last sync: 2024-Apr-19 17:43:58 UTC

Define requirements for managing assets | Regulatory Compliance - Documentation

Azure BuiltIn Policy definition

Source: Azure Portal
Display name: Define requirements for managing assets
Id: 25a1f840-65d0-900a-43e4-bee253de04de
Version: 1.1.0
Category: Regulatory Compliance
Description: CMA_0125 - Define requirements for managing assets
Additional metadata:
Name/Id: CMA_0125 / CMA_0125
Category: Documentation
Title: Define requirements for managing assets
Ownership: Customer
Description: Microsoft recommends that your organization define requirements for asset management, including the handling of assets and the selection of control measures. Your organization should consider defining secure processes, in accordance with risk assessments and client requirements, for each stage of asset handling, and restricting access to client assets to the personnel responsible for tracking and managing them. Assets should be recorded, audited, and reviewed throughout the chain of custody, using security techniques such as spoiling and invisible/visible watermarking. Your organization should consider monitoring asset tracking checkpoints, such as registration, review, delivery, storage, removal, and destruction, among others considered valuable for your organization. It is recommended to retain asset movement transaction logs for at least one year. It is also recommended to assign unique identifiers, such as barcodes or unique tracking identifiers, to client assets and created media upon receipt. Microsoft recommends that your organization establish a process to log and lock assets that are delayed or returned if a shipment could not be delivered on time.

Microsoft recommends that your organization establish a decommissioning plan which includes: impact analysis; notification to service providers, users, and customers to decommission interfaces, interconnections, and others; schedule; validation before the archival process; license issues; removal of redundant equipment, cables, and others; and contract terminations, updates, and staff support. Your organization should also conduct a review after decommissioning. Where an asset cannot be accounted for, your organization may consider conducting an investigation to recover the item. It is recommended to document the results of rectifying, correcting, and taking disciplinary action to avoid future incidents.

It is recommended that the inventory count, the investigation, and any further inquiry (in case the asset remains missing) are carried out by different people. Your organization may notify clients of discrepancies and the results of investigations by following the escalation and client notification procedure. ISO 27799 recommends specific authorizations for managing assets, data, or software that contain personal health information. Your organization is recommended to determine the applicable legal and regulatory requirements for assets which have been recalled.

Per the New Zealand Information Security Manual, your organization should execute a leasing agreement for IT equipment that considers the following:
- Support when the equipment needs maintenance
- Control of remote maintenance, software updates, and fault diagnosis
- Sanitization of equipment prior to its return
- Requirement for the secure disposal of the IT equipment

The Manual also requires that your organization avoid adhering non-essential labels to the external surfaces of high assurance products. The Motion Picture Association (MPA) Content Security Best Practices recommend documenting workflows that track content and authorization checkpoints, including delivery (receipt/return), ingestion, movement, storage, and removal/destruction, for both physical and digital content.
Requirements: The customer is responsible for implementing this recommendation.
Mode: All
Type: BuiltIn
Preview: False
Deprecated: False
Effect: Default: Manual; Allowed: Manual, Disabled
RBAC role(s): none
Rule aliases: none
Rule resource types: IF (1) Microsoft.Resources/subscriptions
Compliance
The following 8 compliance controls are associated with this Policy definition 'Define requirements for managing assets' (25a1f840-65d0-900a-43e4-bee253de04de)
FedRAMP_High_R4 PE-16 (MetadataId: FedRAMP_High_R4_PE-16)
Control: FedRAMP High PE-16
Category: Physical And Environmental Protection
Title: Delivery And Removal
Owner: Shared
Requirements: n/a
Description: The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items. Supplemental Guidance: Effectively enforcing authorizations for entry and exit of information system components may require restricting access to delivery areas and possibly isolating the areas from the information system and media libraries. Related controls: CM-3, MA-2, MA-3, MP-5, SA-12. References: None.
Policy#: 2

