The Microsoft Cloud for Sovereignty Policy Portfolio's Policy Initiatives aid in customizing deployments to reduce the time needed to audit environments and help meet established regulatory compliance frameworks and government requirements.
The first built-in regulatory compliance initiative that Microsoft Cloud for Sovereignty maintains is in support of the cloud-specific technical requirements within the Baseline informatiebeveiliging overheid (BIO), the foundational standards framework for information security within all levels of the Netherlands government (central government, municipalities, provinces and water boards). For more information on the BIO cloud theme initiative, go to Azure Built-in Policy Initiatives.
Microsoft Cloud for Sovereignty makes several custom policy initiatives accessible through this repository. In execution of the Italian Cloud Strategy, which contains the strategic guidelines for migration to the cloud of data and digital services of the Italian Public Administration, the National Cybersecurity Agency (ACN) issued a set of requirements for the qualification of Cloud Services and Cloud Services Infrastructures. In addition, this repository contains policy initiatives for Cloud Security ALliance (CSA) Cloud Control Matrix (CCM) v4 and the sovereignty baseline policy initiatives. The policy initiatives and files contained in this repository are intended to serve as a starting point to map such requirements to an Azure implementation. Please note that these files are not intended to be final or comprehensive solutions, but rather a helpful resource to jumpstart your efforts.
Important - Organizations are wholly responsible for ensuring their own compliance with all applicable laws and regulations. The information provided in this document and repository does not constitute legal advice, and organizations should consult their legal advisors for any questions regarding regulatory compliance.
The evidence against each security measure and its corresponding security controls shall be assessed to determine whether it meets the security requirements. If the security requirements are not fulfilled, the outstanding risks shall be identified. The SAA and/or NCSP shall identify any additional security measures and controls needed to attain an acceptable residual risk, which would be implemented by the NCSP and/or CSP.
Note - These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. To view the change history, see the GitHub Commit History.
To assist with implementation of custom initiatives, see the New-PolicySets.ps1 PowerShell script under our scripts folder.
To ensure your data is secure and your privacy controls are addressed, we recommend that you follow a set of best practices when deploying into Azure:
Protecting your data also requires that all aspects of your security and compliance program include your cloud infrastructure and data. The following guidance can help you to secure your deployment.
This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.
Microsoft Legal Notice: The Microsoft (MS) Cloud for Sovereignty Policy Portfolio (1) is not designed, intended, or made available as legal services, (2) is not intended to substitute for professional legal counsel or judgment, and (3) should not be used in place of consulting with a qualified professional legal professional for your specific needs. Microsoft makes no warranty that the Microsoft (MS) Cloud for Sovereignty Policy Portfolio is accurate, up-to-date, or complete. You are wholly responsible for ensuring your own compliance with all applicable laws and regulations.