Azure – Update to dynamic compliance package with the updated Azure CIS 1.1.0 policy

As you may already know, Azure comes with a set of policies to help you meet compliance and security standards (ISO 27001, SOC, PCI DSS…) and requirements.

You should already be using these policies (and if not, this is a good day to start). Be aware that the Azure CIS policy has been updated to version 1.1.0 to provide dynamic updates to the policy rules, and you are required to update your Azure Security policy configuration to include it.

You can download the new/updated Azure CIS policy benchmark from https://www.cisecurity.org/benchmark/azure/. You will need to register, if you have not already, to get the link to the benchmark (at the bottom of the page).


The previous version of the Azure CIS policy relied on a static set of rules; with the new version, the Azure Security policy will be updated dynamically over time.

To update your Azure Security policy to include the new Azure CIS 1.1.0 with dynamic updates, log on to your Azure portal (https://portal.azure.com/) and go to the Azure Security Center configuration blade.


Then go to the Security Policy blade and select the management group (recommended) or the subscription you want to update with the new Azure CIS policy.


Finally, click the Add more standards button in the Industry & regulatory standards section to add the new Azure CIS policy.


When deploying the new policy, review the different settings so they match your own requirements, then deploy.


Benoit Hamet
Benoit is working on Microsoft collaborative technologies. He has been awarded as MVP for more than 12 years. Currently MVP on Office 365 after being awarded on SharePoint (2011-2012) and Windows client & server (2002-2007). Speaker at various Microsoft events (TechDays, TechNet seminars) and Quest Software. He works on on-premises (Active Directory, RADIUS/NPS, Exchange, Skype for Business, SharePoint, SQL, Terminal Server, Windows client and Windows Server) or online (Azure, Intune, Office 365, Exchange Online, SharePoint Online, Skype for Business Online, Teams) technologies.