Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
SOLVED

ASC Regulatory Compliance policy definition

Copper Contributor

Hello,

can anyone give me an advice, where I can get information about technical description what really does Regulatory Compliance policy definition? (I do mean what do they really check in which scope - subscription I suppose etc.).

I was not able to find policy description e.g. for ISO27001 in documentation and FAQ.

Thx anyone for reply where to get right information.

Adam

3 Replies

@AdamKolak-6034 they're at the subscription level or higher.

 

This page describes the dynamic compliance packages (preview) feature, and talks of assigning compliance packages to subscriptions or management groups:

https://docs.microsoft.com/azure/security-center/update-regulatory-compliance-packages

 

Hope that helps.

@melvynadam  sorry, but your answer has not reach my goal.

E.G. look at ISO27001, it is composed from a lot of policies. Where I get information what exactelly does policies connected with this Initiative assigments? ... I know that such ACS default policy assigment is scoped and enabled at the subscription level.

But my point is where I got Policy definition for particular parts of this defaul ACS policy assigment.

E.G.

"A12.2.1. Controls against malware"
and its one of assessments:
"Install endpoint protection solution on virtual machines"
Where I can find such description/mapping what this assessment really technically does? (mostly probably, it checks VMs in particular subscription ... maybee windows, maybee linux ... etc.)
Hope I cleared what I seek for.
BR
Adam

 

best response confirmed by AdamKolak-6034 (Copper Contributor)
Solution

Hi @AdamKolak-6034

I'm not entirely understanding what you're looking for, but I can give you a few pointers for more information.

Take a look here for mapping information of compliance requirements to assessments/ Azure policies that help address those requirements: https://docs.microsoft.com/azure/governance/blueprints/samples/

Specifically for ISO 27001 control mapping for example, see this section: https://docs.microsoft.com/azure/governance/blueprints/samples/iso27001/control-mapping

 

To learn more about what the assessments in Security Center are doing, you can take a look at the documenation on Security Center recommendations:  https://docs.microsoft.com/en-us/azure/security-center/security-center-recommendations

There are reference pages in that section for each of the ASC recommendation types.

 

Also, specifically for the recommendation you were interested in below on installing endpoint protection, please take a look at the following article:  https://docs.microsoft.com/en-us/azure/security-center/security-center-endpoint-protection

 

Hope that helps!

Thanks

--Ronit.

 
1 best response

Accepted Solutions
best response confirmed by AdamKolak-6034 (Copper Contributor)
Solution

Hi @AdamKolak-6034

I'm not entirely understanding what you're looking for, but I can give you a few pointers for more information.

Take a look here for mapping information of compliance requirements to assessments/ Azure policies that help address those requirements: https://docs.microsoft.com/azure/governance/blueprints/samples/

Specifically for ISO 27001 control mapping for example, see this section: https://docs.microsoft.com/azure/governance/blueprints/samples/iso27001/control-mapping

 

To learn more about what the assessments in Security Center are doing, you can take a look at the documenation on Security Center recommendations:  https://docs.microsoft.com/en-us/azure/security-center/security-center-recommendations

There are reference pages in that section for each of the ASC recommendation types.

 

Also, specifically for the recommendation you were interested in below on installing endpoint protection, please take a look at the following article:  https://docs.microsoft.com/en-us/azure/security-center/security-center-endpoint-protection

 

Hope that helps!

Thanks

--Ronit.

 

View solution in original post