last sync: 2023-Jun-07 17:44:43 UTC

Azure Policy definition

Assess risk in third party relationships

Name Assess risk in third party relationships
Azure Portal
Id 0d04cb93-a0f1-2f4b-4b1b-a72a1b510d08
Version 1.1.0
details on versioning
Category Regulatory Compliance
Microsoft docs
Description CMA_0014 - Assess risk in third party relationships
Mode All
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default
Manual
Allowed
Manual, Disabled
RBAC
Role(s)
none
Rule
Aliases
Rule
ResourceTypes
IF (1)
Microsoft.Resources/subscriptions
Compliance The following 21 compliance controls are associated with this Policy definition 'Assess risk in third party relationships' (0d04cb93-a0f1-2f4b-4b1b-a72a1b510d08)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 SA-12 FedRAMP_High_R4_SA-12 FedRAMP High SA-12 System And Services Acquisition Supply Chain Protection Shared n/a The organization protects against supply chain threats to the information system, system component, or information system service by employing [Assignment: organization-defined security safeguards] as part of a comprehensive, defense-in-breadth information security strategy. Supplemental Guidance: Information systems (including system components that compose those systems) need to be protected throughout the system development life cycle (i.e., during design, development, manufacturing, packaging, assembly, distribution, system integration, operations, maintenance, and retirement). Protection of organizational information systems is accomplished through threat awareness, by the identification, management, and reduction of vulnerabilities at each phase of the life cycle and the use of complementary, mutually reinforcing strategies to respond to risk. Organizations consider implementing a standardized process to address supply chain risk with respect to information systems and system components, and to educate the acquisition workforce on threats, risk, and required security controls. Organizations use the acquisition/procurement processes to require supply chain entities to implement necessary security safeguards to: (i) reduce the likelihood of unauthorized modifications at each stage in the supply chain; and (ii) protect information systems and information system components, prior to taking delivery of such systems/components. This control enhancement also applies to information system services. Security safeguards include, for example: (i) security controls for development systems, development facilities, and external connections to development systems; (ii) vetting development personnel; and (iii) use of tamper-evident packaging during shipping/warehousing. Methods for reviewing and protecting development plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements. Related controls: AT-3, CM-8, IR- 4, PE-16, PL-8, SA-3, SA-4, SA-8, SA-10, SA-14, SA-15, SA-18, SA-19, SC-29, SC-30, SC-38, SI-7. References: NIST Special Publication 800-161; NIST Interagency Report 7622. link 4
FedRAMP_High_R4 SA-9(1) FedRAMP_High_R4_SA-9(1) FedRAMP High SA-9 (1) System And Services Acquisition Risk Assessments / Organizational Approvals Shared n/a The organization: (a) Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and (b) Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles]. Supplemental Guidance: Dedicated information security services include, for example, incident monitoring, analysis and response, operation of information security-related devices such as firewalls, or key management services. Related controls: CA-6, RA-3. link 2
FedRAMP_Moderate_R4 SA-9(1) FedRAMP_Moderate_R4_SA-9(1) FedRAMP Moderate SA-9 (1) System And Services Acquisition Risk Assessments / Organizational Approvals Shared n/a The organization: (a) Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and (b) Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles]. Supplemental Guidance: Dedicated information security services include, for example, incident monitoring, analysis and response, operation of information security-related devices such as firewalls, or key management services. Related controls: CA-6, RA-3. link 2
hipaa 1450.05i2Organizational.2-05.i hipaa-1450.05i2Organizational.2-05.i 1450.05i2Organizational.2-05.i 14 Third Party Assurance 1450.05i2Organizational.2-05.i 05.02 External Parties Shared n/a The organization obtains satisfactory assurances that reasonable information security exists across its information supply chain by performing an annual review, which includes all partners/third-party providers upon which their information supply chain depends. 10
hipaa 1451.05iCSPOrganizational.2-05.i hipaa-1451.05iCSPOrganizational.2-05.i 1451.05iCSPOrganizational.2-05.i 14 Third Party Assurance 1451.05iCSPOrganizational.2-05.i 05.02 External Parties Shared n/a Cloud service providers design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privilege access for all personnel within their supply chain. 21
hipaa 1453.05kCSPOrganizational.2-05.k hipaa-1453.05kCSPOrganizational.2-05.k 1453.05kCSPOrganizational.2-05.k 14 Third Party Assurance 1453.05kCSPOrganizational.2-05.k 05.02 External Parties Shared n/a Supply chain agreements (e.g., SLAs) between cloud service providers and customers (tenants) incorporate at least the following mutually-agreed upon provisions and/or terms: (i) scope of business relationship and services offered, data acquisition, exchange and usage, feature sets and functionality, personnel and infrastructure network and systems components for service delivery and support, roles and responsibilities of provider and customer (tenant) and any subcontracted or outsourced business relationships, physical geographical location of hosted services, and any known regulatory compliance considerations; (ii) information security requirements, points of contact, and references to detailed supporting and relevant business processes and technical measures implemented; (iii) notification and/or pre-authorization of any changes controlled by the provider with customer (tenant) impacts; (iv) timely notification of a security incident to all customers (tenants) and other business relationships impacted; (v) assessment and independent verification of compliance with agreement provisions and/or terms (e.g., industry-acceptable certification, attestation audit report, or equivalent forms of assurance) without posing an unacceptable business risk of exposure to the organization being assessed; (vi) expiration of the business relationship and treatment of customer (tenant) data impacted; and, (vii) customer (tenant) service-to-service application (API) and data interoperability and portability requirements for application development and information exchange, usage, and integrity persistence. 10
