1705 - Disseminate security alerts to personnel | Manual, Disabled | 1.1.0
Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0
Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0
System updates on virtual machine scale sets should be installed | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | AuditIfNotExists, Disabled | 3.0.0
System updates should be installed on your machines | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 4.0.0
Use automated mechanisms for security alerts | CMA_C1707 - Use automated mechanisms for security alerts | Manual, Disabled | 1.1.0

ID: SWIFT CSCF v2022 2.3 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
| Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
| Audit Linux machines that do not have the passwd file permissions set to 0644 | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the passwd file permissions are not set to 0644. | AuditIfNotExists, Disabled | 3.1.0 |
| Audit Windows machines that contain certificates expiring within the specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if certificates in the specified store have an expiration date out of range for the number of days given as parameter. The policy also provides the option to only check for specific certificates or exclude specific certificates, and whether to report on expired certificates. | auditIfNotExists | 2.0.0 |
| Audit Windows machines that do not store passwords using reversible encryption | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines do not store passwords using reversible encryption. | AuditIfNotExists, Disabled | 2.0.0 |
| Automate proposed documented changes | CMA_C1191 - Automate proposed documented changes | Manual, Disabled | 1.1.0 |
| Conduct a security impact analysis | CMA_0057 - Conduct a security impact analysis | Manual, Disabled | 1.1.0 |
| Configure actions for noncompliant devices | CMA_0062 - Configure actions for noncompliant devices | Manual, Disabled | 1.1.0 |
| Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 3.1.0 |
| Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.2.0 |
| Develop and maintain a vulnerability management standard | CMA_0152 - Develop and maintain a vulnerability management standard | Manual, Disabled | 1.1.0 |
| Develop and maintain baseline configurations | CMA_0153 - Develop and maintain baseline configurations | Manual, Disabled | 1.1.0 |
| Enforce security configuration settings | CMA_0249 - Enforce security configuration settings | Manual, Disabled | 1.1.0 |
| Establish a configuration control board | CMA_0254 - Establish a configuration control board | Manual, Disabled | 1.1.0 |
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
| Establish and document a configuration management plan | CMA_0264 - Establish and document a configuration management plan | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Implement an automated configuration management tool | CMA_0311 - Implement an automated configuration management tool | Manual, Disabled | 1.1.0 |
| Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 3.0.0 |
| Perform a privacy impact assessment | CMA_0387 - Perform a privacy impact assessment | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| Retain previous versions of baseline configs | CMA_C1181 - Retain previous versions of baseline configs | Manual, Disabled | 1.1.0 |
| VM Image Builder templates should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet. | Audit, Disabled, Deny | 1.1.0 |

Ensure the confidentiality, integrity, and mutual authenticity of data flows between local or remote SWIFT infrastructure components and the back-office first hops they connect to.

ID: SWIFT CSCF v2022 2.4 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Conduct backup of information system documentation | CMA_C1289 - Conduct backup of information system documentation | Manual, Disabled | 1.1.0 |
| Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
| Establish backup policies and procedures | CMA_0268 - Establish backup policies and procedures | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Notify users of system logon or access | CMA_0382 - Notify users of system logon or access | Manual, Disabled | 1.1.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |

Back-office Data Flow Security

ID: SWIFT CSCF v2022 2.4A Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authentication to Linux machines should require SSH keys | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | AuditIfNotExists, Disabled | 3.2.0 |
| Automation account variables should be encrypted | It is important to enable encryption of Automation account variable assets when storing sensitive data. | Audit, Deny, Disabled | 1.1.0 |
| Windows machines should be configured to use secure communication protocols | To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines. | AuditIfNotExists, Disabled | 4.1.1 |

ID: SWIFT CSCF v2022 2.5 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Conduct backup of information system documentation | CMA_C1289 - Conduct backup of information system documentation | Manual, Disabled | 1.1.0 |
| Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
| Establish backup policies and procedures | CMA_0268 - Establish backup policies and procedures | Manual, Disabled | 1.1.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Manage the transportation of assets | CMA_0370 - Manage the transportation of assets | Manual, Disabled | 1.1.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |

External Transmission Data Protection

ID: SWIFT CSCF v2022 2.5A Ownership: Customer

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Audit virtual machines without disaster recovery configured | Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc. | auditIfNotExists | 1.0.0 |
| Audit VMs that do not use managed disks | This policy audits VMs that do not use managed disks. | audit | 1.0.0 |
| Automation account variables should be encrypted | It is important to enable encryption of Automation account variable assets when storing sensitive data. | Audit, Deny, Disabled | 1.1.0 |
| Azure Backup should be enabled for Virtual Machines | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | AuditIfNotExists, Disabled | 3.0.0 |
| Geo-redundant storage should be enabled for Storage Accounts | Use geo-redundancy to create highly available applications. | Audit, Disabled | 1.0.0 |
| Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking. | Audit, Deny, Disabled | 2.0.0 |
| Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison | AuditIfNotExists, Disabled | 2.0.3 |

ID: SWIFT CSCF v2022 2.6 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
| Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
| Authorize remote access | CMA_0024 - Authorize remote access | Manual, Disabled | 1.1.0 |
| Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
| Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.2.0 |
| Document and implement wireless access guidelines | CMA_0190 - Document and implement wireless access guidelines | Manual, Disabled | 1.1.0 |
| Document mobility training | CMA_0191 - Document mobility training | Manual, Disabled | 1.1.0 |
| Document remote access guidelines | CMA_0196 - Document remote access guidelines | Manual, Disabled | 1.1.0 |
| Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |
| Implement controls to secure alternate work sites | CMA_0315 - Implement controls to secure alternate work sites | Manual, Disabled | 1.1.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
| Protect wireless access | CMA_0411 - Protect wireless access | Manual, Disabled | 1.1.0 |
| Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
| Reauthenticate or terminate a user session | CMA_0421 - Reauthenticate or terminate a user session | Manual, Disabled | 1.1.0 |
| Windows machines should be configured to use secure communication protocols | To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines. | AuditIfNotExists, Disabled | 4.1.1 |
| Windows machines should meet requirements for 'Security Options - Interactive Logon' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Interactive Logon' for displaying last user name and requiring ctrl-alt-del. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | AuditIfNotExists, Disabled | 3.0.0 |

Identify known vulnerabilities within the local SWIFT environment by implementing a regular vulnerability scanning process and act upon results.

