
Veri-Tech Recommended Controls

Veri-Tech Recommendations

Recommended controls developed by Veri-Tech to fill compliance and operational hygiene gaps not addressed by other frameworks.

Summary: 44 controls, 3 auto-remediable, 4 domains (Purview, Intune, SharePoint, Copilot).

Each control below is listed with its identifier, title, severity, any tags (Copilot Pre-Deployment, Auto-remediable) and its mappings to other frameworks.

Purview (27)

VT-COPILOT-009: Microsoft Purview Data Security Posture Management for AI activated
Severity: critical
Tags: Copilot Pre-Deployment
Mappings: NIST AU-2, NIST AU-12, NIST RA-3, NIST SI-4, CSF DE.AE-3, CSF DE.CM-1, CSF DE.CM-3, CSF DE.DP-2, CSF ID.RA-1, ISO27001 A.5.7, ISO27001 A.8.16, GDPR Art.32, GDPR Art.35, SOC2 CC7.2

VT-PURVIEW-001: SharePoint Online DLP coverage configured
Severity: high
Mappings: NIST AU-2, NIST AC-3, NIST SC-7, NIST SI-12, CSF PR.DS-5, CSF PR.PT-2, ISO27001 A.5.13, ISO27001 A.8.12, SOC2 CC6.7, SOC2 PI1.3, GDPR Art.32, 405D 4.M.E

VT-PURVIEW-002: OneDrive for Business DLP coverage configured
Severity: high
Mappings: NIST AU-2, NIST AC-3, NIST SC-7, NIST SI-12, CSF PR.DS-5, CSF PR.PT-2, ISO27001 A.5.13, ISO27001 A.8.12, SOC2 CC6.7, GDPR Art.32, 405D 4.M.E

VT-PURVIEW-003: Endpoint DLP coverage configured for managed devices
Severity: high
Mappings: NIST AC-19, NIST SC-7, NIST SI-12, CSF PR.DS-5, CSF PR.PT-2, CSF PR.AC-3, ISO27001 A.5.13, ISO27001 A.8.12, ISO27001 A.8.16, SOC2 CC6.7, GDPR Art.32, 405D 4.M.D

VT-PURVIEW-004: DLP rules block external sharing of credit card data
Severity: critical
Mappings: NIST AC-3, NIST AC-21, NIST SC-7, CSF PR.DS-5, CSF PR.AC-4, ISO27001 A.5.14, ISO27001 A.5.34, ISO27001 A.8.12, SOC2 CC6.7, PCI DSS 4.0 3.4, PCI DSS 4.0 4.2, GDPR Art.32

VT-PURVIEW-005: DLP rules block external sharing of US Social Security numbers
Severity: critical
Mappings: NIST AC-3, NIST AC-21, NIST SC-7, CSF PR.DS-5, CSF PR.AC-4, ISO27001 A.5.14, ISO27001 A.5.34, SOC2 CC6.7, HIPAA 164.312(a)(1), HIPAA 164.312(e)(1), GDPR Art.32, 405D 4.M.E

VT-PURVIEW-006: DLP policies promoted out of Test mode
Severity: medium
Mappings: NIST CA-7, NIST CM-3, CSF DE.CM-1, CSF PR.IP-3, ISO27001 A.5.36, ISO27001 A.8.16, SOC2 CC6.7, SOC2 CC7.1

VT-PURVIEW-007: Sensitivity label policy published to users
Severity: high
Mappings: NIST AC-3, NIST SC-7, NIST SI-12, CSF PR.DS-5, CSF PR.AC-4, ISO27001 A.5.12, ISO27001 A.5.14, ISO27001 A.8.12, SOC2 CC6.1, SOC2 CC6.7, GDPR Art.32, 405D 4.M.E

VT-PURVIEW-008: At least one sensitivity label enforces encryption
Severity: critical
Mappings: NIST AC-3, NIST SC-12, NIST SC-13, NIST SC-28, CSF PR.DS-1, CSF PR.DS-2, CSF PR.DS-5, ISO27001 A.5.14, ISO27001 A.8.12, ISO27001 A.8.24, SOC2 CC6.1, SOC2 CC6.7, HIPAA 164.312(a)(2)(iv), HIPAA 164.312(e)(2)(ii), GDPR Art.32, 405D 4.M.B

