AzPolicyAdvertizer

last sync: 2024-Jul-26 18:17:39 UTC

Isolate information spills | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source

Azure Portal

Display name

Isolate information spills

22457e81-3ec6-5271-a786-c3ca284601dd

Version

1.1.0
Details on versioning

Category

Regulatory Compliance
Microsoft Learn

Description

CMA_0346 - Isolate information spills

Additional metadata

Name/Id: CMA_0346 / CMA_0346
Category: Operational
Title: Isolate information spills
Ownership: Customer
Description: Microsoft recommends that your organization isolate any contaminated information system or system component involved in an information spill. Your organization should consider creating and maintaining an overall security incident response plan. Incidents of data spillage may occur at any time. Therefore, you should be prepared to deal with these incidents immediately. It is recommended that you identify and document the steps that the organization follows in spillage scenarios to access, identify, and delete data. Automate manual repetitive tasks to speed up response time and reduce the burden on analysts. Manual tasks take longer to execute, slowing each incident and reducing how many incidents an analyst can handle. Manual tasks also increase analyst fatigue, which increases the risk of human error that causes delays, and degrades the ability of analysts to focus effectively on complex tasks. Use workflow automation features in Azure Security Center and Azure Sentinel to automatically trigger actions or run a playbook to respond to incoming security alerts. The playbook takes actions, such as sending notifications, disabling accounts, and isolating problematic networks. Learn more: https://docs.microsoft.com/security/benchmark/azure/security-controls-v2-incident-response#ir-6-containment-eradication-and-recovery--automate-the-incident-handling https://docs.microsoft.com/azure/security-center/workflow-automation https://docs.microsoft.com/azure/security-center/tutorial-security-incident#triage-security-alerts
Requirements: The customer is responsible for implementing this recommendation.

Mode

All

Type

BuiltIn

Preview

False

Deprecated

False

Effect

Default
Manual
Allowed
Manual, Disabled

RBAC role(s)

none

Rule aliases

none

Rule resource types

IF (1)
Microsoft.Resources/subscriptions

Compliance

The following 4 compliance controls are associated with this Policy definition 'Isolate information spills' (22457e81-3ec6-5271-a786-c3ca284601dd)

Control Domain	Control	Name	MetadataId	Category	Title	Owner	Requirements	Description	Info	Policy#
FedRAMP_High_R4	IR-9	FedRAMP_High_R4_IR-9	FedRAMP High IR-9	Incident Response	Information Spillage Response	Shared	n/a	The organization responds to information spills by: a. Identifying the specific information involved in the information system contamination; b. Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill; c. Isolating the contaminated information system or system component; d. Eradicating the information from the contaminated information system or component; e. Identifying other information systems or system components that may have been subsequently contaminated; and f. Performing other [Assignment: organization-defined actions]. Supplemental Guidance: Information spillage refers to instances where either classified or sensitive information is inadvertently placed on information systems that are not authorized to process such information. Such information spills often occur when information that is initially thought to be of lower sensitivity is transmitted to an information system and then is subsequently determined to be of higher sensitivity. At that point, corrective action is required. The nature of the organizational response is generally based upon the degree of sensitivity of the spilled information (e.g., security category or classification level), the security capabilities of the information system, the specific nature of contaminated storage media, and the access authorizations (e.g., security clearances) of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated. References: None.	link	7
FedRAMP_Moderate_R4	IR-9	FedRAMP_Moderate_R4_IR-9	FedRAMP Moderate IR-9	Incident Response	Information Spillage Response	Shared	n/a	The organization responds to information spills by: a. Identifying the specific information involved in the information system contamination; b. Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill; c. Isolating the contaminated information system or system component; d. Eradicating the information from the contaminated information system or component; e. Identifying other information systems or system components that may have been subsequently contaminated; and f. Performing other [Assignment: organization-defined actions]. Supplemental Guidance: Information spillage refers to instances where either classified or sensitive information is inadvertently placed on information systems that are not authorized to process such information. Such information spills often occur when information that is initially thought to be of lower sensitivity is transmitted to an information system and then is subsequently determined to be of higher sensitivity. At that point, corrective action is required. The nature of the organizational response is generally based upon the degree of sensitivity of the spilled information (e.g., security category or classification level), the security capabilities of the information system, the specific nature of contaminated storage media, and the access authorizations (e.g., security clearances) of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated. References: None.	link	7
NIST_SP_800-53_R4	IR-9	NIST_SP_800-53_R4_IR-9	NIST SP 800-53 Rev. 4 IR-9	Incident Response	Information Spillage Response	Shared	n/a	The organization responds to information spills by: a. Identifying the specific information involved in the information system contamination; b. Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill; c. Isolating the contaminated information system or system component; d. Eradicating the information from the contaminated information system or component; e. Identifying other information systems or system components that may have been subsequently contaminated; and f. Performing other [Assignment: organization-defined actions]. Supplemental Guidance: Information spillage refers to instances where either classified or sensitive information is inadvertently placed on information systems that are not authorized to process such information. Such information spills often occur when information that is initially thought to be of lower sensitivity is transmitted to an information system and then is subsequently determined to be of higher sensitivity. At that point, corrective action is required. The nature of the organizational response is generally based upon the degree of sensitivity of the spilled information (e.g., security category or classification level), the security capabilities of the information system, the specific nature of contaminated storage media, and the access authorizations (e.g., security clearances) of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated. References: None.	link	7
NIST_SP_800-53_R5	IR-9	NIST_SP_800-53_R5_IR-9	NIST SP 800-53 Rev. 5 IR-9	Incident Response	Information Spillage Response	Shared	n/a	Respond to information spills by: a. Assigning [Assignment: organization-defined personnel or roles] with responsibility for responding to information spills; b. Identifying the specific information involved in the system contamination; c. Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill; d. Isolating the contaminated system or system component; e. Eradicating the information from the contaminated system or component; f. Identifying other systems or system components that may have been subsequently contaminated; and g. Performing the following additional actions: [Assignment: organization-defined actions].	link	7

Initiatives usage

Initiative DisplayName	Initiative Id	Initiative Category	State	Type
FedRAMP High	d5264498-16f4-418a-b659-fa7ef418175f	Regulatory Compliance	GA	BuiltIn
FedRAMP Moderate	e95f5a9f-57ad-4d03-bb0b-b1d16db93693	Regulatory Compliance	GA	BuiltIn
NIST SP 800-53 Rev. 4	cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f	Regulatory Compliance	GA	BuiltIn
NIST SP 800-53 Rev. 5	179d1daa-458f-4e47-8086-2a68d0d6c38f	Regulatory Compliance	GA	BuiltIn

History

Date/Time (UTC ymd) (i)	Change type	Change detail
2022-09-27 16:35:32	change	Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40	add	22457e81-3ec6-5271-a786-c3ca284601dd

JSON compare

compare mode: version left: version right:

JSON

api-version=2021-06-01
EPAC