HITRUST CSF 11.5 - Azure
This page lists all 87 policies in the HITRUST CSF 11.5 pack for Azure.
| Policy Name | Description | Framework Reference | Framework Specification |
|---|---|---|---|
| sql-server-azure-ad-authentication | Require Azure SQL Server to have Azure AD administrators configured | 01.a Access Control Policy | All users shall have a unique identifier for their personal and sole use so that users can be linked to and made responsible for their actions. |
| web-app-auth-settings | Require WebApp to have proper authentication settings configured | 01.a Access Control Policy | All users shall have a unique identifier for their personal and sole use so that users can be linked to and made responsible for their actions. |
| aks-azure-ad-integration | Require AKS clusters to use Azure AD integration | 01.a Access Control Policy | All users shall have a unique identifier for their personal and sole use so that users can be linked to and made responsible for their actions. |
| key-vault-access-policies | Require proper access controls for Key Vault access policies | 01.a Access Control Policy | All users shall have a unique identifier for their personal and sole use so that users can be linked to and made responsible for their actions. |
| custom-role-definition-least-privilege | Ensure custom role definitions follow least privilege principles | 01.a Access Control Policy | All users shall have a unique identifier for their personal and sole use so that users can be linked to and made responsible for their actions. |
| sql-database-least-privilege | Ensure SQL databases use appropriate SQL-specific roles instead of broad management roles | 01.a Access Control Policy | All users shall have a unique identifier for their personal and sole use so that users can be linked to and made responsible for their actions. |
| keyvault-rbac-least-privilege | Ensure Key Vaults using RBAC use appropriate Key Vault-specific roles instead of broad management roles | 01.a Access Control Policy | All users shall have a unique identifier for their personal and sole use so that users can be linked to and made responsible for their actions. |
| rbac-least-privilege | Enforce least privilege access control by prohibiting overly broad RBAC role assignments | 01.c Privilege Management | The allocation and use of privileges shall be restricted and controlled. The use of privileged utility programs shall be restricted and tightly controlled. |
| storage-account-least-privilege | Ensure storage accounts use appropriate storage-specific roles instead of broad management roles | 01.v Information Access Restriction | Access to systems and applications shall be restricted in accordance with the access control policy. |
| key-vault-purge-protection | Require Key Vault to have purge protection enabled | 06.ad04.01 Data Retention and Disposal | Covered information shall be protected against unauthorized disclosure, modification and destruction. For the purpose of this control, covered information includes protected health information, cardholder data, and other sensitive information. |
| vm-requires-managed-disks | Require VMs to use managed disks only | 06.d Data Protection and Privacy of Covered Information | Covered information shall be protected against unauthorized disclosure, modification and destruction. For the purpose of this control, covered information includes protected health information, cardholder data, and other sensitive information. |
| blob-service-lifecycle | Require BlobServiceProperties to have versioning, change feed, and retention policies enabled | 06.d Data Protection and Privacy of Covered Information | Covered information shall be protected against unauthorized disclosure, modification and destruction. For the purpose of this control, covered information includes protected health information, cardholder data, and other sensitive information. |
| sql-database-tde-enabled | Require Azure SQL databases to have Transparent Data Encryption (TDE) enabled | 06.d Data Protection and Privacy of Covered Information | Covered information shall be protected against unauthorized disclosure, modification and destruction. For the purpose of this control, covered information includes protected health information, cardholder data, and other sensitive information. |
| aks-secret-encryption | Require AKS clusters to have secret encryption enabled | 06.d Data Protection and Privacy of Covered Information | Covered information shall be protected against unauthorized disclosure, modification and destruction. For the purpose of this control, covered information includes protected health information, cardholder data, and other sensitive information. |
| event-hubs-retention | Require Event Hubs to have proper retention policies configured | 06.d Data Protection and Privacy of Covered Information | Covered information shall be protected against unauthorized disclosure, modification and destruction. For the purpose of this control, covered information includes protected health information, cardholder data, and other sensitive information. |
| key-vault-soft-delete | Require Key Vault to have soft delete enabled with appropriate retention | 06.d Data Protection and Privacy of Covered Information | Covered information shall be protected against unauthorized disclosure, modification and destruction. For the purpose of this control, covered information includes protected health information, cardholder data, and other sensitive information. |
| log-analytics-retention | Require Log Analytics workspace to have appropriate retention policies | 06.d Data Protection and Privacy of Covered Information | Covered information shall be protected against unauthorized disclosure, modification and destruction. For the purpose of this control, covered information includes protected health information, cardholder data, and other sensitive information. |
| prohibit-hardcoded-secrets | Prohibit hardcoded secrets in code and configuration | 06.d Data Protection and Privacy of Covered Information | Covered information shall be protected against unauthorized disclosure, modification and destruction. For the purpose of this control, covered information includes protected health information, cardholder data, and other sensitive information. |
| storage-account-files-encryption | Require Files to have encryption enabled | 06.d Data Protection and Privacy of Covered Information | Covered information shall be protected against unauthorized disclosure, modification and destruction. For the purpose of this control, covered information includes protected health information, cardholder data, and other sensitive information. |
| resources-cost-management-tags | Require all resources to have cost management tags | 07.a Inventory of Assets | All assets shall be accounted for and have a nominated owner. |
| api-management-tls | Require API Management to have secure TLS/SSL configuration | 09.ac10.01 Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization’s business requirements. |
| app-service-https-only | Require App Service to enforce HTTPS only connections | 09.ac10.01 Encryption In Transit | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization’s business requirements. |