hipaa 1454.05kCSPOrganizational.3-05.k hipaa-1454.05kCSPOrganizational.3-05.k 1454.05kCSPOrganizational.3-05.k 14 Third Party Assurance 1454.05kCSPOrganizational.3-05.k 05.02 External Parties Shared n/a Service agreements (e.g., SLAs) between providers and customers (tenants) across the relevant supply chain (upstream/downstream) are reviewed consistently and no less than annually to identify any non-conformance to established agreements. The reviews result in actions to address service-level conflicts or inconsistencies resulting from disparate supplier relationships. 8
hipaa 17120.10a3Organizational.5-10.a hipaa-17120.10a3Organizational.5-10.a 17120.10a3Organizational.5-10.a 17 Risk Management 17120.10a3Organizational.5-10.a 10.01 Security Requirements of Information Systems Shared n/a The organization documents all existing outsourced information services and conducts an organizational assessment of risk prior to the acquisition or outsourcing of information services. 10
ISO27001-2013 A.14.2.7 ISO27001-2013_A.14.2.7 ISO 27001:2013 A.14.2.7 System Acquisition, Development And Maintenance Outsourced development Shared n/a The organization shall supervise and monitor the activity of outsourced system development. link 28
ISO27001-2013 A.15.1.1 ISO27001-2013_A.15.1.1 ISO 27001:2013 A.15.1.1 Supplier Relationships Information security policy for supplier relationships Shared n/a Information security requirements for mitigating the risks associated with supplier's access to the organization's assets shall be agreed with the supplier and documented. link 6
ISO27001-2013 A.15.1.2 ISO27001-2013_A.15.1.2 ISO 27001:2013 A.15.1.2 Supplier Relationships Addressing security within supplier agreement Shared n/a All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization's information. link 24
ISO27001-2013 A.15.1.3 ISO27001-2013_A.15.1.3 ISO 27001:2013 A.15.1.3 Supplier Relationships Information and communication technology supply chain Shared n/a Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain. link 4
NIST_SP_800-171_R2_3 .11.1 NIST_SP_800-171_R2_3.11.1 NIST SP 800-171 R2 3.11.1 Risk Assessment Periodically assess the risk to organizational operations, organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI Shared Microsoft and the customer share responsibilities for implementing this requirement. Clearly defined system boundaries are a prerequisite for effective risk assessments. Such risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations, organizational assets, and individuals based on the operation and use of organizational systems. Risk assessments also consider risk from external parties (e.g., service providers, contractors operating systems on behalf of the organization, individuals accessing organizational systems, outsourcing entities). Risk assessments, either formal or informal, can be conducted at the organization level, the mission or business process level, or the system level, and at any phase in the system development life cycle. [SP 800-30] provides guidance on conducting risk assessments. link 2
NIST_SP_800-53_R4 SA-12 NIST_SP_800-53_R4_SA-12 NIST SP 800-53 Rev. 4 SA-12 System And Services Acquisition Supply Chain Protection Shared n/a The organization protects against supply chain threats to the information system, system component, or information system service by employing [Assignment: organization-defined security safeguards] as part of a comprehensive, defense-in-breadth information security strategy. Supplemental Guidance: Information systems (including system components that compose those systems) need to be protected throughout the system development life cycle (i.e., during design, development, manufacturing, packaging, assembly, distribution, system integration, operations, maintenance, and retirement). Protection of organizational information systems is accomplished through threat awareness, by the identification, management, and reduction of vulnerabilities at each phase of the life cycle and the use of complementary, mutually reinforcing strategies to respond to risk. Organizations consider implementing a standardized process to address supply chain risk with respect to information systems and system components, and to educate the acquisition workforce on threats, risk, and required security controls. Organizations use the acquisition/procurement processes to require supply chain entities to implement necessary security safeguards to: (i) reduce the likelihood of unauthorized modifications at each stage in the supply chain; and (ii) protect information systems and information system components, prior to taking delivery of such systems/components. This control enhancement also applies to information system services. Security safeguards include, for example: (i) security controls for development systems, development facilities, and external connections to development systems; (ii) vetting development personnel; and (iii) use of tamper-evident packaging during shipping/warehousing. Methods for reviewing and protecting development plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements. Related controls: AT-3, CM-8, IR- 4, PE-16, PL-8, SA-3, SA-4, SA-8, SA-10, SA-14, SA-15, SA-18, SA-19, SC-29, SC-30, SC-38, SI-7. References: NIST Special Publication 800-161; NIST Interagency Report 7622. link 4
NIST_SP_800-53_R4 SA-9(1) NIST_SP_800-53_R4_SA-9(1) NIST SP 800-53 Rev. 4 SA-9 (1) System And Services Acquisition Risk Assessments / Organizational Approvals Shared n/a The organization: (a) Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and (b) Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles]. Supplemental Guidance: Dedicated information security services include, for example, incident monitoring, analysis and response, operation of information security-related devices such as firewalls, or key management services. Related controls: CA-6, RA-3. link 2
NIST_SP_800-53_R5 SA-9(1) NIST_SP_800-53_R5_SA-9(1) NIST SP 800-53 Rev. 5 SA-9 (1) System and Services Acquisition Risk Assessments and Organizational Approvals Shared n/a (a) Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services; and (b) Verify that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles]. link 2
PCI_DSS_v4.0 12.8.3 PCI_DSS_v4.0_12.8.3 PCI DSS v4.0 12.8.3 Requirement 12: Support Information Security with Organizational Policies and Programs Risk to information assets associated with third-party service provider (TPSP) relationships is managed Shared n/a An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement. link 5
PCI_DSS_v4.0 12.8.4 PCI_DSS_v4.0_12.8.4 PCI DSS v4.0 12.8.4 Requirement 12: Support Information Security with Organizational Policies and Programs Risk to information assets associated with third-party service provider (TPSP) relationships is managed Shared n/a A program is implemented to monitor TPSPs’ PCI DSS compliance status at least once every 12 months. link 8
SOC_2 CC3.4 SOC_2_CC3.4 SOC 2 Type 2 CC3.4 Risk Assessment COSO Principle 9 Shared The customer is responsible for implementing this recommendation. • Assesses Changes in the External Environment — The risk identification process considers changes to the regulatory, economic, and physical environment in which the entity operates. • Assesses Changes in the Business Model — The entity considers the potential impacts of new business lines, dramatically altered compositions of existing business lines, acquired or divested business operations on the system of internal control, rapid growth, changing reliance on foreign geographies, and new technologies. • Assesses Changes in Leadership — The entity considers changes in management and respective attitudes and philosophies on the system of internal control. Page 25 TSP Ref. # TRUST SERVICES CRITERIA AND POINTS OF FOCUS Additional point of focus specifically related to all engagements using the trust services criteria: • Assesses Changes in Systems and Technology — The risk identification process considers changes arising from changes in the entity’s systems and changes in the technology environment. • Assesses Changes in Vendor and Business Partner Relationships — The risk identification process considers changes in vendor and business partner relationships 6
SOC_2 CC9.2 SOC_2_CC9.2 SOC 2 Type 2 CC9.2 Risk Mitigation Vendors and business partners risk management Shared The customer is responsible for implementing this recommendation. Establishes Requirements for Vendor and Business Partner Engagements — The entity establishes specific requirements for a vendor and business partner engagement that includes (1) scope of services and product specifications, (2) roles and responsibilities, (3) compliance requirements, and (4) service levels. • Assesses Vendor and Business Partner Risks — The entity assesses, on a periodic basis, the risks that vendors and business partners (and those entities’ vendors and business partners) represent to the achievement of the entity's objectives. • Assigns Responsibility and Accountability for Managing Vendors and Business Partners — The entity assigns responsibility and accountability for the management of risks associated with vendors and business partners. • Establishes Communication Protocols for Vendors and Business Partners — The entity establishes communication and resolution protocols for service or product issues related to vendors and business partners. • Establishes Exception Handling Procedures From Vendors and Business Partners — The entity establishes exception handling procedures for service or product issues related to vendors and business partners. • Assesses Vendor and Business Partner Performance — The entity periodically assesses the performance of vendors and business partners. • Implements Procedures for Addressing Issues Identified During Vendor and Business Partner Assessments — The entity implements procedures for addressing issues identified with vendor and business partner relationships. • Implements Procedures for Terminating Vendor and Business Partner Relationships — The entity implements procedures for terminating vendor and business partner relationships. Additional points of focus that apply only to an engagement using the trust services criteria for confidentiality: • Obtains Confidentiality Commitments from Vendors and Business Partners — The entity obtains confidentiality commitments that are consistent with the entity’s confidentiality commitments and requirements from vendors and business partners who have access to confidential information. • Assesses Compliance With Confidentiality Commitments of Vendors and Business Partners — On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity’s confidentiality commitments and requirements. Additional points of focus that apply only to an engagement using the trust services criteria for privacy: • Obtains Privacy Commitments from Vendors and Business Partners — The entity obtains privacy commitments, consistent with the entity’s privacy commitments and requirements, from vendors and business partners who have access to personal information. • Assesses Compliance with Privacy Commitments of Vendors and Business Partners — On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity’s privacy commitments and requirements and takes corrective action as necessary 20
SWIFT_CSCF_v2022 2.8.5 SWIFT_CSCF_v2022_2.8.5 SWIFT CSCF v2022 2.8.5 2. Reduce Attack Surface and Vulnerabilities Ensure a consistent and effective approach for the customers’ messaging monitoring. Shared n/a Ensure a consistent and effective approach for the customers’ messaging monitoring. link 8
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add 0d04cb93-a0f1-2f4b-4b1b-a72a1b510d08
Initiatives
usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
JSON