The most up-to-date Azure Security Benchmark is available here.
Governance and Strategy provides guidance for ensuring a coherent security strategy and documented governance approach to guide and sustain security assurance, including establishing roles and responsibilities for the different cloud security functions, unified technical strategy, and supporting policies and standards.
GS-1: Define asset management and data protection strategy
Azure ID: GS-1
CIS Controls v7.1 ID(s): 2, 13
NIST SP 800-53 r4 ID(s): SC, AC
Ensure you document and communicate a clear strategy for continuous monitoring and protection of systems and data. Prioritize discovery, assessment, protection, and monitoring of business-critical data and systems.
This strategy should include documented guidance, policy, and standards for the following elements:
Data classification standard in accordance with the business risks
Security organization visibility into risks and asset inventory
Security organization approval of Azure services for use
Security of assets through their lifecycle
Required access control strategy in accordance with organizational data classification
Use of Azure native and third-party data protection capabilities
Data encryption requirements for in-transit and at-rest use cases
Appropriate cryptographic standards
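In Azure, the documented standards above are typically enforced with Azure Policy. The definition below is an added example, not part of the benchmark or of any Microsoft built-in policy: it implements the in-transit encryption item by denying (or, via the effect parameter, auditing) storage accounts that do not require HTTPS-only transfer. The display name, description, and parameter default are assumptions chosen for this example; the resource type and the supportsHttpsTrafficOnly alias are standard Azure Policy fields.

```json
{
  "properties": {
    "displayName": "Storage accounts must require secure (HTTPS) transfer",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Example enforcement of the GS-1 in-transit encryption requirement (added illustration, not a benchmark artifact).",
    "parameters": {
      "effect": {
        "type": "String",
        "allowedValues": ["Audit", "Deny", "Disabled"],
        "defaultValue": "Deny",
        "metadata": {
          "displayName": "Effect",
          "description": "Use Audit first to measure exposure, then switch to Deny once exceptions are documented."
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                "exists": "false"
              },
              {
                "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                "equals": "false"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Assign the definition at the management group level so it applies to every subscription the strategy covers, and start with the Audit effect to obtain an inventory of non-compliant accounts before enforcing Deny. The same shape, with a condition on the type field and a notIn list of approved resource types, implements the "security organization approval of Azure services for use" item.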
GS-2: Define enterprise segmentation strategy
Establish an enterprise-wide strategy for segmenting access to assets using a combination of identity, network, application, subscription, management group, and other controls.
Carefully balance the need for security separation with the need to enable daily operation of the systems that must communicate with each other and access data.
Ensure that the segmentation strategy is implemented consistently across control types, including network security, identity and access models, application permission/access models, and human process controls.
GS-3: Define security posture management strategy
Continuously measure and mitigate risks to your individual assets and the environment they are hosted in. Prioritize high-value assets and highly exposed attack surfaces, such as published applications, network ingress and egress points, and user and administrator endpoints.
GS-4: Align organization roles, responsibilities, and accountabilities
Azure ID: GS-4
CIS Controls v7.1 ID(s): N/A
NIST SP 800-53 r4 ID(s): PL, PM
Ensure that you document and communicate a clear strategy for roles and responsibilities in your security organization. Prioritize providing clear accountability for security decisions, educating everyone on the shared responsibility model, and educating technical teams on the technology used to secure the cloud.
GS-7: Define logging and threat response strategy
Establish a logging and threat response strategy to rapidly detect and remediate threats while meeting compliance requirements. Prioritize providing analysts with high-quality alerts and seamless experiences so that they can focus on threats rather than on integration and manual steps.
This strategy should include documented guidance, policy, and standards for the following elements:
The security operations (SecOps) organization's role and responsibilities
A well-defined incident response process aligning with NIST or another industry framework
Log capture and retention to support threat detection, incident response, and compliance needs
Centralized visibility of, and correlation of information about, threats, using SIEM, native Azure capabilities, and other sources
Communication and notification plan with your customers, suppliers, and public parties of interest
Use of Azure native and third-party platforms for incident handling, such as logging and threat detection, forensics, and attack remediation and eradication
Processes for handling incidents and post-incident activities, such as lessons learned and evidence retention
This module focuses on enabling administrators to effectively plan, implement, and manage security governance in Azure, ensuring compliance with organizational policies and best practices.
Demonstrate the skills needed to implement security controls, maintain an organization’s security posture, and identify and remediate security vulnerabilities.