Merge pull request #100773 from msmbaldwin/security-controls

Wording changes

Author: TedA-M

articles/security/benchmarks/index.yml

@@ -22,7 +22,7 @@ landingContent:
     linkLists:
       - linkListType: overview
         links:
-          - text: Azure Security Benchmarks Introduction
+          - text: Azure Security Benchmark Introduction
             url: introduction.md
           - text: Overview of Azure Security Controls
             url: overview.md

articles/security/benchmarks/introduction.md

@@ -12,26 +12,26 @@ ms.custom: security-baselines
 
 ---
 
-# Azure security benchmarks introduction
+# Azure security benchmark introduction
 
-You may have several years or even decades of experience with on-premises computing. You know how to secure those deployments. But the cloud is different. How do you know if your cloud deployments are secure? What are the differences between security practices for on-premises systems and security practices for cloud deployments?
+You may have several years or even decades of experience with on-premises computing. You know how to secure those deployments; but the cloud is different. How do you know if your cloud deployments are secure? What are the differences between security practices for on-premises systems and cloud deployments?
 
-There is a large collection of white papers, best practices, reference architectures, web guidance, open-source tools, commercial solutions, intelligence feeds, and more that can be used to help secure the cloud. Which option should you use? What can you do to get an acceptable level of security in the cloud? 
+There is a large collection of white papers, best practices, reference architectures, web guidance, open-source tools, commercial solutions, intelligence feeds, and more, that can be used to help secure the cloud. Which option should you use? What can you do to get an acceptable level of security in the cloud? 
 
-One of the best ways to secure your cloud deployments is to focus on cloud security benchmark recommendations. Benchmark recommendations for securing any service begin with a fundamental understanding of cybersecurity risk and how to manage it. You can then use this understanding by adopting benchmark security recommendations from your cloud service provider to help select specific security configuration settings in your environment. 
+One of the best ways to secure your cloud deployments is to focus on cloud security benchmark recommendations. Benchmark recommendations, for securing any service, begin with a fundamental understanding of cybersecurity risk and how to manage it. You can then use this understanding by adopting benchmark security recommendations from your cloud service provider to help select specific security configuration settings in your environment. 
 
 The Azure Security Benchmark includes a collection of high-impact security recommendations you can use to help secure most of the services you use in Azure. You can think of these recommendations as "general" or "organizational" as they are applicable to most Azure services. The Azure Security Benchmark recommendations are then customized for each Azure service, and this customized guidance is contained in service recommendations articles. 
 
-The Azure Security Benchmark documentation specify Security Controls and Service Recommendations.
+The Azure Security Benchmark documentation specifies security controls and service recommendations.
 
-- **Security Controls**: The Azure Security Benchmark recommendations are categorized by security controls. Security controls represent high-level vendor-agnostic security requirements, such as network security and data protection. Each security control has a set of security recommendations and instructions that help you enable those recommendations. 
-- **Service Recommendations**: When available, benchmark recommendations for Azure services will include Azure Security Benchmark recommendations that are tailored for the service, as well as additional recommendations that are unique for the particular service. 
+- **Security Controls**: The Azure Security Benchmark recommendations are categorized by security controls. Security controls represent high-level vendor-agnostic security requirements, such as network security and data protection. Each security control has a set of security recommendations and instructions that help you implment those recommendations. 
+- **Service Recommendations**: When available, benchmark recommendations for Azure services will include Azure Security Benchmark recommendations that are tailored specifically for that service. 
 
 The terms "Control", "Benchmark", and "Baseline" are used often in the Azure Security Benchmark documentation and it's important to understand how Azure uses those terms. 
 
 | Term | Description | Example |
 |--|--|--|
-| Control | A **control** is a high-level description of a feature or activity that needs to be addressed, and is not specific to a technology or implementation. | Data Protection is one of the security controls. This control contains specific actions that need to be addressed to help ensure data is protected. |
+| Control | A **control** is a high-level description of a feature or activity that needs to be addressed and is not specific to a technology or implementation. | Data Protection is one of the security controls. This control contains specific actions that need to be addressed to help ensure data is protected. |
 | Benchmark | A **benchmark** contains security recommendations for a specific technology, such as Azure. The recommendations are categorized by the control to which they belong. | The Azure Security benchmark comprises the security recommendations specific to the Azure platform  |
 | Baseline | A **baseline** is the security requirements for an organization. The security requirements are based on benchmark recommendations. Each organization decides which benchmark recommendations to include in their baseline. | The Contoso company creates its security baseline by choosing to require specific recommendations in the Azure Security Benchmark. |
 

articles/security/benchmarks/overview.md

@@ -14,35 +14,38 @@ ms.custom: security-baselines
 
 # Overview of Azure Security Controls
 
-The Azure Security Benchmark contains recommendations that help you improve the security of your applications and data on Azure.   
+The Azure Security Benchmark contains recommendations that help you improve the security of your applications and data on Azure.
 
