Wording changes

Author: msmbaldwin

articles/security/benchmarks/index.yml

@@ -22,7 +22,7 @@ landingContent:
     linkLists:
       - linkListType: overview
         links:
-          - text: Azure Security Benchmarks Introduction
+          - text: Azure Security Benchmark Introduction
             url: introduction.md
           - text: Overview of Azure Security Controls
             url: overview.md

articles/security/benchmarks/introduction.md

@@ -12,7 +12,7 @@ ms.custom: security-baselines
 
 ---
 
-# Azure security benchmarks introduction
+# Azure security benchmark introduction
 
 You may have several years or even decades of experience with on-premises computing. You know how to secure those deployments. But the cloud is different. How do you know if your cloud deployments are secure? What are the differences between security practices for on-premises systems and security practices for cloud deployments?
 

articles/security/benchmarks/overview.md

@@ -14,23 +14,25 @@ ms.custom: security-baselines
 
 # Overview of Azure Security Controls
 
-The Azure Security Benchmark contains recommendations that help you improve the security of your applications and data on Azure.   
+The Azure Security Benchmark contains recommendations that help you improve the security of your applications and data on Azure.
 
 This Benchmark focuses on cloud-centric control areas. These controls are consistent with well-known security benchmarks, such as those described by the Center for Internet Security (CIS) Controls Version 7.1 
 
 The following controls are used in the Azure Security Benchmark: 
 
-- Network Security 
-- Logging and Monitoring 
-- Identity and Access Control 
-- Data Protection 
-- Vulnerability Management 
-- Inventory and Asset Management 
-- Secure Configuration 
-- Malware Defense 
-- Data Recovery 
-- Incident Response 
-- Penetration Tests and Red Team Exercises
+- [Network Security](security-control-network-security.md)
+- [Logging and Monitoring](security-control-logging-monitoring.md)
+- [Identity and Access Control](security-control-identity-access-control.md)
+- [Data Protection](security-control-data-protection.md)
+- [Vulnerability Management](security-control-vulnerability-management.md)
+- [Inventory and Asset Management](security-control-inventory-asset-management.md)
+- [Secure Configuraton](security-control-secure-configuration.md)
+- [Malware Defense](security-control-malware-defense.md)
+- [Data Recovery](security-control-data-recovery.md)
+- [Incident Response](security-control-incident-response.md)
+- [Penetration Tests and Red Team Exercises](security-control-penetration-tests-red-team-exercises.md)
+
+You can also download the [Azure Security Benchmark v1 excel spreadsheet](https://github.com/MicrosoftDocs/SecurityBenchmarks/tree/master/spreadsheets).
 
 ## Azure Security Benchmark Recommendations 
 
@@ -45,4 +47,5 @@ We welcome your detailed feedback and active participation in the Azure Security
 
 ## Next Steps
 
-See the first security control: [Network Security](security-control-network-security.md)
+- See the first security control: [Network Security](security-control-network-security.md)
+- Download the [Azure Security Benchmark v1 excel spreadsheet](https://github.com/MicrosoftDocs/SecurityBenchmarks/tree/master/spreadsheets)

articles/security/benchmarks/security-control-data-protection.md

@@ -82,7 +82,7 @@ Encrypt all sensitive information in transit. Ensure that any clients connecting
 
 Follow Azure Security Center recommendations for encryption at rest and encryption in transit, where applicable.
 
-Understanding encryption in transit with Azure:
+Understand encryption in transit with Azure:
 
 https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit
 
@@ -114,7 +114,7 @@ https://docs.microsoft.com/azure/information-protection/deployment-roadmap
 
 Use Azure AD RBAC to control access to data and resources, otherwise use service specific access control methods.
 