ID: SWIFT CSCF v2022 2.7 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | AuditIfNotExists, Disabled | 3.0.0 |
| Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | AuditIfNotExists, Disabled | 1.0.3 |
| Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
| Correlate Vulnerability scan information | CMA_C1558 - Correlate Vulnerability scan information | Manual, Disabled | 1.1.1 |
| Implement privileged access for executing vulnerability scanning activities | CMA_C1555 - Implement privileged access for executing vulnerability scanning activities | Manual, Disabled | 1.1.0 |
| Incorporate flaw remediation into configuration management | CMA_C1671 - Incorporate flaw remediation into configuration management | Manual, Disabled | 1.1.0 |
| Microsoft Defender for Storage should be enabled | Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. | AuditIfNotExists, Disabled | 1.0.0 |
| Observe and report security weaknesses | CMA_0384 - Observe and report security weaknesses | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Perform threat modeling | CMA_0392 - Perform threat modeling | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
| Vulnerabilities in container security configurations should be remediated | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | AuditIfNotExists, Disabled | 3.0.0 |
| Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations. | AuditIfNotExists, Disabled | 3.1.0 |
| Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | AuditIfNotExists, Disabled | 3.0.0 |

Ensure a consistent and effective approach for the customers' messaging monitoring.

ID: SWIFT CSCF v2022 2.8.5 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess risk in third party relationships | CMA_0014 - Assess risk in third party relationships | Manual, Disabled | 1.1.0 |
| Define and document government oversight | CMA_C1587 - Define and document government oversight | Manual, Disabled | 1.1.0 |
| Define requirements for supplying goods and services | CMA_0126 - Define requirements for supplying goods and services | Manual, Disabled | 1.1.0 |
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Establish policies for supply chain risk management | CMA_0275 - Establish policies for supply chain risk management | Manual, Disabled | 1.1.0 |
| Require external service providers to comply with security requirements | CMA_C1586 - Require external service providers to comply with security requirements | Manual, Disabled | 1.1.0 |
| Review cloud service provider's compliance with policies and agreements | CMA_0469 - Review cloud service provider's compliance with policies and agreements | Manual, Disabled | 1.1.0 |
| Undergo independent security review | CMA_0515 - Undergo independent security review | Manual, Disabled | 1.1.0 |

Ensure the protection of the local SWIFT infrastructure from risks exposed by the outsourcing of critical activities.

ID: SWIFT CSCF v2022 2.8A Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |

Ensure outbound transaction activity within the expected bounds of normal business.

ID: SWIFT CSCF v2022 2.9 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize, monitor, and control VoIP | CMA_0025 - Authorize, monitor, and control VoIP | Manual, Disabled | 1.1.0 |
| Control information flow | CMA_0079 - Control information flow | Manual, Disabled | 1.1.0 |
| Employ flow control mechanisms of encrypted information | CMA_0211 - Employ flow control mechanisms of encrypted information | Manual, Disabled | 1.1.0 |
| Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
| Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |

Restrict transaction activity to validated and approved business counterparties.

ID: SWIFT CSCF v2022 2.11A Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
| Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
| Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Reassign or remove user privileges as needed | CMA_C1040 - Reassign or remove user privileges as needed | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
| Review user privileges | CMA_C1039 - Review user privileges | Manual, Disabled | 1.1.0 |

3. Physically Secure the Environment

Prevent unauthorised physical access to sensitive equipment, workplace environments, hosting sites, and storage.

ID: SWIFT CSCF v2022 3.1 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Audit VMs that do not use managed disks | This policy audits VMs that do not use managed disks. | audit | 1.0.0 |
| Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
| Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
| Establish and maintain an asset inventory | CMA_0266 - Establish and maintain an asset inventory | Manual, Disabled | 1.1.0 |
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
| Install an alarm system | CMA_0338 - Install an alarm system | Manual, Disabled | 1.1.0 |
| Manage a secure surveillance camera system | CMA_0354 - Manage a secure surveillance camera system | Manual, Disabled | 1.1.0 |
| Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |

4. Prevent Compromise of Credentials

Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy.

ID: SWIFT CSCF v2022 4.1 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
| Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
| Audit Linux machines that allow remote connections from accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they allow remote connections from accounts without passwords. | AuditIfNotExists, Disabled | 3.1.0 |
| Audit Linux machines that have accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they have accounts without passwords. | AuditIfNotExists, Disabled | 3.1.0 |
| Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they allow re-use of passwords after the specified number of unique passwords. The default value for unique passwords is 24. | AuditIfNotExists, Disabled | 2.1.0 |
| Audit Windows machines that do not have the maximum password age set to specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not have the maximum password age set to the specified number of days. The default value for maximum password age is 70 days. | AuditIfNotExists, Disabled | 2.1.0 |
| Audit Windows machines that do not have the minimum password age set to specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not have the minimum password age set to the specified number of days. The default value for minimum password age is 1 day. | AuditIfNotExists, Disabled | 2.1.0 |
| Audit Windows machines that do not have the password complexity setting enabled | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not have the password complexity setting enabled. | AuditIfNotExists, Disabled | 2.0.0 |
| Audit Windows machines that do not restrict the minimum password length to specified number of characters | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not restrict the minimum password length to the specified number of characters. The default value for minimum password length is 14 characters. | AuditIfNotExists, Disabled | 2.1.0 |
| Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 3.1.0 |
| Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.2.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Establish a password policy | CMA_0256 - Establish a password policy | Manual, Disabled | 1.1.0 |
| Establish authenticator types and processes | CMA_0267 - Establish authenticator types and processes | Manual, Disabled | 1.1.0 |
| Implement parameters for memorized secret verifiers | CMA_0321 - Implement parameters for memorized secret verifiers | Manual, Disabled | 1.1.0 |
| Manage authenticator lifetime and reuse | CMA_0355 - Manage authenticator lifetime and reuse | Manual, Disabled | 1.1.0 |
| Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |

