Anonymous

What are the exceptions and management responses?

Virtual Information Security Officer

The SOC 2 Type II report for Azure, Dynamics 365, and Online Services (Public & Government) for the period April 1, 2022, to March 31, 2023, contains the following exceptions and management responses:

  1. Control ID OA - 15 (Password Rotation):
    • Exception Noted: 28 out of 39 sampled network devices were not rotated as per the defined password rotation cadence.
    • Management Response: Management is committed to implementing a process to rotate passwords and address any bugs causing failures in the automated workflow. Despite the lack of evidence for password rotation, management deemed there was no risk as the affected accounts can only be accessed when the central authentication system is down.

  2. Control ID OA - 20 (Break-Glass Account Alerts):
    • Exception Noted: For two of four production domains containing break-glass accounts, configurations for alert generation were missing. As a result, changes to the production environment by these accounts were not monitored from April 1, 2022, to September 30, 2022.
    • Management Response: Access logs were reviewed, and it was verified that break-glass usage was limited and mostly pre-planned and authorized. Monitoring has since been enabled for these domains, and multiple controls are in place to mitigate the risk of unauthorized production changes.

  3. Control ID DS - 1 (Cryptographic Certificates and Keys):
    • Exception Noted: Two of 26 sampled secrets were not rotated according to the secret rotation cadence.
    • Management Response: The affected secrets have either been deleted or had their passwords rotated. Access is restricted to authorized personnel, and secrets are stored in an encrypted format. A review of all secrets was conducted, and necessary rotations were performed.

  4. Control ID LA - 7 (Quotas on Azure Services):
    • Exception Noted: For two of 19 sampled offerings, quota restrictions were not configured as per the defined limits.
    • Management Response: The failure of quota restrictions was due to a bug, which has been resolved. There were no service outages or capacity issues caused by this bug. Monitoring mechanisms are in place to detect capacity constraints, and management deemed there was no risk from this exception.

Anonymous

What are the Complementary User Entity Controls?

Virtual Information Security Officer

The Complementary User Entity Controls listed in the SOC 2 Type II report for Azure, Dynamics 365, and Online Services (Public & Government) for the period April 1, 2022, to March 31, 2023, include a range of responsibilities that Microsoft assumes its user entities have implemented. These responsibilities are crucial for maintaining compliance and security within the Azure environment. Key responsibilities include:

  1. Managing compliance with applicable laws/regulations.
  2. Establishing controls over the use of Microsoft Accounts and passwords.
  3. Disabling/deleting account access upon employee and contractor role change or terminations.
  4. Implementing workstation timeout for extended periods of inactivity.
  5. Reviewing access activities associated with accounts and VM applications.
  6. Protecting credentials associated with deployment profiles.
  7. Following security practices during the development and deployment of applications on Azure Web Apps.
  8. Configuring Web Apps deployments for appropriate diagnostic logging and monitoring for security events.
  9. Specifying strong credentials for service identities and management service accounts.
  10. Supervising, managing, and controlling access to key systems hosted in the Azure environment.
  11. Verifying the security of patching and maintaining third-party applications/components installed on Azure.
  12. Managing Multi-Factor Authentication (MFA) services, including ensuring confidentiality of user IDs and passwords.
  13. Developing Disaster Recovery and Business Continuity Plans addressing MFA service access issues.
  14. Encrypting data within the Azure platform where not enabled by default.
  15. Securing certificates used to access Azure SMAPI and other Azure services.
  16. Designing and implementing interconnectivity between Azure and on-premises resources.
  17. Implementing appropriate authentication mechanisms and limiting admin access.
  18. Backing up keys added to Azure Key Vault.
  19. Hardening virtual machine images as per requirements.
  20. Managing inputs and data uploads to Dynamics 365 for system security, availability, processing integrity, and confidentiality.

These responsibilities are essential for customers to ensure they are complementing Microsoft's controls and maintaining a secure and compliant environment in their use of Azure and Dynamics 365 services.