last sync: 2023-Jun-02 17:44:47 UTC

Azure Policy definition

Review development process, standards and tools

Name Review development process, standards and tools
Azure Portal
Id 1e876c5c-0f2a-8eb6-69f7-5f91e7918ed6
Version 1.1.0
details on versioning
Category Regulatory Compliance
Microsoft docs
Description CMA_C1610 - Review development process, standards and tools
Mode All
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default
Manual
Allowed
Manual, Disabled
RBAC
Role(s)
none
Rule
Aliases
Rule
ResourceTypes
IF (1)
Microsoft.Resources/subscriptions
Compliance The following 10 compliance controls are associated with this Policy definition 'Review development process, standards and tools' (1e876c5c-0f2a-8eb6-69f7-5f91e7918ed6)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 SA-15 FedRAMP_High_R4_SA-15 FedRAMP High SA-15 System And Services Acquisition Development Process, Standards, And Tools Shared n/a The organization: a. Requires the developer of the information system, system component, or information system service to follow a documented development process that: 1. Explicitly addresses security requirements; 2. Identifies the standards and tools used in the development process; 3. Documents the specific tool options and tool configurations used in the development process; and 4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and b. Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization- defined security requirements]. Supplemental Guidance: Development tools include, for example, programming languages and computer-aided design (CAD) systems. Reviews of development processes can include, for example, the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes enables accurate supply chain risk assessment and mitigation, and requires robust configuration control throughout the life cycle (including design, development, transport, delivery, integration, and maintenance) to track authorized changes and prevent unauthorized changes. Related controls: SA-3, SA-8. References: None. link 1
hipaa 0635.10k1Organizational.12-10.k hipaa-0635.10k1Organizational.12-10.k 0635.10k1Organizational.12-10.k 06 Configuration Management 0635.10k1Organizational.12-10.k 10.05 Security In Development and Support Processes Shared n/a Managers responsible for application systems are also responsible for the strict control (security) of the project or support environment and ensure that all proposed system changes are reviewed to check that they do not compromise the security of either the system or the operating environment. 9
hipaa 0641.10k2Organizational.11-10.k hipaa-0641.10k2Organizational.11-10.k 0641.10k2Organizational.11-10.k 06 Configuration Management 0641.10k2Organizational.11-10.k 10.05 Security In Development and Support Processes Shared n/a The organization does not use automated updates on critical systems. 13
hipaa 1790.10a2Organizational.45-10.a hipaa-1790.10a2Organizational.45-10.a 1790.10a2Organizational.45-10.a 17 Risk Management 1790.10a2Organizational.45-10.a 10.01 Security Requirements of Information Systems Shared n/a The organization includes business requirements for the availability of information systems when specifying the security requirements; and, where availability cannot be guaranteed using existing architectures, redundant components or architectures are considered along with the risks associated with implementing such redundancies. 6
ISO27001-2013 A.14.1.1 ISO27001-2013_A.14.1.1 ISO 27001:2013 A.14.1.1 System Acquisition, Development And Maintenance Information security requirements analysis and specification Shared n/a The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems. link 24
ISO27001-2013 A.14.2.1 ISO27001-2013_A.14.2.1 ISO 27001:2013 A.14.2.1 System Acquisition, Development And Maintenance Secure development policy Shared n/a Rules for the development of software and systems shall be established and applied to developments within the organization. link 7
ISO27001-2013 A.14.2.5 ISO27001-2013_A.14.2.5 ISO 27001:2013 A.14.2.5 System Acquisition, Development And Maintenance Secure system engineering principles Shared n/a Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts. link 5
ISO27001-2013 A.6.1.5 ISO27001-2013_A.6.1.5 ISO 27001:2013 A.6.1.5 Organization of Information Security Information security in project management Shared n/a Information security shall be addressed in project management, regardless of the type of the project. link 25
NIST_SP_800-53_R4 SA-15 NIST_SP_800-53_R4_SA-15 NIST SP 800-53 Rev. 4 SA-15 System And Services Acquisition Development Process, Standards, And Tools Shared n/a The organization: a. Requires the developer of the information system, system component, or information system service to follow a documented development process that: 1. Explicitly addresses security requirements; 2. Identifies the standards and tools used in the development process; 3. Documents the specific tool options and tool configurations used in the development process; and 4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and b. Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization- defined security requirements]. Supplemental Guidance: Development tools include, for example, programming languages and computer-aided design (CAD) systems. Reviews of development processes can include, for example, the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes enables accurate supply chain risk assessment and mitigation, and requires robust configuration control throughout the life cycle (including design, development, transport, delivery, integration, and maintenance) to track authorized changes and prevent unauthorized changes. Related controls: SA-3, SA-8. References: None. link 1
NIST_SP_800-53_R5 SA-15 NIST_SP_800-53_R5_SA-15 NIST SP 800-53 Rev. 5 SA-15 System and Services Acquisition Development Process, Standards, and Tools Shared n/a a. Require the developer of the system, system component, or system service to follow a documented development process that: 1. Explicitly addresses security and privacy requirements; 2. Identifies the standards and tools used in the development process; 3. Documents the specific tool options and tool configurations used in the development process; and 4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and b. Review the development process, standards, tools, tool options, and tool configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: [Assignment: organization-defined security and privacy requirements]. link 1
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40 add 1e876c5c-0f2a-8eb6-69f7-5f91e7918ed6
Initiatives
usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
JSON