| Policy ID | Policy category | Risk ID | Policy statement | Purpose | Scope | Remediation | Monitoring |
|---|---|---|---|---|---|---|---|
| RC01 | Regulatory compliance | R01 | Microsoft Purview must be used to monitor sensitive data. | Regulatory compliance | Workload teams, platform team | Immediate action by affected team, compliance training | Microsoft Purview |
| RC02 | Regulatory compliance | R01 | Daily sensitive data compliance reports must be generated from Microsoft Purview. | Regulatory compliance | Workload teams, platform team | Resolution within one day, confirmation audit | Microsoft Purview |
| SC01 | Security | R02 | Multifactor authentication (MFA) must be enabled for all users. | Mitigate data breaches and unauthorized access | Azure users | Revoke user access | Microsoft Entra ID Conditional Access |
| SC02 | Security | R02 | Access reviews must be conducted monthly in Microsoft Entra ID Governance. | Ensure data and service integrity | Azure users | Immediate access revocation for noncompliance | ID Governance |
| SC03 | Security | R03 | Teams must use the specified GitHub organization for secure hosting of all software and infrastructure code. | Ensure secure and centralized management of code repositories | Development teams | Transfer of unauthorized repositories to the specified GitHub organization and potential disciplinary actions for noncompliance | GitHub audit log |
| SC04 | Security | R03 | Teams that use libraries from public sources must adopt the quarantine pattern. | Ensure libraries are safe and compliant before integration into the development process | Development teams | Removal of noncompliant libraries and review of integration practices for affected projects | Manual audit (monthly) |
| CM01 | Cost management | R04 | Workload teams must set budget alerts at the resource group level. | Prevent overspending | Workload teams, platform team | Immediate reviews, adjustments for alerts | Microsoft Cost Management |
| CM02 | Cost management | R04 | Azure Advisor cost recommendations must be reviewed. | Optimize cloud usage | Workload teams, platform team | Mandatory optimization audits after 60 days | Advisor |
| OP01 | Operations | R05 | Production workloads should have an active-passive architecture across regions. | Ensure service continuity | Workload teams | Architecture evaluations, biannual reviews | Manual audit (per production release) |
| OP02 | Operations | R05 | All mission-critical workloads must implement a cross-region active-active architecture. | Ensure service continuity | Mission-critical workload teams | Updates within 90 days, progress reviews | Manual audit (per production release) |
| DG01 | Data | R06 | Encryption in transit and at rest must be applied to all sensitive data. | Protect sensitive data | Workload teams | Immediate encryption enforcement and security training | Azure Policy |
| DG02 | Data | R06 | Data lifecycle policies must be enabled in Microsoft Purview for all sensitive data. | Manage the data lifecycle | Workload teams | Implementation within 60 days, quarterly audits | Microsoft Purview |
| RM01 | Resource management | R07 | Bicep must be used to deploy resources. | Standardize resource provisioning | Workload teams, platform team | Immediate Bicep transition plan | Continuous integration and continuous delivery (CI/CD) pipeline |
| RM02 | Resource management | R07 | Tags must be enforced on all cloud resources using Azure Policy. | Facilitate resource tracking | All cloud resources | Correct tagging within 30 days | Azure Policy |
| AI01 | AI | R08 | AI content filtering configuration must be set to medium or higher. | Mitigate AI harmful outputs | Workload teams | Immediate corrective measures | Azure OpenAI Service |
| AI02 | AI | R08 | Customer-facing AI systems must be red-teamed monthly. | Identify AI biases | AI model teams | Immediate review, corrective actions for misses | Manual audit (monthly) |