ID: SWIFT CSCF v2022 4.2 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Accounts with owner permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Accounts with read permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Accounts with write permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
| Adopt biometric authentication mechanisms | CMA_0005 - Adopt biometric authentication mechanisms | Manual, Disabled | 1.1.0 |
| Identify and authenticate network devices | CMA_0296 - Identify and authenticate network devices | Manual, Disabled | 1.1.0 |

5. Manage Identities and Segregate Privileges

Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts.

ID: SWIFT CSCF v2022 5.1 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
A maximum of 3 owners should be designated for your subscription It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. AuditIfNotExists, Disabled 3.0.0
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 4.1.0
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 4.1.0
Assign account managers CMA_0015 - Assign account managers Manual, Disabled 1.1.0
Audit user account status CMA_0020 - Audit user account status Manual, Disabled 1.1.0
Audit Windows machines that contain certificates expiring within the specified number of days Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if certificates in the specified store have an expiration date out of range for the number of days given as parameter. The policy also provides the option to only check for specific certificates or exclude specific certificates, and whether to report on expired certificates. auditIfNotExists 2.0.0
Automate account management CMA_0026 - Automate account management Manual, Disabled 1.1.0
Blocked accounts with owner permissions on Azure resources should be removed Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. AuditIfNotExists, Disabled 1.0.0
Blocked accounts with read and write permissions on Azure resources should be removed Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. AuditIfNotExists, Disabled 1.0.0
Define access authorizations to support separation of duties CMA_0116 - Define access authorizations to support separation of duties Manual, Disabled 1.1.0
Define information system account types CMA_0121 - Define information system account types Manual, Disabled 1.1.0
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. deployIfNotExists 1.2.0
Design an access control model CMA_0129 - Design an access control model Manual, Disabled 1.1.0
Disable authenticators upon termination CMA_0169 - Disable authenticators upon termination Manual, Disabled 1.1.0
Document access privileges CMA_0186 - Document access privileges Manual, Disabled 1.1.0
Document separation of duties CMA_0204 - Document separation of duties Manual, Disabled 1.1.0
Employ least privilege access CMA_0212 - Employ least privilege access Manual, Disabled 1.1.0
Establish conditions for role membership CMA_0269 - Establish conditions for role membership Manual, Disabled 1.1.0
Guest accounts with owner permissions on Azure resources should be removed External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 1.0.0
Guest accounts with read permissions on Azure resources should be removed External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 1.0.0
Guest accounts with write permissions on Azure resources should be removed External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 1.0.0
Manage system and admin accounts CMA_0368 - Manage system and admin accounts Manual, Disabled 1.1.0
Monitor access across the organization CMA_0376 - Monitor access across the organization Manual, Disabled 1.1.0
Monitor account activity CMA_0377 - Monitor account activity Manual, Disabled 1.1.0
Notify when account is not needed CMA_0383 - Notify when account is not needed Manual, Disabled 1.1.0
Protect audit information CMA_0401 - Protect audit information Manual, Disabled 1.1.0
Reassign or remove user privileges as needed CMA_C1040 - Reassign or remove user privileges as needed Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Restrict access to privileged accounts CMA_0446 - Restrict access to privileged accounts Manual, Disabled 1.1.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review user accounts CMA_0480 - Review user accounts Manual, Disabled 1.1.0
Review user privileges CMA_C1039 - Review user privileges Manual, Disabled 1.1.0
Revoke privileged roles as appropriate CMA_0483 - Revoke privileged roles as appropriate Manual, Disabled 1.1.0
Separate duties of individuals CMA_0492 - Separate duties of individuals Manual, Disabled 1.1.0
There should be more than one owner assigned to your subscription It is recommended to designate more than one subscription owner in order to have administrator access redundancy. AuditIfNotExists, Disabled 3.0.0

Ensure the proper management, tracking, and use of connected and disconnected hardware authentication or personal tokens (when tokens are used).

ID: SWIFT CSCF v2022 5.2 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Distribute authenticators CMA_0184 - Distribute authenticators Manual, Disabled 1.1.0
Establish authenticator types and processes CMA_0267 - Establish authenticator types and processes Manual, Disabled 1.1.0
Establish procedures for initial authenticator distribution CMA_0276 - Establish procedures for initial authenticator distribution Manual, Disabled 1.1.0
Management ports of virtual machines should be protected with just-in-time network access control Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations. AuditIfNotExists, Disabled 3.0.0
Verify identity before distributing authenticators CMA_0538 - Verify identity before distributing authenticators Manual, Disabled 1.1.0

To the extent permitted and practicable, ensure the trustworthiness of staff operating the local SWIFT environment by performing regular staff screening.

ID: SWIFT CSCF v2022 5.3A Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Clear personnel with access to classified information CMA_0054 - Clear personnel with access to classified information Manual, Disabled 1.1.0
Ensure access agreements are signed or resigned timely CMA_C1528 - Ensure access agreements are signed or resigned timely Manual, Disabled 1.1.0
Implement personnel screening CMA_0322 - Implement personnel screening Manual, Disabled 1.1.0
Protect special information CMA_0409 - Protect special information Manual, Disabled 1.1.0
Rescreen individuals at a defined frequency CMA_C1512 - Rescreen individuals at a defined frequency Manual, Disabled 1.1.0

Protect physically and logically the repository of recorded passwords.

