Security Control V2: Governance and Strategy

Note

The most up-to-date Azure Security Benchmark is available here.

Governance and Strategy provides guidance for ensuring a coherent security strategy and documented governance approach to guide and sustain security assurance, including establishing roles and responsibilities for the different cloud security functions, unified technical strategy, and supporting policies and standards.

GS-1: Define asset management and data protection strategy

Azure ID    CIS Controls v7.1 ID(s)    NIST SP 800-53 r4 ID(s)
GS-1        2, 13                      SC, AC

Ensure you document and communicate a clear strategy for continuous monitoring and protection of systems and data. Prioritize discovery, assessment, protection, and monitoring of business-critical data and systems.

This strategy should include documented guidance, policy, and standards for the following elements:

  • Data classification standard in accordance with the business risks

  • Security organization visibility into risks and asset inventory

  • Security organization approval of Azure services for use

  • Security of assets through their lifecycle

  • Required access control strategy in accordance with organizational data classification

  • Use of Azure native and third-party data protection capabilities

  • Data encryption requirements for in-transit and at-rest use cases

  • Appropriate cryptographic standards

Responsibility: Customer

GS-2: Define enterprise segmentation strategy

Azure ID    CIS Controls v7.1 ID(s)    NIST SP 800-53 r4 ID(s)
GS-2        4, 9, 16                   AC, CA, SC

Establish an enterprise-wide strategy for segmenting access to assets using a combination of identity, network, application, subscription, management group, and other controls.

Carefully balance the need for security separation with the need to enable daily operation of the systems that need to communicate with each other and access data.

Ensure that the segmentation strategy is implemented consistently across control types, including network security, identity and access models, application permission/access models, and human process controls.

Responsibility: Customer

GS-3: Define security posture management strategy

Azure ID    CIS Controls v7.1 ID(s)    NIST SP 800-53 r4 ID(s)
GS-3        20, 3, 5                   RA, CM, SC

Continuously measure and mitigate risks to your individual assets and the environment they are hosted in. Prioritize high-value assets and highly exposed attack surfaces, such as published applications, network ingress and egress points, and user and administrator endpoints.

Responsibility: Customer

GS-4: Align organization roles, responsibilities, and accountabilities

Azure ID    CIS Controls v7.1 ID(s)    NIST SP 800-53 r4 ID(s)
GS-4        N/A                        PL, PM

Ensure that you document and communicate a clear strategy for roles and responsibilities in your security organization. Prioritize providing clear accountability for security decisions, educating everyone on the shared responsibility model, and educating technical teams on the technology used to secure the cloud.

Responsibility: Customer

GS-5: Define network security strategy

Azure ID    CIS Controls v7.1 ID(s)    NIST SP 800-53 r4 ID(s)
GS-5        9                          CA, SC

Establish an Azure network security approach as part of your organization's overall security access control strategy.

This strategy should include documented guidance, policy, and standards for the following elements:

  • Centralized network management and security responsibility

  • Virtual network segmentation model aligned with the enterprise segmentation strategy

  • Remediation strategy in different threat and attack scenarios

  • Internet edge and ingress and egress strategy

  • Hybrid cloud and on-premises interconnectivity strategy

  • Up-to-date network security artifacts (such as network diagrams, reference network architecture)

Responsibility: Customer

GS-6: Define identity and privileged access strategy

Azure ID    CIS Controls v7.1 ID(s)    NIST SP 800-53 r4 ID(s)
GS-6        16, 4                      AC, AU, SC

Establish an Azure identity and privileged access approach as part of your organization's overall security access control strategy.

This strategy should include documented guidance, policy, and standards for the following elements:

  • A centralized identity and authentication system and its interconnectivity with other internal and external identity systems

  • Strong authentication methods in different use cases and conditions

  • Protection of highly privileged users

  • Monitoring and handling of anomalous user activity

  • User identity and access review and reconciliation process

Responsibility: Customer

GS-7: Define logging and threat response strategy

Azure ID    CIS Controls v7.1 ID(s)    NIST SP 800-53 r4 ID(s)
GS-7        19                         IR, AU, RA, SC

Establish a logging and threat response strategy to rapidly detect and remediate threats while meeting compliance requirements. Prioritize providing analysts with high-quality alerts and seamless experiences so that they can focus on threats rather than on integration and manual steps.

This strategy should include documented guidance, policy, and standards for the following elements:

  • The security operations (SecOps) organization's role and responsibilities

  • A well-defined incident response process aligning with NIST or another industry framework

  • Log capture and retention to support threat detection, incident response, and compliance needs

  • Centralized visibility into, and correlation of, threat information, using SIEM, native Azure capabilities, and other sources

  • Communication and notification plan with your customers, suppliers, and public parties of interest

  • Use of Azure native and third-party platforms for incident handling, such as logging and threat detection, forensics, and attack remediation and eradication

  • Processes for handling incidents and post-incident activities, such as lessons learned and evidence retention

Responsibility: Customer

GS-8: Define backup and recovery strategy

Azure ID    CIS Controls v7.1 ID(s)    NIST SP 800-53 r4 ID(s)
GS-8        10                         CP

Establish an Azure backup and recovery strategy for your organization.

This strategy should include documented guidance, policy, and standards for the following elements:

  • Recovery time objective (RTO) and recovery point objective (RPO) definitions in accordance with your business resiliency objectives

  • Redundancy design in your applications and infrastructure setup

  • Protection of backups using access control and data encryption

Responsibility: Customer
