Azure Template - Microsoft Security Threat Model Stencil

https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling

Release Notes

Sample Release (2022-07-17)

Added Sample - Azure Data & Analytics Platform

Pre-Release 5 (2022-03-30)

New Stencils

• Anomaly detectors
• Azure Purview accounts
• Bot Services
• Cognitive search
• Cognitive Services
• Computer vision
• Content moderators
• Custom vision
• Face APIs
• Firewall Policies
• Form recognizers
• Front Door and CDN profiles
• Immersive readers
• Language understanding
• Language
• Metrics advisors
• Network interfaces
• Personalizers
• Public IP Prefixes
• QnA makers
• Speech services
• Splunk
• Translators
• Video Analyzers
• Web Application Firewall policies

New Threat Properties

1. FINRA - Does this comply with FINRA, a standard set for not-for-profit organizations authorized by Congress that regulates and enforces the enhancement of investor safeguards and market integrity?
2. FISMA - Does this comply with FISMA, the US legislation that defines a comprehensive framework to protect government information, operations and assets within federal agencies, against threats?
3. GAAP - Does this comply with GAAP, a collection of commonly-followed accounting rules and standards for financial reporting?
4. HIPPA - Does this comply with HIPAA, the US legislation that sets standards for protecting the confidentiality and security of individually identifiable health information?
5. ISAE 3402 - Does this comply with ISAE 3402, the global standard providing assurance that a service organization has appropriate controls in place?
6. ISO 27001 - Is this ISO 27001 certified, a certificate given to companies upholding internationally recognized guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization?
7. ITAR - Does this comply with ITAR, regulations controlling the export and import of defense-related articles and services found on the US Munitions List?
8. SOC 1 - Does this comply with SOC 1, reporting on controls at a service organization which are relevant to user entities' internal control over financial reporting?
9. SOC 2 - Does this comply with SOC 2, reporting on non-financial processing based on one or more of the Trust service criteria on security, privacy, availability, confidentiality, and processing integrity?
10. SOC 3 - Does this comply with SOC 3, reporting based on the Trust service criteria, that may be distributed freely and only contain management's assertion that they have met the requirements of the chosen criteria?
11. SOX - Does this comply with SOX, US legislation aimed at protecting shareholders and the general public from accounting errors and frauds, as well as improving the accuracy of corporate disclosures?
12. SP 800-53 - Does this comply with SP80053, recommended security controls for federal information systems and organizations?
13. SSAE 16 - Does this comply with the SSAE 16 standard for auditing a service organization's internal compliance controls and reporting processes?
14. PCI DSS version - The version of the PCI-DSS protocol supported by this app.
15. ISO 27018 - Does this comply with ISO 27018, which establishes commonly accepted controls and guidelines for processing and protecting Personally Identifiable Information (PII) in a public cloud computing environment?
16. GLBA - Does this app comply with the Gramm-Leach-Bliley Act (GLBA), which requires financial institutions to establish standards for protecting the security and confidentiality of customers' personal information?
17. FedRAMP level - The level of the FedRAMP-compliant solution provided.
18. CSA STAR level - The level of CSA STAR program at which this is certified.
19. Privacy Shield - Does this comply with the EU-US Privacy Shield Framework, which imposes stronger obligations on US companies to protect Europeans' personal data?
20. ISO 27017 - Does this comply with ISO 27017, which establishes commonly accepted controls and guidelines for processing and protecting user information in a public cloud-computing environment?
21. COBIT - Does this comply with COBIT, which sets best practices for the governance and control of information systems and technology, and aligns IT with business principles?
22. COPPA - Does this comply with COPPA, which defines requirements on website and online services operators that provide content to children under 13 years of age?
23. FERPA - Does this comply with FERPA, a federal law that protects the privacy of student education records?
24. GAPP - Does this comply with GAPP, a collection of commonly-followed rules that address privacy risks in an organization?
25. HITRUST CSF - Does this comply with HITRUST CSF, a set of controls that harmonizes the requirements of information security regulations and standards?
26. Jericho Forum Commandments - Does this follow Jericho Forum Commandments, a set if principles to be observed when architecting systems for secure operation in de-perimeterized environments?
27. ISO 27002 - Does this app comply with ISO 27002, which establishes common guidelines for organizational information security standards and information security management practices?
28. FFIEC - Does this comply with the Federal Financial Institutions Examination Council’s guidance on the risk management controls necessary to authenticate services in an Internet banking environment?
29. Data ownership - Does this app fully preserve the user's ownership of uploaded data?
30. DMCA - Does this app comply with the Digital Millennium Copyright Act (DMCA), which criminalizes any attempt to unlawfully access copyrighted material?
31. Data Retention Policy - What is the app’s policy for user data retention after account termination?
32. GDPR - What is the app’s policy for user data retention after account termination?

Release 4 (2019-12-28)

New Stencils

• Azure Storage Explorer
• Azure Open Datasets
• Azure SQL Managed Instance
• Azure Synapse
• Azure SQL Database Edge
• Azure Data Share
• Azure Cloud Shell
• Azure Alerts
• Azure Firewall Manager
• Azure DevOps Pipelines
• Azure DevOps Boards
• Azure DevOps Artifacts
• Azure DevOps Repos
• Azure Sentinal

New Threat Types

Threat Properties