Compliance Flashcards
Compliance programme: CJIS
Criminal Justice Information Services - those accessing criminal justice databases must adhere to the CJIS security policy.
Compliance programme: CSA
Cloud Security Alliance - third-party assessment of a cloud provider's security posture
Compliance programme: GDPR
European privacy law applying to anyone offering goods in Europe or handling data about EU residents.
Compliance programme: HIPAA***
Health Insurance Portability and Accountability Act - US federal law regulating patient Protected Health Information
Compliance programme: MTCS Singapore
Singapore common standard addressing customer concerns regarding confidentiality in the cloud
Compliance programme: NIST
National Institute of Standards and Technology
Note: National, therefore US only.
Voluntary framework consisting of guidelines, best practices, and standards to manage cyber security.
Compliance programme: UK Government G Cloud
Cloud computing certification for services used by UK Government entities.
Compliance programme: FIPS 140-2
US and Canadian government standard specifying security requirements for cryptographic modules that protect sensitive info
Azure Trust Center
Public web portal with easy access to privacy, security and compliance info
Can see info on GDPR and others.
Azure Policy
Service to create, assign and manage policies
Policies are rules. The service compares business rules to resources, e.g. limit the size of VMs that can be created.
Rules are described in JSON and are known as policy definitions.
Creating Azure Policy (3 steps)
Definition - what is the policy (rule)
Scope - what resources/level does it apply to (can be applied at different levels, from resource group (RG) down to individual resource; the policy is inherited by resources within the scope).
Evaluation results - see which resources are out of policy
Management Groups
Containers for managing subscriptions (accounts)
Good for applying policies to several subscriptions.
Any Azure AD user can create one. Can have up to 10,000 in an organisation.
New subscriptions automatically added to Root group.
Azure Blueprints
Group related resources, deploy repeatedly and maintain compliance. Think of plans and structure.
- Create a draft
- Publish version
- Assign to the environment
To help you with auditing, traceability, and compliance of your deployments.
Just as a blueprint allows an engineer or an architect to sketch a project’s design parameters, Azure Blueprints enables cloud architects and central information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization’s standards, patterns, and requirements.
Blueprints are a declarative way to orchestrate the deployment of various resource templates
When they are updated, you must manually update the assignment for it to take effect.
Assigned versions remain in place when the blueprint is deleted.
Blueprints must be unassigned before deletion.
Compliance Manager
Enables you to assign, track, and record compliance and assessment-related activities, which can help your organization achieve your compliance goals.
Provides a Compliance Score to help you track your progress. See which products are in scope, and what controls they have versus a given policy, e.g. GDPR. Tests and controls are tracked for both Microsoft's side and our (the customer's) side.
Provides a secure repository in which to upload and manage evidence regarding compliance.
Initiatives
An Azure initiative is a collection of Azure policy definitions grouped together toward a specific goal or purpose.
Can be assigned to multiple scopes
Can only group policies within the same subscription