-This Benchmark focuses on cloud-centric control areas. These controls are consistent with well-known security benchmarks, such as those described by the Center for Internet Security (CIS) Controls Version 7.1 
+This Benchmark focuses on cloud-centric control areas. These controls are consistent with well-known security benchmarks, such as those described by the Center for Internet Security (CIS) Controls Version 7.1.
 
 The following controls are used in the Azure Security Benchmark: 
 
-- Network Security 
-- Logging and Monitoring 
-- Identity and Access Control 
-- Data Protection 
-- Vulnerability Management 
-- Inventory and Asset Management 
-- Secure Configuration 
-- Malware Defense 
-- Data Recovery 
-- Incident Response 
-- Penetration Tests and Red Team Exercises
+- [Network Security](security-control-network-security.md)
+- [Logging and Monitoring](security-control-logging-monitoring.md)
+- [Identity and Access Control](security-control-identity-access-control.md)
+- [Data Protection](security-control-data-protection.md)
+- [Vulnerability Management](security-control-vulnerability-management.md)
+- [Inventory and Asset Management](security-control-inventory-asset-management.md)
+- [Secure Configuration](security-control-secure-configuration.md)
+- [Malware Defense](security-control-malware-defense.md)
+- [Data Recovery](security-control-data-recovery.md)
+- [Incident Response](security-control-incident-response.md)
+- [Penetration Tests and Red Team Exercises](security-control-penetration-tests-red-team-exercises.md)
+
+You can also download the [Azure Security Benchmark v1 excel spreadsheet](https://github.com/MicrosoftDocs/SecurityBenchmarks/tree/master/spreadsheets).
 
 ## Azure Security Benchmark Recommendations 
 
 Each recommendation includes the following information: 
 
 - **Azure ID**: The Azure Security Benchmark ID that corresponds to the recommendation. 
-- **CIS ID(s)**: The CIS benchmark recommendation # that corresponds to this recommendation.  
+- **CIS ID(s)**: The CIS benchmark recommendation(s) that correspond to this recommendation.  
 - **Responsibility**: Whether the customer or the service-provider (or both) is (are) responsible for implementing this recommendation. Security responsibilities are shared in the public cloud. Some security controls are only available to the cloud service provider and therefore the provider is responsible  for addressing those. These are general observations – for some individual services, the responsibility will be different than what is listed in the Azure Security Benchmark. Those differences are described in the baseline recommendations for the individual service. 
-- **Details**: The rationale for the recommendation and links to guidance on how to implement the recommendation. If the recommendation is supported by Azure Security Center, that information will be listed here.  
+- **Details**: The rationale for the recommendation and links to guidance on how to implement it. If the recommendation is supported by Azure Security Center, that information will also be listed.
 
 We welcome your detailed feedback and active participation in the Azure Security Benchmark effort. If you would like to provide the Benchmark team direct input, please fill out the form at [https://aka.ms/AzSecBenchmark](https://aka.ms/AzSecBenchmark).
 
 ## Next Steps
 
-See the first security control: [Network Security](security-control-network-security.md)
+- See the first security control: [Network Security](security-control-network-security.md)
+- Download the [Azure Security Benchmark v1 excel spreadsheet](https://github.com/MicrosoftDocs/SecurityBenchmarks/tree/master/spreadsheets)

articles/security/benchmarks/security-control-data-protection.md

@@ -82,7 +82,7 @@ Encrypt all sensitive information in transit. Ensure that any clients connecting
 
 Follow Azure Security Center recommendations for encryption at rest and encryption in transit, where applicable.
 
-Understanding encryption in transit with Azure:
+Understand encryption in transit with Azure:
 
 https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit
 
@@ -114,7 +114,7 @@ https://docs.microsoft.com/azure/information-protection/deployment-roadmap
 
 Use Azure AD RBAC to control access to data and resources, otherwise use service specific access control methods.
 