ID: SWIFT CSCF v2022 5.4 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Audit Windows machines that do not store passwords using reversible encryption Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not store passwords using reversible encryption AuditIfNotExists, Disabled 2.0.0
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Establish a password policy CMA_0256 - Establish a password policy Manual, Disabled 1.1.0
Implement parameters for memorized secret verifiers CMA_0321 - Implement parameters for memorized secret verifiers Manual, Disabled 1.1.0
Key vaults should have deletion protection enabled Malicious deletion of a key vault can lead to permanent data loss. You can prevent permanent data loss by enabling purge protection and soft delete. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. Keep in mind that key vaults created after September 1st 2019 have soft-delete enabled by default. Audit, Deny, Disabled 2.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0

6. Detect Anomalous Activity to Systems or Transaction Records

Ensure that local SWIFT infrastructure is protected against malware and act upon results.

ID: SWIFT CSCF v2022 6.1 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Audit user account status CMA_0020 - Audit user account status Manual, Disabled 1.1.0
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Correlate audit records CMA_0087 - Correlate audit records Manual, Disabled 1.1.0
Correlate Vulnerability scan information CMA_C1558 - Correlate Vulnerability scan information Manual, Disabled 1.1.1
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0
Endpoint protection solution should be installed on virtual machine scale sets Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. AuditIfNotExists, Disabled 3.0.0
Establish requirements for audit review and reporting CMA_0277 - Establish requirements for audit review and reporting Manual, Disabled 1.1.0
Implement privileged access for executing vulnerability scanning activities CMA_C1555 - Implement privileged access for executing vulnerability scanning activities Manual, Disabled 1.1.0
Integrate audit review, analysis, and reporting CMA_0339 - Integrate audit review, analysis, and reporting Manual, Disabled 1.1.0
Integrate cloud app security with a siem CMA_0340 - Integrate cloud app security with a siem Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Microsoft Antimalware for Azure should be configured to automatically update protection signatures This policy audits any Windows virtual machine not configured with automatic update of Microsoft Antimalware protection signatures. AuditIfNotExists, Disabled 1.0.0
Microsoft IaaSAntimalware extension should be deployed on Windows servers This policy audits any Windows server VM without Microsoft IaaSAntimalware extension deployed. AuditIfNotExists, Disabled 1.1.0
Monitor missing Endpoint Protection in Azure Security Center Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations. AuditIfNotExists, Disabled 3.0.0
Observe and report security weaknesses CMA_0384 - Observe and report security weaknesses Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform threat modeling CMA_0392 - Perform threat modeling Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review administrator assignments weekly CMA_0461 - Review administrator assignments weekly Manual, Disabled 1.1.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0
Review cloud identity report overview CMA_0468 - Review cloud identity report overview Manual, Disabled 1.1.0
Review controlled folder access events CMA_0471 - Review controlled folder access events Manual, Disabled 1.1.0
Review exploit protection events CMA_0472 - Review exploit protection events Manual, Disabled 1.1.0
Review file and folder activity CMA_0473 - Review file and folder activity Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review role group changes weekly CMA_0476 - Review role group changes weekly Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0
Verify software, firmware and information integrity CMA_0542 - Verify software, firmware and information integrity Manual, Disabled 1.1.0

ID: SWIFT CSCF v2022 6.2 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Employ automatic shutdown/restart when violations are detected CMA_C1715 - Employ automatic shutdown/restart when violations are detected Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0
Verify software, firmware and information integrity CMA_0542 - Verify software, firmware and information integrity Manual, Disabled 1.1.0
View and configure system diagnostic data CMA_0544 - View and configure system diagnostic data Manual, Disabled 1.1.0

Ensure the integrity of the database records for the SWIFT messaging interface or the customer connector and act upon results.

ID: SWIFT CSCF v2022 6.3 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Verify software, firmware and information integrity CMA_0542 - Verify software, firmware and information integrity Manual, Disabled 1.1.0
View and configure system diagnostic data CMA_0544 - View and configure system diagnostic data Manual, Disabled 1.1.0

Record security events and detect anomalous actions and operations within the local SWIFT environment.