VT-PURVIEW-009: Auto-labeling policies configured for sensitive content
Severity: high
Mappings: NIST AU-2, NIST CA-7, NIST CM-7, NIST SI-4, CSF DE.CM-1, CSF DE.CM-7, CSF PR.DS-5, ISO27001 A.5.12, ISO27001 A.8.12, ISO27001 A.8.16, SOC2 CC7.2, GDPR Art.32

VT-PURVIEW-010: Container labels configured for Teams and Microsoft 365 Groups
Severity: medium
Mappings: NIST AC-3, NIST AC-21, NIST SC-7, CSF PR.DS-5, CSF PR.AC-4, ISO27001 A.5.14, ISO27001 A.8.12, SOC2 CC6.1, SOC2 CC6.7

VT-PURVIEW-011: Mandatory sensitivity labeling enforced via label policy
Severity: high
Mappings: NIST AC-3, NIST CA-7, NIST CM-7, NIST SI-12, CSF DE.CM-1, CSF PR.DS-5, CSF PR.IP-3, ISO27001 A.5.12, ISO27001 A.5.36, ISO27001 A.8.12, SOC2 CC6.7, SOC2 CC7.1, GDPR Art.32

VT-PURVIEW-012: Retention policy enabled with at least one workload location
Severity: high
Mappings: NIST AU-11, NIST CM-12, NIST SI-12, NIST RA-2, CSF PR.IP-4, CSF PR.IP-6, CSF DE.AE-3, ISO27001 A.5.31, ISO27001 A.5.33, ISO27001 A.8.10, SOC2 CC7.2, GDPR Art.5(1)(e), GDPR Art.30, HIPAA 164.316(b)(2), 405D 4.M.E

VT-PURVIEW-013: Retention policy covers Exchange Online mailboxes
Severity: high
Mappings: NIST AU-11, NIST SI-12, CSF PR.IP-4, CSF PR.IP-6, ISO27001 A.5.33, ISO27001 A.8.10, SOC2 CC7.2, GDPR Art.5(1)(e), HIPAA 164.316(b)(2)

VT-PURVIEW-014: Retention policy covers SharePoint Online sites
Severity: high
Mappings: NIST AU-11, NIST SI-12, CSF PR.IP-4, CSF PR.IP-6, ISO27001 A.5.33, ISO27001 A.8.10, SOC2 CC7.2, GDPR Art.5(1)(e), HIPAA 164.316(b)(2)

VT-PURVIEW-015: Retention policy covers OneDrive for Business accounts
Severity: medium
Mappings: NIST AU-11, NIST SI-12, CSF PR.IP-4, CSF PR.IP-6, ISO27001 A.5.33, ISO27001 A.8.10, SOC2 CC7.2, GDPR Art.5(1)(e)

VT-PURVIEW-016: Retention policy covers Teams chats and channel messages
Severity: high
Mappings: NIST AU-11, NIST SI-12, CSF PR.IP-4, CSF PR.IP-6, ISO27001 A.5.33, ISO27001 A.8.10, SOC2 CC7.2, GDPR Art.5(1)(e), HIPAA 164.316(b)(2)

VT-PURVIEW-017: Microsoft Purview DSPM for Data baseline established
Severity: high
Mappings: NIST RA-3, NIST RA-5, NIST CA-7, NIST PM-9, CSF ID.RA-1, CSF DE.CM-1, CSF DE.CM-7, ISO27001 A.5.7, ISO27001 A.5.36, ISO27001 A.8.16, SOC2 CC3.4, SOC2 CC7.1, SOC2 CC7.2, GDPR Art.32, GDPR Art.35, 405D 4.M.E

VT-PURVIEW-018: Microsoft Compliance Manager assessment tracked
Severity: medium
Mappings: NIST CA-2, NIST CA-7, NIST PM-9, NIST PM-12, CSF ID.GV-3, CSF ID.GV-4, CSF ID.RA-1, CSF ID.SC-1, ISO27001 A.5.36, ISO27001 A.5.37, ISO27001 A.8.34, SOC2 CC3.4, SOC2 CC4.1, SOC2 CC4.2, GDPR Art.5(2), GDPR Art.32

VT-PURVIEW-019: Custom audit log retention policy extends to at least 1 year
Severity: high
Mappings: NIST AU-11, NIST AU-7, NIST CA-7, NIST SI-12, CSF DE.AE-3, CSF PR.IP-4, CSF PR.IP-6, CSF DE.CM-1, ISO27001 A.5.33, ISO27001 A.8.10, ISO27001 A.8.15, SOC2 CC7.2, SOC2 CC7.3, GDPR Art.30, GDPR Art.32, HIPAA 164.308(a)(1)(ii)(D), HIPAA 164.312(b), HIPAA 164.316(b)(2), 405D 4.M.E