| application-gateway-tls | Require Application Gateway to have secure TLS configuration | 09.ac10.01 Encryption In Transit | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization’s business requirements. |
| resources-change-tracking-tags | Require all Azure resources to have proper tagging for change tracking | 09.b Change Management | Changes to systems, applications and supporting infrastructure shall be controlled. |
| resources-environment-tags | Require all resources to have environment tags | 09.d Separation of Development Test and Operational Environments | Development, testing and production environments shall be separated. |
| vm-scale-set-no-public-ip | Require VM Scale Sets to have no public IP addresses | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| storage-account-public-access | Require Storage Accounts to disable public blob access | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| storage-account-public-network-access | Require Storage Accounts to disable public network access | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| storage-account-firewall | Require Storage Accounts to have firewall rules configured | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| sql-server-disable-public-access | Require Azure SQL Server to disable public network access | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| sql-server-private-endpoints | Require Azure SQL databases to use private endpoints with proper network isolation | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| postgresql-private-endpoints | Require PostgreSQL databases to use private endpoints | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| mysql-private-endpoints | Require MySQL databases to use private endpoints | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| cosmos-db-private-endpoints | Require Cosmos DB account to have public network access disabled (indicating private endpoint usage) | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| aks-private-clusters | Require AKS clusters to be private clusters | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| aks-network-policies | Require AKS clusters to have network policies enabled | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| network-interface-no-public-ip | Require Network Interfaces to have no public IP address associations | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| nsg-strict-rules | Require strict Network Security Group rules with explicit allow/deny configuration | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| nsg-http-restriction | Require Network Security Groups to disallow inbound HTTP traffic | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| application-gateway-waf | Require Application Gateway to have Web Application Firewall enabled | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| vnet-ddos-protection | Require Virtual Networks to have DDoS Protection Standard enabled | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| key-vault-network-access | Require Key Vault to have network access controls configured | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| redis-cache-private-endpoints | Require Redis Cache to use private endpoints | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| nsg-disallow-public-internet-ingress | Require Network Security Groups to disallow public internet ingress | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| app-service-disable-ftp | Require App Service to block insecure FTP access | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| sql-server-audit-logging | Require Azure SQL Server to have audit logging enabled | 09.z Publicly Available Information | Publicly available information shall be protected against unauthorized modification or deletion. |
| flow-log-configuration | Require proper Flow Log configuration for network monitoring | 09.z Publicly Available Information | Publicly available information shall be protected against unauthorized modification or deletion. |
| managed-disk-customer-managed-keys | Require managed disks to use customer-managed encryption keys | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization’s business requirements. |
| vm-scale-set-require-managed-disks | Require VM Scale Sets to use managed disks only | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization’s business requirements. |
| storage-account-uses-customer-managed-keys | Require Storage Accounts to use customer-managed keys for encryption | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization’s business requirements. |
| storage-account-https-only | Require Storage Accounts to enforce HTTPS-only traffic | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization’s business requirements. |
| sql-database-customer-managed-keys | Require Azure SQL databases to use customer-managed keys for transparent data encryption | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization’s business requirements. |
| sql-server-encrypted-connections | Require Azure SQL Server to have encrypted connections with minimum TLS 1.2 | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization’s business requirements. |
| postgresql-customer-managed-keys | Require PostgreSQL flexible servers to use customer-managed keys | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization’s business requirements. |
| postgresql-ssl-enforcement | Require PostgreSQL databases to have SSL enforcement enabled | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization’s business requirements. |
| mysql-customer-managed-keys | Require MySQL flexible servers to use customer-managed keys | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization’s business requirements. |
| mysql-ssl-enforcement | Require MySQL databases to have SSL enforcement enabled | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization’s business requirements. |
| cosmos-db-customer-managed-keys | Require Cosmos DB to use customer-managed keys | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization’s business requirements. |
| container-registry-customer-managed-keys | Require Container Registry to use customer-managed keys | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization’s business requirements. |
| function-app-customer-managed-keys | Require Function Apps to use customer-managed keys | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization’s business requirements. |
| nsg-ssh-rdp-restriction | Require Network Security Groups to restrict SSH and RDP access | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization’s business requirements. |
| service-bus-customer-managed-keys | Require Service Bus namespace to use customer-managed keys for encryption | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization’s business requirements. |
| event-hubs-customer-managed-keys | Require Event Hub namespace to use customer-managed keys for encryption | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization’s business requirements. |
| key-vault-key-rotation | Require Key Vault keys to have rotation policies configured | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization’s business requirements. |