ID: SWIFT CSCF v2022 6.4 Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
[Preview]: Log Analytics Extension should be enabled for listed virtual machine images Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. AuditIfNotExists, Disabled 2.0.1-preview
[Preview]: Network traffic data collection agent should be installed on Linux virtual machines Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. AuditIfNotExists, Disabled 1.0.2-preview
[Preview]: Network traffic data collection agent should be installed on Windows virtual machines Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. AuditIfNotExists, Disabled 1.0.2-preview
Activity log should be retained for at least one year This policy audits the activity log if the retention is not set for 365 days or forever (retention days set to 0). AuditIfNotExists, Disabled 1.0.0
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 4.1.0
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 4.1.0
All flow log resources should be in enabled state Audit for flow log resources to verify if flow log status is enabled. Enabling flow logs allows logging information about IP traffic flows. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. Audit, Disabled 1.0.1
App Service apps should have resource logs enabled Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. AuditIfNotExists, Disabled 2.0.1
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Audit user account status CMA_0020 - Audit user account status Manual, Disabled 1.1.0
Audit virtual machines without disaster recovery configured Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc. auditIfNotExists 1.0.0
Auto provisioning of the Log Analytics agent should be enabled on your subscription To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. AuditIfNotExists, Disabled 1.0.1
Azure Backup should be enabled for Virtual Machines Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. AuditIfNotExists, Disabled 3.0.0
Azure Defender for App Service should be enabled Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. AuditIfNotExists, Disabled 1.0.3
Azure Defender for Key Vault should be enabled Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. AuditIfNotExists, Disabled 1.0.3
Azure Defender for servers should be enabled Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. AuditIfNotExists, Disabled 1.0.3
Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' This policy ensures that a log profile collects logs for categories 'write,' 'delete,' and 'action'. AuditIfNotExists, Disabled 1.0.0
Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption) To ensure secure data encryption is enabled at the service level and the infrastructure level with two different encryption algorithms and two different keys, use an Azure Monitor dedicated cluster. This option is enabled by default when supported in the region; see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview. audit, Audit, deny, Deny, disabled, Disabled 1.1.0
Azure Monitor Logs clusters should be encrypted with customer-managed key Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to your data; see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys. audit, Audit, deny, Deny, disabled, Disabled 1.1.0
Azure Monitor Logs for Application Insights should be linked to a Log Analytics workspace Link the Application Insights component to a Log Analytics workspace for logs encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over the access to your data in Azure Monitor. Linking your component to a Log Analytics workspace that's enabled with a customer-managed key, ensures that your Application Insights logs meet this compliance requirement, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys. audit, Audit, deny, Deny, disabled, Disabled 1.1.0
Azure Monitor should collect activity logs from all regions This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions including global. AuditIfNotExists, Disabled 2.0.0
Azure Monitor solution 'Security and Audit' must be deployed This policy ensures that Security and Audit is deployed. AuditIfNotExists, Disabled 1.0.0
Correlate audit records CMA_0087 - Correlate audit records Manual, Disabled 1.1.0
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. deployIfNotExists 1.2.0
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0
Establish requirements for audit review and reporting CMA_0277 - Establish requirements for audit review and reporting Manual, Disabled 1.1.0
Flow logs should be configured for every network security group Audit for network security groups to verify if flow logs are configured. Enabling flow logs allows logging information about IP traffic flowing through the network security group. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. Audit, Disabled 1.1.0
Integrate audit review, analysis, and reporting CMA_0339 - Integrate audit review, analysis, and reporting Manual, Disabled 1.1.0
Integrate cloud app security with a siem CMA_0340 - Integrate cloud app security with a siem Manual, Disabled 1.1.0
Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. AuditIfNotExists, Disabled 2.0.1
Microsoft Defender for Storage should be enabled Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. AuditIfNotExists, Disabled 1.0.0
Network Watcher flow logs should have traffic analytics enabled Traffic analytics analyzes flow logs to provide insights into traffic flow in your Azure cloud. It can be used to visualize network activity across your Azure subscriptions and identify hot spots, identify security threats, understand traffic flow patterns, pinpoint network misconfigurations and more. Audit, Disabled 1.0.1
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Provide real-time alerts for audit event failures CMA_C1114 - Provide real-time alerts for audit event failures Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
Resource logs in Batch accounts should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 5.0.0
Resource logs in Key Vault should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 5.0.0
Resource logs in Logic Apps should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 5.1.0
Resource logs in Search services should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 5.0.0
Resource logs in Service Bus should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. AuditIfNotExists, Disabled 5.0.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review administrator assignments weekly CMA_0461 - Review administrator assignments weekly Manual, Disabled 1.1.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0
Review cloud identity report overview CMA_0468 - Review cloud identity report overview Manual, Disabled 1.1.0
Review controlled folder access events CMA_0471 - Review controlled folder access events Manual, Disabled 1.1.0
Review exploit protection events CMA_0472 - Review exploit protection events Manual, Disabled 1.1.0
Review file and folder activity CMA_0473 - Review file and folder activity Manual, Disabled 1.1.0
Review role group changes weekly CMA_0476 - Review role group changes weekly Manual, Disabled 1.1.0
Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption Link storage account to Log Analytics workspace to protect saved-queries with storage account encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over the access to your saved-queries in Azure Monitor. For more details on the above, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys?tabs=portal#customer-managed-key-for-saved-queries. audit, Audit, deny, Deny, disabled, Disabled 1.1.0
Storage account containing the container with activity logs must be encrypted with BYOK This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here https://aka.ms/azurestoragebyok. AuditIfNotExists, Disabled 1.0.0
The Log Analytics extension should be installed on Virtual Machine Scale Sets This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics extension is not installed. AuditIfNotExists, Disabled 1.0.1
Virtual machines should have the Log Analytics extension installed This policy audits any Windows/Linux virtual machines if the Log Analytics extension is not installed. AuditIfNotExists, Disabled 1.0.1

Detect and contain anomalous network activity into and within the local or remote SWIFT environment.

ID: SWIFT CSCF v2022 6.5A Ownership: Shared

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
[Preview]: Network traffic data collection agent should be installed on Linux virtual machines Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. AuditIfNotExists, Disabled 1.0.2-preview
[Preview]: Network traffic data collection agent should be installed on Windows virtual machines Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. AuditIfNotExists, Disabled 1.0.2-preview
Adaptive network hardening recommendations should be applied on internet facing virtual machines Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface. AuditIfNotExists, Disabled 3.0.0
Alert personnel of information spillage CMA_0007 - Alert personnel of information spillage Manual, Disabled 1.1.0
Authorize, monitor, and control voip CMA_0025 - Authorize, monitor, and control voip Manual, Disabled 1.1.0
Azure Defender for App Service should be enabled Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. AuditIfNotExists, Disabled 1.0.3
Azure Defender for Key Vault should be enabled Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. AuditIfNotExists, Disabled 1.0.3
Azure Defender for servers should be enabled Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. AuditIfNotExists, Disabled 1.0.3
Detect network services that have not been authorized or approved CMA_C1700 - Detect network services that have not been authorized or approved Manual, Disabled 1.1.0
Develop an incident response plan CMA_0145 - Develop an incident response plan Manual, Disabled 1.1.0
Document security operations CMA_0202 - Document security operations Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Microsoft Defender for Storage should be enabled Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. AuditIfNotExists, Disabled 1.0.0
Network Watcher should be enabled Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. AuditIfNotExists, Disabled 3.0.0
Route traffic through managed network access points CMA_0484 - Route traffic through managed network access points Manual, Disabled 1.1.0
Set automated notifications for new and trending cloud applications in your organization CMA_0495 - Set automated notifications for new and trending cloud applications in your organization Manual, Disabled 1.1.0
Turn on sensors for endpoint security solution CMA_0514 - Turn on sensors for endpoint security solution Manual, Disabled 1.1.0

7. Plan for Incident Response and Information Sharing

Ensure a consistent and effective approach for the management of cyber incidents.

