regulatory compliance - CIS 1.1.0 - greyed out - technical vs non-technical

  • Question

  • In Azure Security Center - Regulatory compliance for CIS 1.1.0 and others

    When we enabled the ASC - regulatory compliance

    most of the assessments are greyed out.

    As per the official Microsoft documentation, these greyed-out entries could be either because

    1) dependent controls from the top {ex: if one control is not enabled then the relevant dependent controls are greyed out}

    2) Process driven and non-technical controls which Microsoft cannot perform the assessments.

    This seems to be a confusion on what is considered process driven and what is dependent?

    Is there a way to understand and properly identify the differences? Especially for us, almost 80% is greyed out in certain assessments, if it is process driven vs technical or non-technical?


    Tuesday, October 1, 2019 5:20 PM

All replies

  • Hello,

    Unfortunately we don't have a chart/table/list of all items that are process driven/non-technical controls. 

    Can you please provide the docs where you're seeing these two items? 


    1) dependent controls from the top {ex: if one control is not enabled then the relevant dependent controls are greyed out}
    2) Process driven and non-technical controls which Microsoft cannot perform the assessments.

    This is a general blanket of items that are:
    "Process Driven" meaning having the ability to perform a kind of work independently by following an associated process strictly and persistently. That is, in this scenario, something dependent on a business's processes to determine whether or not something is in fact a security issue. Thus this would require custom logic to determine if something can be assessed as a security risk.

    "Non-technical Controls" refers to a sort of control that is not within the realm of computation, such as physical location. Please refer to the concept of technical controls here: http://moct.gov.sy/ICTSandards/en/12/6_Technical_Controls.htm

    Non-technical controls are management and operational controls, such as security policies; operational procedures; and personnel, physical, and environmental security.


    Wednesday, October 2, 2019 12:30 AM
    Moderator
  • Below is the documentation on the policy vs non-technical/technical.

    Official Microsoft documentation:

    "

    1. Select a tab for a compliance standard that is relevant to you. You will see the list of all controls for that standard. For the applicable controls, you can view the details of passing and failing assessments associated with that control. Some controls are grayed out. These controls do not have any Security Center assessments associated with them. You need to analyze the requirements for these and assess them in your environment on your own. Some of these may be process-related and not technical."

    &

    The dependent controls for a few of the assessments is what we heard from Microsoft personnel.


    • Edited by sraon Wednesday, October 2, 2019 7:15 PM
    Wednesday, October 2, 2019 7:13 PM
  • What is the question you're asking in regards to this? 

    Per your post and the doc:

    Some controls are grayed out. These controls do not have any Security Center assessments associated with them. You need to analyze the requirements for these and assess them in your environment on your own. Some of these may be process-related and not technical.

    Thursday, October 3, 2019 1:53 AM
    Moderator