-Understanding Azure RBAC:
+Understand Azure RBAC:
 
 https://docs.microsoft.com/azure/role-based-access-control/overview
 
@@ -161,4 +161,3 @@ https://docs.microsoft.com/azure/azure-monitor/platform/alerts-activity-log
 ## Next steps
 
 See the next security control: [Vulnerability Management](security-control-vulnerability-management.md)
-

articles/security/benchmarks/security-control-data-recovery.md

@@ -25,6 +25,7 @@ Ensure that all system data, configurations, and secrets are automatically backe
 Enable Azure Backup and configure the backup source (Azure VMs, SQL Server, or File Shares), as well as the desired frequency and retention period.
 
 How to enable Azure Backup:
+
 https://docs.microsoft.com/azure/backup/
 
 ## 9.2: Perform complete system backups and backup any customer managed keys
@@ -36,9 +37,11 @@ https://docs.microsoft.com/azure/backup/
 Enable Azure Backup and target VM(s), as well as the desired frequency and retention periods. Backup customer managed keys within Azure Key Vault.
 
 How to enable Azure Backup:
+
 https://docs.microsoft.com/azure/backup/
 
 How to backup key vault keys in Azure:
+
 https://docs.microsoft.com/powershell/module/azurerm.keyvault/backup-azurekeyvaultkey?view=azurermps-6.13.0
 
 ## 9.3: Validate all backups including customer managed keys

articles/security/benchmarks/security-control-identity-access-control.md

@@ -60,10 +60,11 @@ Learn more: https://docs.microsoft.com/azure/active-directory/privileged-identit
 
 Wherever possible, use Azure Active Directory SSO instead than configuring individual stand-alone credentials per-service. Use Azure Security Center Identity and Access Management recommendations.
 
-Understanding SSO with Azure AD:
+Understand SSO with Azure AD:
+
 https://docs.microsoft.com/azure/active-directory/manage-apps/what-is-single-sign-on
 
-## 3.5: Use multi-factor authentication for all Azure Active Directory based access.
+## 3.5: Use multi-factor authentication for all Azure Active Directory based access
 
 | Azure ID | CIS IDs | Responsibility |
 |--|--|--|
@@ -88,9 +89,11 @@ https://docs.microsoft.com/azure/security-center/security-center-identity-access
 Use PAWs (privileged access workstations) with MFA configured to log into and configure Azure resources.
 
 Learn about Privileged Access Workstations:
+
 https://docs.microsoft.com/windows-server/identity/securing-privileged-access/privileged-access-workstations
 
 How to enable MFA in Azure:
+
 https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-getstarted
 
 
@@ -131,20 +134,23 @@ https://docs.microsoft.com/azure/active-directory/reports-monitoring/quickstart-
 Use Azure Active Directory (AAD) as the central authentication and authorization system. AAD protects data by using strong encryption for data at rest and in transit. AAD also salts, hashes, and securely stores user credentials.
 
 How to create and configure an AAD instance:
+
 https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-access-create-new-tenant
 
 ## 3.10: Regularly review and reconcile user access
 
 | Azure ID | CIS IDs | Responsibility |
 |--|--|--|
-| 3.1 | 16.9, 16.10 | Customer |
+| 3.10 | 16.9, 16.10 | Customer |
 
 Azure AD provides logs to help discover stale accounts. In addition, use Azure Identity Access Reviews to efficiently manage group memberships, access to enterprise applications, and role assignments. User access can be reviewed on a regular basis to make sure only the right Users have continued access. 
 
-Azure AD Reporting 
+Azure AD Reporting:
+
 https://docs.microsoft.com/azure/active-directory/reports-monitoring/
 
 How to use Azure Identity Access Reviews:
+
 https://docs.microsoft.com/azure/active-directory/governance/access-reviews-overview
 
 ## 3.11: Monitor attempts to access deactivated accounts
@@ -189,7 +195,7 @@ https://docs.microsoft.com/azure/sentinel/quickstart-onboard
 
 In support scenarios where Microsoft needs to access customer data, Customer Lockbox provides an interface for you to review, and approve or reject customer data access requests.
 
-Understanding Customer Lockbox:
+Understand Customer Lockbox:
 
 https://docs.microsoft.com/azure/security/fundamentals/customer-lockbox-overview
 

articles/security/benchmarks/security-control-incident-response.md

@@ -62,7 +62,7 @@ Refer to NIST's publication: Guide to Test, Training, and Exercise Programs for
 
 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-84.pdf
 
-## 10.4: Provide security incident contact details and configure alert notifications  for security incidents
+## 10.4: Provide security incident contact details and configure alert notifications for security incidents
 
 | Azure ID | CIS IDs | Responsibility |
 |--|--|--|

articles/security/benchmarks/security-control-inventory-asset-management.md

@@ -34,7 +34,7 @@ How to view your Azure Subscriptions:
 
 https://docs.microsoft.com/powershell/module/az.accounts/get-azsubscription?view=azps-3.0.0
 
-Understanding Azure RBAC:
+Understand Azure RBAC:
 
 https://docs.microsoft.com/azure/role-based-access-control/overview
 
@@ -120,7 +120,7 @@ How to use File Integrity Monitoring:
 
 https://docs.microsoft.com/azure/security-center/security-center-file-integrity-monitoring#using-file-integrity-monitoring
 
-Understanding Azure Change Tracking:
+Understand Azure Change Tracking:
 
 https://docs.microsoft.com/azure/automation/change-tracking
 
@@ -191,6 +191,7 @@ https://docs.microsoft.com/azure/role-based-access-control/conditional-access-az
 Use operating system specific configurations or third-party resources to limit users' ability to execute scripts within Azure compute resources.
 
 For example, how to control PowerShell script execution in Windows Environments:
+
 https://docs.microsoft.com/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-6
 
 ## 6.13: Physically or logically segregate high risk applications

articles/security/benchmarks/security-control-logging-monitoring.md

@@ -64,7 +64,7 @@ How to collect platform logs and metrics with Azure Monitor:
 
 https://docs.microsoft.com/azure/azure-monitor/platform/diagnostic-settings
 
-Understanding logging and different log types in Azure:
+Understand logging and different log types in Azure:
 
 https://docs.microsoft.com/azure/azure-monitor/platform/platform-logs-overview
 
@@ -77,9 +77,11 @@ https://docs.microsoft.com/azure/azure-monitor/platform/platform-logs-overview
 If the compute resource is owned by Microsoft, then Microsoft is responsible for monitoring it. If the compute resource is owned by your organization, it's your responsibility to monitor it. You can use Azure Security Center to monitor the OS. Data collected by Security Center from the operating system includes OS type and version, OS (Windows Event Logs), running processes, machine name, IP addresses, and logged in user. The Log Analytics Agent also collects crash dump files.
 
 How to collect Azure Virtual Machine internal host logs with Azure Monitor:
+
 https://docs.microsoft.com/azure/azure-monitor/learn/quick-collect-azurevm
 
-Understanding Azure Security Center data collection:
+Understand Azure Security Center data collection:
+
 https://docs.microsoft.com/azure/security-center/security-center-enable-data-collection
 
 ## 2.5: Configure security log storage retention
@@ -91,6 +93,7 @@ https://docs.microsoft.com/azure/security-center/security-center-enable-data-col
 Within Azure Monitor, set your Log Analytics Workspace retention period according to your organization's compliance regulations. Use Azure Storage Accounts for long-term/archival storage.
 
 How to set log retention parameters for Log Analytics Workspaces:
+
 https://docs.microsoft.com/azure/azure-monitor/platform/manage-cost-storage#change-the-data-retention-period
 
 ## 2.6: Monitor and review Logs
@@ -107,7 +110,7 @@ How to onboard Azure Sentinel:
 
 https://docs.microsoft.com/azure/sentinel/quickstart-onboard
 
-Understanding Log Analytics Workspace:
+Understand Log Analytics Workspace:
 
 https://docs.microsoft.com/azure/azure-monitor/log-query/get-started-portal
 
@@ -153,7 +156,7 @@ How to configure Microsoft Antimalware for Cloud Services:
 
 https://docs.microsoft.com/powershell/module/servicemanagement/azure/set-azureserviceantimalwareextension?view=azuresmps-4.0.0
 
-Understanding Microsoft Antimalware:
+Understand Microsoft Antimalware:
 
 https://docs.microsoft.com/azure/security/fundamentals/antimalware