ID: SWIFT CSCF v2022 7.1 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Address information security issues | CMA_C1742 - Address information security issues | Manual, Disabled | 1.1.0 |
| Email notification for high severity alerts should be enabled | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
| Email notification to subscription owner for high severity alerts should be enabled | To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 2.0.0 |
| Identify classes of Incidents and Actions taken | CMA_C1365 - Identify classes of Incidents and Actions taken | Manual, Disabled | 1.1.0 |
| Incorporate simulated events into incident response training | CMA_C1356 - Incorporate simulated events into incident response training | Manual, Disabled | 1.1.0 |
| Provide information spillage training | CMA_0413 - Provide information spillage training | Manual, Disabled | 1.1.0 |
| Review and update incident response policies and procedures | CMA_C1352 - Review and update incident response policies and procedures | Manual, Disabled | 1.1.0 |
| Subscriptions should have a contact email address for security issues | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. | AuditIfNotExists, Disabled | 1.0.1 |

Ensure all staff are aware of and fulfil their security responsibilities by performing regular awareness activities, and maintain security knowledge of staff with privileged access.

ID: SWIFT CSCF v2022 7.2 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Document security and privacy training activities | CMA_0198 - Document security and privacy training activities | Manual, Disabled | 1.1.0 |
| Provide periodic role-based security training | CMA_C1095 - Provide periodic role-based security training | Manual, Disabled | 1.1.0 |
| Provide periodic security awareness training | CMA_C1091 - Provide periodic security awareness training | Manual, Disabled | 1.1.0 |
| Provide privacy training | CMA_0415 - Provide privacy training | Manual, Disabled | 1.1.0 |
| Provide role-based practical exercises | CMA_C1096 - Provide role-based practical exercises | Manual, Disabled | 1.1.0 |
| Provide role-based security training | CMA_C1094 - Provide role-based security training | Manual, Disabled | 1.1.0 |
| Provide role-based training on suspicious activities | CMA_C1097 - Provide role-based training on suspicious activities | Manual, Disabled | 1.1.0 |
| Provide security awareness training for insider threats | CMA_0417 - Provide security awareness training for insider threats | Manual, Disabled | 1.1.0 |
| Provide security training before providing access | CMA_0418 - Provide security training before providing access | Manual, Disabled | 1.1.0 |
| Provide security training for new users | CMA_0419 - Provide security training for new users | Manual, Disabled | 1.1.0 |
| Provide updated security awareness training | CMA_C1090 - Provide updated security awareness training | Manual, Disabled | 1.1.0 |

Validate the operational security configuration and identify security gaps by performing penetration testing.

ID: SWIFT CSCF v2022 7.3A Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Employ independent team for penetration testing | CMA_C1171 - Employ independent team for penetration testing | Manual, Disabled | 1.1.0 |
| Require developers to build security architecture | CMA_C1612 - Require developers to build security architecture | Manual, Disabled | 1.1.0 |

Evaluate the risk and readiness of the organisation based on plausible cyber-attack scenarios.

ID: SWIFT CSCF v2022 7.4A Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Conduct Risk Assessment | CMA_C1543 - Conduct Risk Assessment | Manual, Disabled | 1.1.0 |
| Conduct risk assessment and distribute its results | CMA_C1544 - Conduct risk assessment and distribute its results | Manual, Disabled | 1.1.0 |
| Conduct risk assessment and document its results | CMA_C1542 - Conduct risk assessment and document its results | Manual, Disabled | 1.1.0 |
| Establish a risk management strategy | CMA_0258 - Establish a risk management strategy | Manual, Disabled | 1.1.0 |
| Implement the risk management strategy | CMA_C1744 - Implement the risk management strategy | Manual, Disabled | 1.1.0 |
| Perform a risk assessment | CMA_0388 - Perform a risk assessment | Manual, Disabled | 1.1.0 |
| Review and update risk assessment policies and procedures | CMA_C1537 - Review and update risk assessment policies and procedures | Manual, Disabled | 1.1.0 |

8. Set and Monitor Performance

Ensure availability by formally setting and monitoring the objectives to be achieved.

ID: SWIFT CSCF v2022 8.1 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
| Develop contingency plan | CMA_C1244 - Develop contingency plan | Manual, Disabled | 1.1.0 |
| Obtain legal opinion for monitoring system activities | CMA_C1688 - Obtain legal opinion for monitoring system activities | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Plan for continuance of essential business functions | CMA_C1255 - Plan for continuance of essential business functions | Manual, Disabled | 1.1.0 |
| Plan for resumption of essential business functions | CMA_C1253 - Plan for resumption of essential business functions | Manual, Disabled | 1.1.0 |
| Provide monitoring information as needed | CMA_C1689 - Provide monitoring information as needed | Manual, Disabled | 1.1.0 |
| Resume all mission and business functions | CMA_C1254 - Resume all mission and business functions | Manual, Disabled | 1.1.0 |

Ensure availability, capacity, and quality of services to customers.

ID: SWIFT CSCF v2022 8.4 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Conduct capacity planning | CMA_C1252 - Conduct capacity planning | Manual, Disabled | 1.1.0 |
| Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
| Create alternative actions for identified anomalies | CMA_C1711 - Create alternative actions for identified anomalies | Manual, Disabled | 1.1.0 |
| Develop contingency plan | CMA_C1244 - Develop contingency plan | Manual, Disabled | 1.1.0 |
| Notify personnel of any failed security verification tests | CMA_C1710 - Notify personnel of any failed security verification tests | Manual, Disabled | 1.1.0 |
| Perform security function verification at a defined frequency | CMA_C1709 - Perform security function verification at a defined frequency | Manual, Disabled | 1.1.0 |
| Plan for continuance of essential business functions | CMA_C1255 - Plan for continuance of essential business functions | Manual, Disabled | 1.1.0 |

Ensure early availability of SWIFTNet releases and of the FIN standards for proper testing by the customer before going live.

ID: SWIFT CSCF v2022 8.5 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Address coding vulnerabilities | CMA_0003 - Address coding vulnerabilities | Manual, Disabled | 1.1.0 |
| Develop and document application security requirements | CMA_0148 - Develop and document application security requirements | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Establish a secure software development program | CMA_0259 - Establish a secure software development program | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Remediate information system flaws | CMA_0427 - Remediate information system flaws | Manual, Disabled | 1.1.0 |
| Require developers to document approved changes and potential impact | CMA_C1597 - Require developers to document approved changes and potential impact | Manual, Disabled | 1.1.0 |
| Require developers to implement only approved changes | CMA_C1596 - Require developers to implement only approved changes | Manual, Disabled | 1.1.0 |
| Require developers to manage change integrity | CMA_C1595 - Require developers to manage change integrity | Manual, Disabled | 1.1.0 |
| Require developers to produce evidence of security assessment plan execution | CMA_C1602 - Require developers to produce evidence of security assessment plan execution | Manual, Disabled | 1.1.0 |
| Verify software, firmware and information integrity | CMA_0542 - Verify software, firmware and information integrity | Manual, Disabled | 1.1.0 |

9. Ensure Availability through Resilience

Providers must ensure that the service remains available for customers in the event of a local disturbance or malfunction.

ID: SWIFT CSCF v2022 9.1 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Conduct incident response testing | CMA_0060 - Conduct incident response testing | Manual, Disabled | 1.1.0 |
| Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
| Develop contingency plan | CMA_C1244 - Develop contingency plan | Manual, Disabled | 1.1.0 |
| Develop contingency planning policies and procedures | CMA_0156 - Develop contingency planning policies and procedures | Manual, Disabled | 1.1.0 |
| Distribute policies and procedures | CMA_0185 - Distribute policies and procedures | Manual, Disabled | 1.1.0 |
| Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
| Provide contingency training | CMA_0412 - Provide contingency training | Manual, Disabled | 1.1.0 |
| Run simulation attacks | CMA_0486 - Run simulation attacks | Manual, Disabled | 1.1.0 |

Providers must ensure that the service remains available for customers in the event of a site disaster.

ID: SWIFT CSCF v2022 9.2 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Conduct backup of information system documentation | CMA_C1289 - Conduct backup of information system documentation | Manual, Disabled | 1.1.0 |
| Create separate alternate and primary storage sites | CMA_C1269 - Create separate alternate and primary storage sites | Manual, Disabled | 1.1.0 |
| Ensure alternate storage site safeguards are equivalent to primary site | CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site | Manual, Disabled | 1.1.0 |
| Establish alternate storage site that facilitates recovery operations | CMA_C1270 - Establish alternate storage site that facilitates recovery operations | Manual, Disabled | 1.1.0 |
| Establish alternate storage site to store and retrieve backup information | CMA_C1267 - Establish alternate storage site to store and retrieve backup information | Manual, Disabled | 1.1.0 |
| Establish an alternate processing site | CMA_0262 - Establish an alternate processing site | Manual, Disabled | 1.1.0 |
| Establish requirements for internet service providers | CMA_0278 - Establish requirements for internet service providers | Manual, Disabled | 1.1.0 |
| Identify and mitigate potential issues at alternate storage site | CMA_C1271 - Identify and mitigate potential issues at alternate storage site | Manual, Disabled | 1.1.0 |
| Prepare alternate processing site for use as operational site | CMA_C1278 - Prepare alternate processing site for use as operational site | Manual, Disabled | 1.1.0 |
| Recover and reconstitute resources after any disruption | CMA_C1295 - Recover and reconstitute resources after any disruption | Manual, Disabled | 1.1.1 |
| Restore resources to operational state | CMA_C1297 - Restore resources to operational state | Manual, Disabled | 1.1.1 |
| Separately store backup information | CMA_C1293 - Separately store backup information | Manual, Disabled | 1.1.0 |
| Transfer backup information to an alternate storage site | CMA_C1294 - Transfer backup information to an alternate storage site | Manual, Disabled | 1.1.0 |

Service bureaux must ensure that the service remains available for their customers in the event of a disturbance, a hazard, or an incident.

ID: SWIFT CSCF v2022 9.3 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop and document a business continuity and disaster recovery plan | CMA_0146 - Develop and document a business continuity and disaster recovery plan | Manual, Disabled | 1.1.0 |
| Develop contingency plan | CMA_C1244 - Develop contingency plan | Manual, Disabled | 1.1.0 |
| Employ automatic emergency lighting | CMA_0209 - Employ automatic emergency lighting | Manual, Disabled | 1.1.0 |
| Implement a penetration testing methodology | CMA_0306 - Implement a penetration testing methodology | Manual, Disabled | 1.1.0 |
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
| Review and update physical and environmental policies and procedures | CMA_C1446 - Review and update physical and environmental policies and procedures | Manual, Disabled | 1.1.0 |
| Run simulation attacks | CMA_0486 - Run simulation attacks | Manual, Disabled | 1.1.0 |

ID: SWIFT CSCF v2022 9.4 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize, monitor, and control voip | CMA_0025 - Authorize, monitor, and control voip | Manual, Disabled | 1.1.0 |
| Conduct capacity planning | CMA_C1252 - Conduct capacity planning | Manual, Disabled | 1.1.0 |
| Implement system boundary protection | CMA_0328 - Implement system boundary protection | Manual, Disabled | 1.1.0 |
| Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
| Route traffic through managed network access points | CMA_0484 - Route traffic through managed network access points | Manual, Disabled | 1.1.0 |

10. Be Ready in case of Major Disaster

Business continuity is ensured through a documented plan communicated to the potentially affected parties (service bureau and customers).