VT-PURVIEW-020: Audit retention coverage spans Exchange, SharePoint, and Entra ID
Severity: high
Mappings: NIST AU-2, NIST AU-11, NIST AU-12, NIST CA-7, NIST CM-7, CSF DE.AE-3, CSF DE.CM-1, CSF DE.CM-7, CSF PR.PT-1, ISO27001 A.5.33, ISO27001 A.8.10, ISO27001 A.8.15, ISO27001 A.8.16, SOC2 CC7.2, SOC2 CC7.3, GDPR Art.30, GDPR Art.32, HIPAA 164.312(b)

VT-PURVIEW-021: Insider Risk Management policy active
Severity: high
Mappings: NIST AU-12, NIST AU-13, NIST IR-4, NIST PE-6, NIST PM-12, NIST PM-16, CSF DE.CM-3, CSF DE.CM-7, CSF DE.AE-3, CSF PR.IP-3, ISO27001 A.5.7, ISO27001 A.5.36, ISO27001 A.6.4, ISO27001 A.8.16, SOC2 CC7.2, GDPR Art.32, HIPAA 164.308(a)(1)(ii)(D), 405D 4.M.E

VT-PURVIEW-022: Insider Risk policy covers departing-user data theft
Severity: high
Mappings: NIST AC-7, NIST AU-12, NIST PS-4, NIST PS-5, NIST PM-12, NIST IR-4, CSF DE.CM-3, CSF PR.AC-1, CSF PR.IP-11, ISO27001 A.6.5, ISO27001 A.5.11, ISO27001 A.8.16, SOC2 CC6.2, SOC2 CC6.5, HIPAA 164.308(a)(3)(ii)(C), 405D 4.M.E

VT-PURVIEW-023: Insider Risk reviewer roles populated
Severity: medium
Mappings: NIST AC-2, NIST AU-6, NIST AU-12, NIST IR-2, NIST IR-4, CSF DE.AE-2, CSF DE.DP-2, CSF DE.DP-3, CSF RS.AN-1, ISO27001 A.5.24, ISO27001 A.5.25, ISO27001 A.5.27, ISO27001 A.6.2, SOC2 CC4.1, SOC2 CC7.4

VT-PURVIEW-024: Communication Compliance policy active
Severity: high
Mappings: NIST AU-2, NIST AU-12, NIST CA-7, NIST PM-12, NIST PS-6, CSF DE.AE-3, CSF DE.CM-7, CSF DE.DP-2, ISO27001 A.5.10, ISO27001 A.5.27, ISO27001 A.6.4, ISO27001 A.8.16, SOC2 CC4.1, SOC2 CC5.3, GDPR Art.32, FINRA 3110, FINRA 3120, SEC 17a-4

VT-PURVIEW-025: Communication Compliance policy reviewers assigned
Severity: medium
Mappings: NIST AC-2, NIST AU-6, NIST AU-12, NIST IR-2, CSF DE.DP-2, CSF DE.DP-3, CSF RS.AN-1, ISO27001 A.5.24, ISO27001 A.5.25, ISO27001 A.5.27, SOC2 CC4.1, SOC2 CC7.4, FINRA 3110

VT-PURVIEW-026: Information Barriers configured if regulatory segregation applies
Severity: medium
Mappings: NIST AC-3, NIST AC-4, NIST AC-5, NIST AC-21, CSF PR.AC-4, CSF PR.AC-5, CSF PR.DS-5, ISO27001 A.5.3, ISO27001 A.5.10, ISO27001 A.5.13, SOC2 CC6.1, SOC2 CC6.7, GDPR Art.32, FINRA 3110, FINRA 5270, GLBA Section 501

Intune (10)

VT-CP.001: Should have at least one Windows compliance policy
Severity: high
Mappings: CIS 5.2.2, SOC2 CC6.1, SOC2 CC7.2, NIST CM-2, NIST CM-8, NIST AC-19, ISO27001 A.5.14, ISO27001 A.5.9, ISO27001 A.7.9, ISO27001 A.8.1, ISO27001 A.8.9, CSF DE.AE-1, CSF DE.CM-7, CSF ID.AM-1, CSF ID.AM-2, CSF PR.AC-3, CSF PR.DS-3, CSF PR.DS-7, CSF PR.IP-1, GDPR Art.25, GDPR Art.32, GDPR Art.5(1)(f), 405D 2.M.A

