FSI policy controls
An important addition in the FSI landing zones, compared with the Azure landing zone (ALZ), is the set of policy initiatives aligned to key control objectives defined by customers. These policy initiatives are built on top of the default controls provided by ALZ and the Microsoft cloud security benchmark.
You can also apply additional control frameworks depending on the targeted workloads. Azure also provides a library of built-in regulatory compliance policy initiatives; in financial services, these cover standards such as PCI DSS 4.0, NIST SP 800-53 Rev. 5, and SWIFT CSP-CSCF v2022.
# | Control objective | Controls | Implemented? |
---|---|---|---|
SO-01 | Customer data must be stored and processed entirely in data centers that reside in approved geopolitical regions based upon customer-defined requirements. | Data residency | In Preview |
SO-03 | Customer-defined sensitive customer data must only be accessible in an encrypted manner to cloud and managed service operators. | Confidential computing | In Preview |
SO-04 | The customer must have exclusive control over deciding which identities can access keys used to decrypt customer-defined sensitive data. | Customer-managed keys | In Preview |
TR-01 | Customer must have visibility into deep information about what happens in their environment. | Logging | Generally Available |
TR-02 | Customer must have visibility into Microsoft actions and changes. | Transparency Logs, RBAC transparency, Policy change | |
TR-03 | Customers must approve the access of customer data by cloud and managed service operators. | Customer Lockbox | |
TR-04 | Customers are notified consistently of incidents and outages. | Incident hub | |
RE-01 | The customer must ensure multi-region and active-active resiliency across all workloads. | Zonal and Geo-replication, scheduled updates | |
SD-01 | The customer must limit the deployable services to an allow-listed set. | Allowed services list | |
SD-02 | Cloud services should be configured in a closed or secure-by-default state, and manually configured to allow connections and usage. | Secure-by-default parameters | |
SD-03 | Services must provide private access for sensitive functions. | Private Access, Corp LZ | |
SD-04 | Local authentication must not be allowed for any resources. | Disable local authentication | |
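As an added illustration of how a control objective such as SO-01 (data residency) is expressed as an Azure Policy definition, the following custom definition denies resource creation outside an approved list of regions. This is example code written for this page and is not the FSI landing zone's own initiative; the display name, parameter name, and the `global` / B2C exclusions are assumptions modeled on the common allowed-locations pattern, and the list of regions is supplied at assignment time.

```json
{
  "properties": {
    "displayName": "Example: restrict resource locations to approved regions (SO-01)",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Denies creation of resources in regions outside the customer-approved list.",
    "parameters": {
      "listOfAllowedLocations": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed locations",
          "description": "Regions in which resources may be deployed (assigned per subscription or management group).",
          "strongType": "location"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "location",
            "notIn": "[parameters('listOfAllowedLocations')]"
          },
          {
            "field": "location",
            "notEquals": "global"
          },
          {
            "field": "type",
            "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

Assigning this definition at the management-group level with the approved regions as the parameter value enforces the objective for every subscription beneath it; existing non-compliant resources are reported but not modified, so a compliance review of the assignment's results is still needed.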