-Understanding Azure RBAC:
+Understand Azure RBAC:
 
 https://docs.microsoft.com/azure/role-based-access-control/overview
 
@@ -161,4 +161,3 @@ https://docs.microsoft.com/azure/azure-monitor/platform/alerts-activity-log
 ## Next steps
 
 See the next security control: [Vulnerability Management](security-control-vulnerability-management.md)
-

articles/security/benchmarks/security-control-data-recovery.md

@@ -25,6 +25,7 @@ Ensure that all system data, configurations, and secrets are automatically backe
 Enable Azure Backup and configure the backup source (Azure VMs, SQL Server, or File Shares), as well as the desired frequency and retention period.
 
 How to enable Azure Backup:
+
 https://docs.microsoft.com/azure/backup/
 
 ## 9.2: Perform complete system backups and backup any customer managed keys
@@ -36,9 +37,11 @@ https://docs.microsoft.com/azure/backup/
 Enable Azure Backup and target VM(s), as well as the desired frequency and retention periods. Backup customer managed keys within Azure Key Vault.
 
 How to enable Azure Backup:
+
 https://docs.microsoft.com/azure/backup/
 
 How to backup key vault keys in Azure:
+
 https://docs.microsoft.com/powershell/module/azurerm.keyvault/backup-azurekeyvaultkey?view=azurermps-6.13.0
 
 ## 9.3: Validate all backups including customer managed keys

articles/security/benchmarks/security-control-identity-access-control.md

@@ -60,10 +60,11 @@ Learn more: https://docs.microsoft.com/azure/active-directory/privileged-identit
 
 Wherever possible, use Azure Active Directory SSO instead than configuring individual stand-alone credentials per-service. Use Azure Security Center Identity and Access Management recommendations.
 
-Understanding SSO with Azure AD:
+Understand SSO with Azure AD:
+
 https://docs.microsoft.com/azure/active-directory/manage-apps/what-is-single-sign-on
 
-## 3.5: Use multi-factor authentication for all Azure Active Directory based access.
+## 3.5: Use multi-factor authentication for all Azure Active Directory based access
 
 | Azure ID | CIS IDs | Responsibility |
 |--|--|--|
@@ -88,9 +89,11 @@ https://docs.microsoft.com/azure/security-center/security-center-identity-access
 Use PAWs (privileged access workstations) with MFA configured to log into and configure Azure resources.
 
 Learn about Privileged Access Workstations:
+
 https://docs.microsoft.com/windows-server/identity/securing-privileged-access/privileged-access-workstations
 
 How to enable MFA in Azure:
+
 https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-getstarted
 
 
@@ -131,20 +134,23 @@ https://docs.microsoft.com/azure/active-directory/reports-monitoring/quickstart-
 Use Azure Active Directory (AAD) as the central authentication and authorization system. AAD protects data by using strong encryption for data at rest and in transit. AAD also salts, hashes, and securely stores user credentials.
 
 How to create and configure an AAD instance:
+
 https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-access-create-new-tenant
 
 ## 3.10: Regularly review and reconcile user access
 
 | Azure ID | CIS IDs | Responsibility |
 |--|--|--|
-| 3.1 | 16.9, 16.10 | Customer |
+| 3.10 | 16.9, 16.10 | Customer |
 
 Azure AD provides logs to help discover stale accounts. In addition, use Azure Identity Access Reviews to efficiently manage group memberships, access to enterprise applications, and role assignments. User access can be reviewed on a regular basis to make sure only the right Users have continued access. 
 
-Azure AD Reporting 
+Azure AD Reporting:
+
 https://docs.microsoft.com/azure/active-directory/reports-monitoring/
 
 How to use Azure Identity Access Reviews:
+
 https://docs.microsoft.com/azure/active-directory/governance/access-reviews-overview
 
 ## 3.11: Monitor attempts to access deactivated accounts
@@ -189,7 +195,7 @@ https://docs.microsoft.com/azure/sentinel/quickstart-onboard
 
 In support scenarios where Microsoft needs to access customer data, Customer Lockbox provides an interface for you to review, and approve or reject customer data access requests.
 
-Understanding Customer Lockbox:
+Understand Customer Lockbox:
 
 https://docs.microsoft.com/azure/security/fundamentals/customer-lockbox-overview
 

articles/security/benchmarks/security-control-incident-response.md

@@ -62,7 +62,7 @@ Refer to NIST's publication: Guide to Test, Training, and Exercise Programs for
 
 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-84.pdf
 
-## 10.4: Provide security incident contact details and configure alert notifications  for security incidents
+## 10.4: Provide security incident contact details and configure alert notifications for security incidents
 
 | Azure ID | CIS IDs | Responsibility |
 |--|--|--|

articles/security/benchmarks/security-control-inventory-asset-management.md

@@ -34,7 +34,7 @@ How to view your Azure Subscriptions:
 
 https://docs.microsoft.com/powershell/module/az.accounts/get-azsubscription?view=azps-3.0.0
 
-Understanding Azure RBAC:
+Understand Azure RBAC:
 
 https://docs.microsoft.com/azure/role-based-access-control/overview
 
@@ -120,7 +120,7 @@ How to use File Integrity Monitoring:
 
 https://docs.microsoft.com/azure/security-center/security-center-file-integrity-monitoring#using-file-integrity-monitoring
 
-Understanding Azure Change Tracking:
+Understand Azure Change Tracking:
 
 https://docs.microsoft.com/azure/automation/change-tracking
 
@@ -191,6 +191,7 @@ https://docs.microsoft.com/azure/role-based-access-control/conditional-access-az
 Use operating system specific configurations or third-party resources to limit users' ability to execute scripts within Azure compute resources.
 
 For example, how to control PowerShell script execution in Windows Environments:
+
 https://docs.microsoft.com/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-6
 
 ## 6.13: Physically or logically segregate high risk applications

articles/security/benchmarks/security-control-logging-monitoring.md

@@ -64,7 +64,7 @@ How to collect platform logs and metrics with Azure Monitor:
 
 https://docs.microsoft.com/azure/azure-monitor/platform/diagnostic-settings
 
-Understanding logging and different log types in Azure:
+Understand logging and different log types in Azure:
 
 https://docs.microsoft.com/azure/azure-monitor/platform/platform-logs-overview
 
@@ -77,9 +77,11 @@ https://docs.microsoft.com/azure/azure-monitor/platform/platform-logs-overview
 If the compute resource is owned by Microsoft, then Microsoft is responsible for monitoring it. If the compute resource is owned by your organization, it's your responsibility to monitor it. You can use Azure Security Center to monitor the OS. Data collected by Security Center from the operating system includes OS type and version, OS (Windows Event Logs), running processes, machine name, IP addresses, and logged in user. The Log Analytics Agent also collects crash dump files.
 
 How to collect Azure Virtual Machine internal host logs with Azure Monitor:
+
 https://docs.microsoft.com/azure/azure-monitor/learn/quick-collect-azurevm
 
-Understanding Azure Security Center data collection:
+Understand Azure Security Center data collection:
+
 https://docs.microsoft.com/azure/security-center/security-center-enable-data-collection
 
 ## 2.5: Configure security log storage retention
@@ -91,6 +93,7 @@ https://docs.microsoft.com/azure/security-center/security-center-enable-data-col
 Within Azure Monitor, set your Log Analytics Workspace retention period according to your organization's compliance regulations. Use Azure Storage Accounts for long-term/archival storage.
 