| key-vault-key-configuration | Require proper Key Vault key creation and configuration | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization’s business requirements. |
| key-vault-key-lifecycle | Require proper Key Vault key deletion and lifecycle management | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization’s business requirements. |
| key-vault-lifecycle | Require proper Key Vault deletion protection and lifecycle management | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization’s business requirements. |
| front-door-tls | Require Front Door custom domains to use secure TLS configuration | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization’s business requirements. |
| redis-cache-non-ssl-port | Require Redis Cache to disable non-SSL port access | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization’s business requirements. |
| data-factory-customer-managed-keys | Require Data Factory to use customer-managed keys for encryption | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization’s business requirements. |
| synapse-workspace-customer-managed-keys | Require Synapse Analytics workspaces to use customer-managed keys for encryption | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations, and risk assessments shall consider the organization’s business requirements. |
| vm-approved-images | Require pre-approved hardened VM images from trusted publishers | 10.h Control of Operational Software | The installation of software on operational systems shall be controlled. |
| custom-image-validation | Validate custom managed images meet governance and security requirements | 10.h Control of Operational Software | The installation of software on operational systems shall be controlled. |
| vm-scale-set-automatic-os-upgrades | Require VM Scale Sets to have automatic OS upgrades enabled | 10.k Change Control Procedures | Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures. |
| aks-auto-upgrade | Require AKS clusters to have auto-upgrade enabled | 10.k Change Control Procedures | Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures. |
| azure-firewall-threat-intelligence | Require Azure Firewall to have threat intelligence enabled | 10.m Control of Technical Vulnerabilities | Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk. |
| vm-scale-set-multi-az | Require VM Scale Sets to span multiple availability zones | 12.a Including Information Security in the Business Continuity Management | Information security shall be a central part of the organization’s business continuity management. Business continuity management shall include information security processes to ensure the required level of information security during adverse situations. |
| storage-account-geo-replication | Require Storage Accounts to have geo-replication enabled for business continuity | 12.a Including Information Security in the Business Continuity Management | Information security shall be a central part of the organization’s business continuity management. Business continuity management shall include information security processes to ensure the required level of information security during adverse situations. |
| sql-database-backup-retention | Require Azure SQL Database to have backup retention configured with redundant storage | 12.a Including Information Security in the Business Continuity Management | Information security shall be a central part of the organization’s business continuity management. Business continuity management shall include information security processes to ensure the required level of information security during adverse situations. |
| sql-database-high-availability | Require Azure SQL Database to have high availability configuration | 12.a Including Information Security in the Business Continuity Management | Information security shall be a central part of the organization’s business continuity management. Business continuity management shall include information security processes to ensure the required level of information security during adverse situations. |
| cosmos-db-backup-policies | Require Cosmos DB account to have backup policies configured | 12.a Including Information Security in the Business Continuity Management | Information security shall be a central part of the organization’s business continuity management. Business continuity management shall include information security processes to ensure the required level of information security during adverse situations. |
| aks-node-pools-vm-scale-sets | Require AKS node pools to use VM Scale Sets | 12.a Including Information Security in the Business Continuity Management | Information security shall be a central part of the organization’s business continuity management. Business continuity management shall include information security processes to ensure the required level of information security during adverse situations. |
| application-gateway-multi-az | Require Application Gateway to be configured across multiple availability zones | 12.a Including Information Security in the Business Continuity Management | Information security shall be a central part of the organization’s business continuity management. Business continuity management shall include information security processes to ensure the required level of information security during adverse situations. |
| application-gateway-has-health-probes | Require Application Gateway to enable health probes | 12.a Including Information Security in the Business Continuity Management | Information security shall be a central part of the organization’s business continuity management. Business continuity management shall include information security processes to ensure the required level of information security during adverse situations. |
| load-balancer-multi-az | Require Load Balancer to be configured across multiple availability zones | 12.a Including Information Security in the Business Continuity Management | Information security shall be a central part of the organization’s business continuity management. Business continuity management shall include information security processes to ensure the required level of information security during adverse situations. |
| load-balancer-health-probes | Require Load Balancer to enable health probes | 12.a Including Information Security in the Business Continuity Management | Information security shall be a central part of the organization’s business continuity management. Business continuity management shall include information security processes to ensure the required level of information security during adverse situations. |
| service-bus-dead-letter-queue | Validate Service Bus queues have proper dead letter queue configuration | 12.a Including Information Security in the Business Continuity Management | Information security shall be a central part of the organization’s business continuity management. Business continuity management shall include information security processes to ensure the required level of information security during adverse situations. |
If you have a question about how to use Pulumi, reach out in Community Slack.