FedRAMP_Moderate_R4 PE-16 (MetadataId: FedRAMP_Moderate_R4_PE-16)
Control: FedRAMP Moderate PE-16
Category: Physical And Environmental Protection
Title: Delivery And Removal
Owner: Shared
Requirements: n/a
Description: The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items. Supplemental Guidance: Effectively enforcing authorizations for entry and exit of information system components may require restricting access to delivery areas and possibly isolating the areas from the information system and media libraries. Related controls: CM-3, MA-2, MA-3, MP-5, SA-12. References: None.
Policy#: 2

hipaa 0505.09m2Organizational.3-09.m (MetadataId: hipaa-0505.09m2Organizational.3-09.m)
Control: 0505.09m2Organizational.3-09.m
Category: 05 Wireless Security
Title: 0505.09m2Organizational.3-09.m 09.06 Network Security Management
Owner: Shared
Requirements: n/a
Description: Quarterly scans are performed to identify unauthorized wireless access points, and appropriate action is taken if any unauthorized access points are discovered.
Policy#: 8

ISO27001-2013 A.11.1.6 (MetadataId: ISO27001-2013_A.11.1.6)
Control: ISO 27001:2013 A.11.1.6
Category: Physical And Environmental Security
Title: Delivering and loading areas
Owner: Shared
Requirements: n/a
Description: Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.
Policy#: 5

ISO27001-2013 A.11.2.5 (MetadataId: ISO27001-2013_A.11.2.5)
Control: ISO 27001:2013 A.11.2.5
Category: Physical And Environmental Security
Title: Removal of assets
Owner: Shared
Requirements: n/a
Description: Equipment, information or software shall not be taken off-site without prior authorization.
Policy#: 6

ISO27001-2013 A.8.2.3 (MetadataId: ISO27001-2013_A.8.2.3)
Control: ISO 27001:2013 A.8.2.3
Category: Asset Management
Title: Handling of assets
Owner: Shared
Requirements: n/a
Description: Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization.
Policy#: 26

NIST_SP_800-53_R4 PE-16 (MetadataId: NIST_SP_800-53_R4_PE-16)
Control: NIST SP 800-53 Rev. 4 PE-16
Category: Physical And Environmental Protection
Title: Delivery And Removal
Owner: Shared
Requirements: n/a
Description: The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items. Supplemental Guidance: Effectively enforcing authorizations for entry and exit of information system components may require restricting access to delivery areas and possibly isolating the areas from the information system and media libraries. Related controls: CM-3, MA-2, MA-3, MP-5, SA-12. References: None.
Policy#: 2

NIST_SP_800-53_R5 PE-16 (MetadataId: NIST_SP_800-53_R5_PE-16)
Control: NIST SP 800-53 Rev. 5 PE-16
Category: Physical and Environmental Protection
Title: Delivery and Removal
Owner: Shared
Requirements: n/a
Description: a. Authorize and control [Assignment: organization-defined types of system components] entering and exiting the facility; and b. Maintain records of the system components.
Policy#: 2
Initiatives usage
Initiative DisplayName   | Initiative Id                        | Initiative Category   | State | Type
FedRAMP High             | d5264498-16f4-418a-b659-fa7ef418175f | Regulatory Compliance | GA    | BuiltIn
FedRAMP Moderate         | e95f5a9f-57ad-4d03-bb0b-b1d16db93693 | Regulatory Compliance | GA    | BuiltIn
HITRUST/HIPAA            | a169a624-5599-4385-a696-c8d643089fab | Regulatory Compliance | GA    | BuiltIn
ISO 27001:2013           | 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 | Regulatory Compliance | GA    | BuiltIn
NIST SP 800-53 Rev. 4    | cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f | Regulatory Compliance | GA    | BuiltIn
NIST SP 800-53 Rev. 5    | 179d1daa-458f-4e47-8086-2a68d0d6c38f | Regulatory Compliance | GA    | BuiltIn
History
Date/Time (UTC, ymd) | Change type | Change detail
2022-09-27 16:35:32  | change      | Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40  | add         | 25a1f840-65d0-900a-43e4-bee253de04de