ID: SWIFT CSCF v2022 10.1 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Coordinate contingency plans with related plans | CMA_0086 - Coordinate contingency plans with related plans | Manual, Disabled | 1.1.0 |
| Develop contingency plan | CMA_C1244 - Develop contingency plan | Manual, Disabled | 1.1.0 |
| Plan for continuance of essential business functions | CMA_C1255 - Plan for continuance of essential business functions | Manual, Disabled | 1.1.0 |
| Plan for resumption of essential business functions | CMA_C1253 - Plan for resumption of essential business functions | Manual, Disabled | 1.1.0 |
| Resume all mission and business functions | CMA_C1254 - Resume all mission and business functions | Manual, Disabled | 1.1.0 |

11. Monitor in case of Major Disaster

Ensure a consistent and effective approach for the event monitoring and escalation.

ID: SWIFT CSCF v2022 11.1 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |
| Obtain legal opinion for monitoring system activities | CMA_C1688 - Obtain legal opinion for monitoring system activities | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Provide monitoring information as needed | CMA_C1689 - Provide monitoring information as needed | Manual, Disabled | 1.1.0 |
| Turn on sensors for endpoint security solution | CMA_0514 - Turn on sensors for endpoint security solution | Manual, Disabled | 1.1.0 |

Ensure a consistent and effective approach for the management of incidents (Problem Management).

ID: SWIFT CSCF v2022 11.2 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Assess information security events | CMA_0013 - Assess information security events | Manual, Disabled | 1.1.0 |
| Conduct incident response testing | CMA_0060 - Conduct incident response testing | Manual, Disabled | 1.1.0 |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Develop security safeguards | CMA_0161 - Develop security safeguards | Manual, Disabled | 1.1.0 |
| Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |
| Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
| Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Manual, Disabled | 1.1.0 |
| Establish an information security program | CMA_0263 - Establish an information security program | Manual, Disabled | 1.1.0 |
| Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Manual, Disabled | 1.1.0 |
| Identify classes of Incidents and Actions taken | CMA_C1365 - Identify classes of Incidents and Actions taken | Manual, Disabled | 1.1.0 |
| Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
| Incorporate simulated events into incident response training | CMA_C1356 - Incorporate simulated events into incident response training | Manual, Disabled | 1.1.0 |
| Maintain data breach records | CMA_0351 - Maintain data breach records | Manual, Disabled | 1.1.0 |
| Maintain incident response plan | CMA_0352 - Maintain incident response plan | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Protect incident response plan | CMA_0405 - Protect incident response plan | Manual, Disabled | 1.1.0 |
| Provide information spillage training | CMA_0413 - Provide information spillage training | Manual, Disabled | 1.1.0 |
| Review and update incident response policies and procedures | CMA_C1352 - Review and update incident response policies and procedures | Manual, Disabled | 1.1.0 |
| Run simulation attacks | CMA_0486 - Run simulation attacks | Manual, Disabled | 1.1.0 |
| View and investigate restricted users | CMA_0545 - View and investigate restricted users | Manual, Disabled | 1.1.0 |

Ensure an adequate escalation of operational malfunctions in case of customer impact.

ID: SWIFT CSCF v2022 11.4 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Automate process to document implemented changes | CMA_C1195 - Automate process to document implemented changes | Manual, Disabled | 1.1.0 |
| Automate process to highlight unreviewed change proposals | CMA_C1193 - Automate process to highlight unreviewed change proposals | Manual, Disabled | 1.1.0 |
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |
| Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
| Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Manual, Disabled | 1.1.0 |
| Establish and document change control processes | CMA_0265 - Establish and document change control processes | Manual, Disabled | 1.1.0 |
| Establish configuration management requirements for developers | CMA_0270 - Establish configuration management requirements for developers | Manual, Disabled | 1.1.0 |
| Establish relationship between incident response capability and external providers | CMA_C1376 - Establish relationship between incident response capability and external providers | Manual, Disabled | 1.1.0 |
| Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Manual, Disabled | 1.1.0 |
| Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Perform audit for configuration change control | CMA_0390 - Perform audit for configuration change control | Manual, Disabled | 1.1.0 |
| View and investigate restricted users | CMA_0545 - View and investigate restricted users | Manual, Disabled | 1.1.0 |

Effective support is offered to customers in case they face problems during their business hours.

ID: SWIFT CSCF v2022 11.5 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Develop an incident response plan | CMA_0145 - Develop an incident response plan | Manual, Disabled | 1.1.0 |
| Document security operations | CMA_0202 - Document security operations | Manual, Disabled | 1.1.0 |
| Enable network protection | CMA_0238 - Enable network protection | Manual, Disabled | 1.1.0 |
| Eradicate contaminated information | CMA_0253 - Eradicate contaminated information | Manual, Disabled | 1.1.0 |
| Establish relationship between incident response capability and external providers | CMA_C1376 - Establish relationship between incident response capability and external providers | Manual, Disabled | 1.1.0 |
| Execute actions in response to information spills | CMA_0281 - Execute actions in response to information spills | Manual, Disabled | 1.1.0 |
| Identify incident response personnel | CMA_0301 - Identify incident response personnel | Manual, Disabled | 1.1.0 |
| Implement incident handling | CMA_0318 - Implement incident handling | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| View and investigate restricted users | CMA_0545 - View and investigate restricted users | Manual, Disabled | 1.1.0 |

12. Ensure Knowledge is Available

Ensure quality of service to customers through SWIFT certified employees.

ID: SWIFT CSCF v2022 12.1 Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Provide periodic role-based security training | CMA_C1095 - Provide periodic role-based security training | Manual, Disabled | 1.1.0 |
| Provide role-based security training | CMA_C1094 - Provide role-based security training | Manual, Disabled | 1.1.0 |
| Provide security training before providing access | CMA_0418 - Provide security training before providing access | Manual, Disabled | 1.1.0 |

Next steps

Additional articles about Azure Policy: