last sync: 2024-Apr-19 17:43:58 UTC

Conduct risk assessment and document its results | Regulatory Compliance - Documentation

Azure BuiltIn Policy definition

Source Azure Portal
Display name Conduct risk assessment and document its results
Id 1dbd51c2-2bd1-5e26-75ba-ed075d8f0d68
Version 1.1.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description CMA_C1542 - Conduct risk assessment and document its results
Additional metadata Name/Id: CMA_C1542 / CMA_C1542
Category: Documentation
Title: Conduct risk assessment and document its results
Ownership: Customer
Description: The customer is responsible for conducting a risk assessment and documenting the risk assessment results in the security plan, risk assessment report, and/or other customer-defined document.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 19 compliance controls are associated with this Policy definition 'Conduct risk assessment and document its results' (1dbd51c2-2bd1-5e26-75ba-ed075d8f0d68)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 RA-3 FedRAMP_High_R4_RA-3 FedRAMP High RA-3 Risk Assessment Risk Assessment Shared n/a The organization: a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]]; c. Reviews risk assessment results [Assignment: organization-defined frequency]; d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system. Supplemental Guidance: Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems. Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation. Related controls: RA-2, PM-9. Control Enhancements: None. References: OMB Memorandum 04-04; NIST Special Publication 800-30, 800-39; Web:idmanagement.gov. link 4
FedRAMP_Moderate_R4 RA-3 FedRAMP_Moderate_R4_RA-3 FedRAMP Moderate RA-3 Risk Assessment Risk Assessment Shared n/a The organization: a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]]; c. Reviews risk assessment results [Assignment: organization-defined frequency]; d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system. Supplemental Guidance: Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems. Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation. Related controls: RA-2, PM-9. Control Enhancements: None. References: OMB Memorandum 04-04; NIST Special Publication 800-30, 800-39; Web:idmanagement.gov. link 4
hipaa 0121.05a2Organizational.12-05.a hipaa-0121.05a2Organizational.12-05.a 0121.05a2Organizational.12-05.a 01 Information Protection Program 0121.05a2Organizational.12-05.a 05.01 Internal Organization Shared n/a The organization's information protection and risk management programs, including the risk assessment process, are formally approved, and are reviewed for effectiveness and updated annually. 6
hipaa 0125.05a3Organizational.2-05.a hipaa-0125.05a3Organizational.2-05.a 0125.05a3Organizational.2-05.a 01 Information Protection Program 0125.05a3Organizational.2-05.a 05.01 Internal Organization Shared n/a Annual risk assessments are performed by an independent organization. 8
hipaa 069.06g2Organizational.56-06.g hipaa-069.06g2Organizational.56-06.g 069.06g2Organizational.56-06.g 06 Configuration Management 069.06g2Organizational.56-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance Shared n/a The internal security organization reviews and maintains records of compliance results (e.g., organization-defined metrics) in order to better track security trends within the organization, respond to the results of correlation and analysis, and address longer term areas of concern as part of its formal risk assessment process. 7
hipaa 0824.09m3Organizational.1-09.m hipaa-0824.09m3Organizational.1-09.m 0824.09m3Organizational.1-09.m 08 Network Protection 0824.09m3Organizational.1-09.m 09.06 Network Security Management Shared n/a The impact of the loss of network service to the business is defined. 10
hipaa 1637.12b2Organizational.2-12.b hipaa-1637.12b2Organizational.2-12.b 1637.12b2Organizational.2-12.b 16 Business Continuity & Disaster Recovery 1637.12b2Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management Shared n/a Business impact analyses are used to evaluate the consequences of disasters, security failures, loss of service, and service availability. 8
hipaa 17126.03c1System.6-03.c hipaa-17126.03c1System.6-03.c 17126.03c1System.6-03.c 17 Risk Management 17126.03c1System.6-03.c 03.01 Risk Management Program Shared n/a The organization has implemented an integrated control system characterized using different control types (e.g., layered, preventative, detective, corrective, and compensating) that mitigates identified risks. 3
hipaa 1733.03d1Organizational.1-03.d hipaa-1733.03d1Organizational.1-03.d 1733.03d1Organizational.1-03.d 17 Risk Management 1733.03d1Organizational.1-03.d 03.01 Risk Management Program Shared n/a The risk management program includes the requirement that risk assessments be re-evaluated at least annually, or when there are significant changes in the environment. 3
hipaa 1736.03d2Organizational.4-03.d hipaa-1736.03d2Organizational.4-03.d 1736.03d2Organizational.4-03.d 17 Risk Management 1736.03d2Organizational.4-03.d 03.01 Risk Management Program Shared n/a The organization updates the risk assessment before issuing a new formal authorization to operate or within every three years, whichever comes first, or when conditions occur that may impact the security or authorization state of the system. 1
hipaa 1737.03d2Organizational.5-03.d hipaa-1737.03d2Organizational.5-03.d 1737.03d2Organizational.5-03.d 17 Risk Management 1737.03d2Organizational.5-03.d 03.01 Risk Management Program Shared n/a The privacy, security and risk management program(s) is/are updated to reflect changes in risks. 4
ISO27001-2013 A.12.6.1 ISO27001-2013_A.12.6.1 ISO 27001:2013 A.12.6.1 Operations Security Management of technical vulnerabilities Shared n/a Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk. link 13
ISO27001-2013 C.8.2 ISO27001-2013_C.8.2 ISO 27001:2013 C.8.2 Operation Information security risk assessment Shared n/a The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a). The organization shall retain documented information of the results of the information security risk assessments. link 3
NIST_SP_800-53_R4 RA-3 NIST_SP_800-53_R4_RA-3 NIST SP 800-53 Rev. 4 RA-3 Risk Assessment Risk Assessment Shared n/a The organization: a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]]; c. Reviews risk assessment results [Assignment: organization-defined frequency]; d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system. Supplemental Guidance: Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems. Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation. Related controls: RA-2, PM-9. Control Enhancements: None. References: OMB Memorandum 04-04; NIST Special Publication 800-30, 800-39; Web:idmanagement.gov. link 4
NIST_SP_800-53_R5 RA-3 NIST_SP_800-53_R5_RA-3 NIST SP 800-53 Rev. 5 RA-3 Risk Assessment Risk Assessment Shared n/a a. Conduct a risk assessment, including: 1. Identifying threats to and vulnerabilities in the system; 2. Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and 3. Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information; b. Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments; c. Document risk assessment results in [Selection: security and privacy plans;risk assessment report; [Assignment: organization-defined document] ] ; d. Review risk assessment results [Assignment: organization-defined frequency]; e. Disseminate risk assessment results to [Assignment: organization-defined personnel or roles]; and f. Update the risk assessment [Assignment: organization-defined frequency] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system. link 4
PCI_DSS_v4.0 12.3.1 PCI_DSS_v4.0_12.3.1 PCI DSS v4.0 12.3.1 Requirement 12: Support Information Security with Organizational Policies and Programs Risks to the cardholder data environment are formally identified, evaluated, and managed Shared n/a Each PCI DSS requirement that provides flexibility for how frequently it is performed (for example, requirements to be performed periodically) is supported by a targeted risk analysis that is documented and includes: • Identification of the assets being protected. • Identification of the threat(s) that the requirement is protecting against. • Identification of factors that contribute to the likelihood and/or impact of a threat being realized. • Resulting analysis that determines, and includes justification for, how frequently the requirement must be performed to minimize the likelihood of the threat being realized. • Review of each targeted risk analysis at least once every 12 months to determine whether the results are still valid or if an updated risk analysis is needed. • Performance of updated risk analyses when needed, as determined by the annual review. link 4
PCI_DSS_v4.0 12.3.2 PCI_DSS_v4.0_12.3.2 PCI DSS v4.0 12.3.2 Requirement 12: Support Information Security with Organizational Policies and Programs Risks to the cardholder data environment are formally identified, evaluated, and managed Shared n/a A targeted risk analysis is performed for each PCI DSS requirement that the entity meets with the customized approach, to include: • Documented evidence detailing each element specified in Appendix D: Customized Approach (including, at a minimum, a controls matrix and risk analysis). • Approval of documented evidence by senior management. • Performance of the targeted analysis of risk at least once every 12 months. link 4
PCI_DSS_v4.0 5.2.3.1 PCI_DSS_v4.0_5.2.3.1 PCI DSS v4.0 5.2.3.1 Requirement 05: Protect All Systems and Networks from Malicious Software Malicious software (malware) is prevented, or detected and addressed Shared n/a The frequency of periodic evaluations of system components identified as not at risk for malware is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. link 3
SWIFT_CSCF_v2022 7.4A SWIFT_CSCF_v2022_7.4A SWIFT CSCF v2022 7.4A 7. Plan for Incident Response and Information Sharing Evaluate the risk and readiness of the organisation based on plausible cyber-attack scenarios. Shared n/a Scenario-based risk assessments are conducted regularly to improve incident response preparedness and to increase the maturity of the organisation’s security programme. link 7
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40 add 1dbd51c2-2bd1-5e26-75ba-ed075d8f0d68
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC