last sync: 2023-Jan-27 18:40:07 UTC

Azure Policy definition

Develop business classification schemes

Name Develop business classification schemes
Azure Portal
Id 11ba0508-58a8-44de-5f3a-9e05d80571da
Version 1.1.0
details on versioning
Category Regulatory Compliance
Microsoft docs
Description CMA_0155 - Develop business classification schemes
Mode All
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default
Manual
Allowed
Manual, Disabled
RBAC
Role(s)
none
Rule
Aliases
Rule
ResourceTypes
IF (1)
Microsoft.Resources/subscriptions
Compliance The following 9 compliance controls are associated with this Policy definition 'Develop business classification schemes' (11ba0508-58a8-44de-5f3a-9e05d80571da)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 RA-2 FedRAMP_High_R4_RA-2 FedRAMP High RA-2 Risk Assessment Security Categorization Shared n/a The organization: a. Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and c. Ensures that the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative. Supplemental Guidance: Clearly defined authorization boundaries are a prerequisite for effective security categorization decisions. Security categories describe the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are comprised through a loss of confidentiality, integrity, or availability. Organizations conduct the security categorization process as an organization-wide activity with the involvement of chief information officers, senior information security officers, information system owners, mission/business owners, and information owners/stewards. Organizations also consider the potential adverse impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level adverse impacts. Security categorization processes carried out by organizations facilitate the development of inventories of information assets, and along with CM-8, mappings to specific information system components where information is processed, stored, or transmitted. Related controls: CM-8, MP-4, RA-3, SC-7. Control Enhancements: None. References: FIPS Publication 199; NIST Special Publications 800-30, 800-39, 800-60. link 4
FedRAMP_Moderate_R4 RA-2 FedRAMP_Moderate_R4_RA-2 FedRAMP Moderate RA-2 Risk Assessment Security Categorization Shared n/a The organization: a. Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and c. Ensures that the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative. Supplemental Guidance: Clearly defined authorization boundaries are a prerequisite for effective security categorization decisions. Security categories describe the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are comprised through a loss of confidentiality, integrity, or availability. Organizations conduct the security categorization process as an organization-wide activity with the involvement of chief information officers, senior information security officers, information system owners, mission/business owners, and information owners/stewards. Organizations also consider the potential adverse impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level adverse impacts. Security categorization processes carried out by organizations facilitate the development of inventories of information assets, and along with CM-8, mappings to specific information system components where information is processed, stored, or transmitted. Related controls: CM-8, MP-4, RA-3, SC-7. Control Enhancements: None. References: FIPS Publication 199; NIST Special Publications 800-30, 800-39, 800-60. link 4
hipaa 0901.09s1Organizational.1-09.s hipaa-0901.09s1Organizational.1-09.s 0901.09s1Organizational.1-09.s 09 Transmission Protection 0901.09s1Organizational.1-09.s 09.08 Exchange of Information Shared n/a The organization formally addresses multiple safeguards before allowing the use of information systems for information exchange. 31
hipaa 19143.06c1Organizational.9-06.c hipaa-19143.06c1Organizational.9-06.c 19143.06c1Organizational.9-06.c 19 Data Protection & Privacy 19143.06c1Organizational.9-06.c 06.01 Compliance with Legal Requirements Shared n/a Designated senior management within the organization reviews and approves the security categorizations and associated guidelines. 6
ISO27001-2013 A.8.2.1 ISO27001-2013_A.8.2.1 ISO 27001:2013 A.8.2.1 Asset Management Classification of information Shared n/a Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification. link 5
NIST_SP_800-53_R4 RA-2 NIST_SP_800-53_R4_RA-2 NIST SP 800-53 Rev. 4 RA-2 Risk Assessment Security Categorization Shared n/a The organization: a. Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and c. Ensures that the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative. Supplemental Guidance: Clearly defined authorization boundaries are a prerequisite for effective security categorization decisions. Security categories describe the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are comprised through a loss of confidentiality, integrity, or availability. Organizations conduct the security categorization process as an organization-wide activity with the involvement of chief information officers, senior information security officers, information system owners, mission/business owners, and information owners/stewards. Organizations also consider the potential adverse impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level adverse impacts. Security categorization processes carried out by organizations facilitate the development of inventories of information assets, and along with CM-8, mappings to specific information system components where information is processed, stored, or transmitted. Related controls: CM-8, MP-4, RA-3, SC-7. Control Enhancements: None. References: FIPS Publication 199; NIST Special Publications 800-30, 800-39, 800-60. link 4
NIST_SP_800-53_R5 RA-2 NIST_SP_800-53_R5_RA-2 NIST SP 800-53 Rev. 5 RA-2 Risk Assessment Security Categorization Shared n/a a. Categorize the system and information it processes, stores, and transmits; b. Document the security categorization results, including supporting rationale, in the security plan for the system; and c. Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision. link 4
SOC_2 CC3.1 SOC_2_CC3.1 SOC 2 Type 2 CC3.1 Risk Assessment COSO Principle 6 Shared The customer is responsible for implementing this recommendation. • Reflects Management's Choices — Operations objectives reflect management's choices about structure, industry considerations, and performance of the entity. • Considers Tolerances for Risk — Management considers the acceptable levels of variation relative to the achievement of operations objectives. • Includes Operations and Financial Performance Goals — The organization reflects the desired level of operations and financial performance for the entity within operations objectives. • Forms a Basis for Committing of Resources — Management uses operations objectives as a basis for allocating resources needed to attain desired operations and financial performance. External Financial Reporting Objectives • Complies With Applicable Accounting Standards — Financial reporting objectives are consistent with accounting principles suitable and available for that entity. The accounting principles selected are appropriate in the circumstances. • Considers Materiality — Management considers materiality in financial statement presentation. • Reflects Entity Activities — External reporting reflects the underlying transactions and events to show qualitative characteristics and assertions. External Nonfinancial Reporting Objectives • Complies With Externally Established Frameworks — Management establishes objectives consistent with laws and regulations or standards and frameworks of recognized external organizations. • Considers the Required Level of Precision — Management reflects the required level of precision and accuracy suitable for user needs and based on criteria established by third parties in nonfinancial reporting. • Reflects Entity Activities — External reporting reflects the underlying transactions and events within a range of acceptable limits. Internal Reporting Objectives • Reflects Management's Choices — Internal reporting provides management with accurate and complete information regarding management's choices and information Page 22 TSP Ref. # TRUST SERVICES CRITERIA AND POINTS OF FOCUS needed in managing the entity. • Considers the Required Level of Precision — Management reflects the required level of precision and accuracy suitable for user needs in nonfinancial reporting objectives and materiality within financial reporting objectives. • Reflects Entity Activities — Internal reporting reflects the underlying transactions and events within a range of acceptable limits. Compliance Objectives • Reflects External Laws and Regulations — Laws and regulations establish minimum standards of conduct, which the entity integrates into compliance objectives. • Considers Tolerances for Risk — Management considers the acceptable levels of variation relative to the achievement of operations objectives 7
SOC_2 CC3.2 SOC_2_CC3.2 SOC 2 Type 2 CC3.2 Risk Assessment COSO Principle 7 Shared The customer is responsible for implementing this recommendation. Points of focus specified in the COSO framework: • Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels — The entity identifies and assesses risk at the entity, subsidiary, division, operating unit, and functional levels relevant to the achievement of objectives. • Analyzes Internal and External Factors — Risk identification considers both internal and external factors and their impact on the achievement of objectives. • Involves Appropriate Levels of Management — The entity puts into place effective risk assessment mechanisms that involve appropriate levels of management. • Estimates Significance of Risks Identified — Identified risks are analyzed through a process that includes estimating the potential significance of the risk. • Determines How to Respond to Risks — Risk assessment includes considering how the risk should be managed and whether to accept, avoid, reduce, or share the risk. Additional points of focus specifically related to all engagements using the trust services criteria: • Identifies and Assesses Criticality of Information Assets and Identifies Threats and Vulnerabilities — The entity's risk identification and assessment process includes (1) identifying information assets, including physical devices and systems, virtual devices, software, data and data flows, external information systems, and organizational roles; (2) assessing the criticality of those information assets; (3) identifying the threats to the assets from intentional (including malicious) and unintentional acts and environmental events; and (4) identifying the vulnerabilities of the identified assets. • Analyzes Threats and Vulnerabilities From Vendors, Business Partners, and Other Parties — The entity's risk assessment process includes the analysis of potential threats and vulnerabilities arising from vendors providing goods and services, as well as threats and vulnerabilities arising from business partners, customers, and others with access to the entity's information systems. • Considers the Significance of the Risk — The entity’s consideration of the potential significance of the identified risks includes (1) determining the criticality of identified assets in meeting objectives; (2) assessing the impact of identified threats and vulnerabilities in meeting objectives; (3) assessing the likelihood of identified threats; and (4) determining the risk associated with assets based on asset criticality, threat impact, and likelihood. 11
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add 11ba0508-58a8-44de-5f3a-9e05d80571da
Initiatives
usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
JSON
changes

JSON