 How to set log retention parameters for Log Analytics Workspaces:
+
 https://docs.microsoft.com/azure/azure-monitor/platform/manage-cost-storage#change-the-data-retention-period
 
 ## 2.6: Monitor and review Logs
@@ -107,7 +110,7 @@ How to onboard Azure Sentinel:
 
 https://docs.microsoft.com/azure/sentinel/quickstart-onboard
 
-Understanding Log Analytics Workspace:
+Understand Log Analytics Workspace:
 
 https://docs.microsoft.com/azure/azure-monitor/log-query/get-started-portal
 
@@ -153,7 +156,7 @@ How to configure Microsoft Antimalware for Cloud Services:
 
 https://docs.microsoft.com/powershell/module/servicemanagement/azure/set-azureserviceantimalwareextension?view=azuresmps-4.0.0
 
-Understanding Microsoft Antimalware:
+Understand Microsoft Antimalware:
 
 https://docs.microsoft.com/azure/security/fundamentals/antimalware
 

articles/security/benchmarks/security-control-network-security.md

@@ -24,9 +24,10 @@ Network security recommendations focus on specifying which network protocols, TC
 
 Ensure that all Virtual Network subnet deployments have a Network Security Group applied with network access controls specific to your application's trusted ports and sources. Use Azure Services with Private Link enabled, deploy the service inside your Vnet, or connect privately using Private Endpoints. For service specific requirements, please refer to the security recommendation for that specific service.
 
-Alternatively, if you has a specific use case, requirements can be met by implementing Azure Firewall.
+Alternatively, if you have a specific use case, requirements can be met by implementing Azure Firewall.
 
 General Information on Private Link:
+
 https://docs.microsoft.com/azure/private-link/private-link-overview
 
 How to create a Virtual Network:
@@ -53,7 +54,7 @@ How to Enable NSG Flow Logs:
 
 https://docs.microsoft.com/azure/network-watcher/network-watcher-nsg-flow-logging-portal
 
-Understanding Network Security provided by Azure Security Center:
+Understand Network Security provided by Azure Security Center:
 
 https://docs.microsoft.com/azure/security-center/security-center-network-recommendations
 
@@ -112,9 +113,11 @@ https://docs.microsoft.com/azure/security-center/security-center-just-in-time
 Record NSG flow logs into a storage account to generate flow records. If required for investigating anomalous activity, enable Network Watcher packet capture.
 
 How to Enable NSG Flow Logs:
+
 https://docs.microsoft.com/azure/network-watcher/network-watcher-nsg-flow-logging-portal
 
 How to enable Network Watcher:
+
 https://docs.microsoft.com/azure/network-watcher/network-watcher-create
 
 ## 1.6: Deploy network based intrusion detection/intrusion prevention systems (IDS/IPS)
@@ -140,12 +143,15 @@ https://docs.microsoft.com/azure/firewall/threat-intel
 Deploy Azure Application Gateway for web applications with HTTPS/SSL enabled for trusted certificates.
 
 How to deploy Application Gateway:
+
 https://docs.microsoft.com/azure/application-gateway/quick-create-portal
 
 How to configure Application Gateway to use HTTPS:
+
 https://docs.microsoft.com/azure/application-gateway/create-ssl-portal
 
-Understanding layer 7 load balancing with Azure web application gateways:
+Understand layer 7 load balancing with Azure web application gateways:
+
 https://docs.microsoft.com/azure/application-gateway/overview
 
 ## 1.8: Minimize complexity and administrative overhead of network security rules
@@ -154,9 +160,10 @@ https://docs.microsoft.com/azure/application-gateway/overview
 |--|--|--|
 | 1.8 | 1.5 | Customer |
 
-Use Virtual Network Service Tags  to define network access controls on Network Security Groups or Azure Firewall. You can use service tags in place of specific IP addresses when creating security rules. By specifying the service tag name (e.g., ApiManagement) in the appropriate source or destination field of a rule, you can allow or deny the traffic for the corresponding service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change.
+Use Virtual Network Service Tags to define network access controls on Network Security Groups or Azure Firewall. You can use service tags in place of specific IP addresses when creating security rules. By specifying the service tag name (e.g., ApiManagement) in the appropriate source or destination field of a rule, you can allow or deny the traffic for the corresponding service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change.
+
+Understand and use Service Tags:
 
-Understanding and using Service Tags:
 https://docs.microsoft.com/azure/virtual-network/service-tags-overview
 
 ## 1.9: Maintain standard security configurations for network devices