VT-CP.002: Should have at least one iOS compliance policy
Severity: high
Mappings: CIS 5.2.2, SOC2 CC6.1, NIST CM-2, NIST AC-19, ISO27001 A.5.14, ISO27001 A.7.9, ISO27001 A.8.1, ISO27001 A.8.9, CSF DE.AE-1, CSF PR.AC-3, CSF PR.DS-7, CSF PR.IP-1, GDPR Art.25, GDPR Art.32, GDPR Art.5(1)(f), 405D 2.M.A

VT-CP.003: Should have at least one Android compliance policy
Severity: high
Mappings: CIS 5.2.2, SOC2 CC6.1, NIST CM-2, NIST AC-19, ISO27001 A.5.14, ISO27001 A.7.9, ISO27001 A.8.1, ISO27001 A.8.9, CSF DE.AE-1, CSF PR.AC-3, CSF PR.DS-7, CSF PR.IP-1, GDPR Art.25, GDPR Art.32, GDPR Art.5(1)(f), 405D 2.M.A

VT-CP.004: Should have at least one macOS compliance policy
Severity: high
Mappings: VT CP.004, 405D 2.M.A

VT-CP.005: All compliance policies should have assignments
Severity: high
Mappings: VT CP.005, 405D 2.M.A

VT-CP.006: All compliance policies should have descriptions
Severity: medium
Mappings: VT CP.006, 405D 2.M.A

VT-CP.007: No compliance policies should be named with default or copy patterns
Severity: medium
Mappings: VT CP.007, 405D 2.M.A

VT-CP.008: Windows policies should require BitLocker encryption
Severity: high
Mappings: VT CP.008, 405D 2.M.A

VT-CP.009: Windows policies should require a minimum OS version
Severity: high
Mappings: VT CP.009

VT-CP.010: Windows policies should require a password
Severity: high
Mappings: VT CP.010, 405D 2.M.A

SharePoint (6)

VT-COPILOT-002: Everyone Except External Users (EEEU) hidden at SharePoint tenant level
Severity: critical
Tags: Auto-remediable, Copilot Pre-Deployment
Mappings: NIST AC-3, NIST AC-6, CSF PR.AC-4, CSF PR.DS-5, ISO27001 A.5.15, ISO27001 A.8.3, SOC2 CC6.1

VT-COPILOT-004: Restricted SharePoint Search enabled during Copilot deployment window
Severity: critical
Tags: Auto-remediable, Copilot Pre-Deployment
Mappings: NIST AC-3, NIST AC-4, CSF PR.AC-4, CSF PR.DS-5, ISO27001 A.5.15, SOC2 CC6.1

VT-COPILOT-005: Restricted Content Discovery configured on high-risk SharePoint sites
Severity: critical
Tags: Auto-remediable, Copilot Pre-Deployment
Mappings: NIST AC-3, NIST AC-4, CSF PR.AC-4, CSF PR.DS-5, ISO27001 A.5.15, ISO27001 A.8.3, SOC2 CC6.1

VT-COPILOT-006: SAM site access reviews initiated for sites flagged by oversharing reports
Severity: critical
Tags: Copilot Pre-Deployment
Mappings: NIST AC-2, NIST AC-6, CSF PR.AC-4, CSF PR.DS-5, ISO27001 A.5.15, ISO27001 A.5.18, SOC2 CC6.1, SOC2 CC6.3

VT-COPILOT-007: SAM Inactive Site Policy in Active mode
Severity: high
Tags: Copilot Pre-Deployment
Mappings: NIST CM-8, NIST SI-12, CSF ID.AM-1, ISO27001 A.5.9, SOC2 CC6.1

VT-COPILOT-008: SAM Site Ownership policy active and ownerless sites at zero
Severity: high
Tags: Copilot Pre-Deployment
Mappings: NIST AC-2, NIST CM-8, CSF ID.AM-1, CSF PR.AC-4, ISO27001 A.5.15, ISO27001 A.5.9, SOC2 CC6.1

Copilot (1)

VT-COPILOT-015: Copilot agents governed by an explicit allow-list
Severity: medium
Tags: Copilot Pre-Deployment
Mappings: NIST AC-3, NIST CM-7, CSF PR.AC-4, ISO27001 A.5.15, SOC2 CC6.1