last sync: 2024-Oct-03 17:51:34 UTC

Establish alternate storage site to store and retrieve backup information | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Establish alternate storage site to store and retrieve backup information
Id 0a412110-3874-9f22-187a-c7a81c8a6704
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_C1267 - Establish alternate storage site to store and retrieve backup information
Additional metadata Name/Id: CMA_C1267 / CMA_C1267
Category: Operational
Title: Establish alternate storage site to store and retrieve backup information
Ownership: Customer
Description: The customer is responsible for establishing an alternate storage site with the ability to store and retrieve backup information, and the agreements permitting such activities. Note: if the customer configures Microsoft Azure appropriately for reserving storage capacity in an alternate region, Azure can support the secure storage and retrieval of system data.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 21 compliance controls are associated with this Policy definition 'Establish alternate storage site to store and retrieve backup information' (0a412110-3874-9f22-187a-c7a81c8a6704)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 CP-6 FedRAMP_High_R4_CP-6 FedRAMP High CP-6 Contingency Planning Alternate Storage Site Shared n/a The organization: a. Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and b. Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site. Supplemental Guidance: Alternate storage sites are sites that are geographically distinct from primary storage sites. An alternate storage site maintains duplicate copies of information and data in the event that the primary storage site is not available. Items covered by alternate storage site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination of delivery/retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-7, CP-9, CP-10, MP-4. References: NIST Special Publication 800-34. link 7
FedRAMP_Moderate_R4 CP-6 FedRAMP_Moderate_R4_CP-6 FedRAMP Moderate CP-6 Contingency Planning Alternate Storage Site Shared n/a The organization: a. Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and b. Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site. Supplemental Guidance: Alternate storage sites are sites that are geographically distinct from primary storage sites. An alternate storage site maintains duplicate copies of information and data in the event that the primary storage site is not available. Items covered by alternate storage site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination of delivery/retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-7, CP-9, CP-10, MP-4. References: NIST Special Publication 800-34. link 7
hipaa 0947.09y2Organizational.2-09.y hipaa-0947.09y2Organizational.2-09.y 0947.09y2Organizational.2-09.y 09 Transmission Protection 0947.09y2Organizational.2-09.y 09.09 Electronic Commerce Services Shared n/a The organization ensures the storage of the transaction details are located outside of any publicly accessible environments (e.g., on a storage platform existing on the organization's intranet) and not retained and exposed on a storage medium directly accessible from the Internet. 11
hipaa 1604.12c2Organizational.16789-12.c hipaa-1604.12c2Organizational.16789-12.c 1604.12c2Organizational.16789-12.c 16 Business Continuity & Disaster Recovery 1604.12c2Organizational.16789-12.c 12.01 Information Security Aspects of Business Continuity Management Shared n/a Alternative storage and processing sites are identified (permanent and/or temporary) at a sufficient distance from the primary facility and configured with security measures equivalent to the primary site, and the necessary third-party service agreements have been established to allow for the resumption of information systems operations of critical business functions within the time period defined (e.g., priority of service provisions) based on a risk assessment, including Recovery Time Objectives (RTO), in accordance with the organization's availability requirements. 6
hipaa 1618.09l1Organizational.45-09.l hipaa-1618.09l1Organizational.45-09.l 1618.09l1Organizational.45-09.l 16 Business Continuity & Disaster Recovery 1618.09l1Organizational.45-09.l 09.05 Information Back-Up Shared n/a The backups are stored in a physically secure remote location, at a sufficient distance to make them reasonably immune from damage to data at the primary site, and reasonable physical and environmental controls are in place to ensure their protection at the remote location. 7
hipaa 1668.12d1Organizational.67-12.d hipaa-1668.12d1Organizational.67-12.d 1668.12d1Organizational.67-12.d 16 Business Continuity & Disaster Recovery 1668.12d1Organizational.67-12.d 12.01 Information Security Aspects of Business Continuity Management Shared n/a Emergency procedures, manual "fallback" procedures, and resumption plans are the responsibility of the owner of the business resources or processes involved; and fallback arrangements for alternative technical services, such as information processing and communications facilities, are the responsibility of the service providers. 4
ISO27001-2013 A.11.1.4 ISO27001-2013_A.11.1.4 ISO 27001:2013 A.11.1.4 Physical And Environmental Security Protecting against external and environmental threats Shared n/a Physical protection against natural disasters, malicious attack or accidents shall be designed and applied. link 9
ISO27001-2013 A.17.1.2 ISO27001-2013_A.17.1.2 ISO 27001:2013 A.17.1.2 Information Security Aspects Of Business Continuity Management Implementing information security continuity Shared n/a The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation. link 18
ISO27001-2013 A.17.2.1 ISO27001-2013_A.17.2.1 ISO 27001:2013 A.17.2.1 Information Security Aspects Of Business Continuity Management Availability of information processing facilities Shared n/a Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements. link 17
mp.eq.3 Protection of portable devices mp.eq.3 Protection of portable devices 404 not found n/a n/a 71
mp.eq.4 Other devices connected to the network mp.eq.4 Other devices connected to the network 404 not found n/a n/a 35
mp.if.1 Separate areas with access control mp.if.1 Separate areas with access control 404 not found n/a n/a 23
mp.if.3 Fitting-out of premises mp.if.3 Fitting-out of premises 404 not found n/a n/a 18
mp.if.5 Fire protection mp.if.5 Fire protection 404 not found n/a n/a 16
mp.if.6 Flood protection mp.if.6 Flood protection 404 not found n/a n/a 16
NIST_SP_800-53_R4 CP-6 NIST_SP_800-53_R4_CP-6 NIST SP 800-53 Rev. 4 CP-6 Contingency Planning Alternate Storage Site Shared n/a The organization: a. Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and b. Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site. Supplemental Guidance: Alternate storage sites are sites that are geographically distinct from primary storage sites. An alternate storage site maintains duplicate copies of information and data in the event that the primary storage site is not available. Items covered by alternate storage site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination of delivery/retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-7, CP-9, CP-10, MP-4. References: NIST Special Publication 800-34. link 7
NIST_SP_800-53_R5 CP-6 NIST_SP_800-53_R5_CP-6 NIST SP 800-53 Rev. 5 CP-6 Contingency Planning Alternate Storage Site Shared n/a a. Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and b. Ensure that the alternate storage site provides controls equivalent to that of the primary site. link 7
op.cont.3 Periodic tests op.cont.3 Periodic tests 404 not found n/a n/a 91
op.cont.4 Alternative means op.cont.4 Alternative means 404 not found n/a n/a 95
op.exp.3 Security configuration management op.exp.3 Security configuration management 404 not found n/a n/a 123
SWIFT_CSCF_v2022 9.2 SWIFT_CSCF_v2022_9.2 SWIFT CSCF v2022 9.2 9. Ensure Availability through Resilience Providers must ensure that the service remains available for customers in the event of a site disaster. Shared n/a Providers must ensure that the service remains available for customers in the event of a site disaster. link 13
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40 add 0a412110-3874-9f22-187a-c7a81c8a6704
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC