last sync: 2024-Apr-24 17:46:58 UTC

Implement security directives | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Implement security directives
Id 26d178a4-9261-6f04-a100-47ed85314c6e
Version 1.1.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description CMA_C1706 - Implement security directives
Additional metadata Name/Id: CMA_C1706 / CMA_C1706
Category: Operational
Title: Implement security directives
Ownership: Customer
Description: The customer is responsible for implementing security directives in accordance with established time frames, or notifying the issuing organization of the degree of noncompliance.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 8 compliance controls are associated with this Policy definition 'Implement security directives' (26d178a4-9261-6f04-a100-47ed85314c6e)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 SI-5 FedRAMP_High_R4_SI-5 FedRAMP High SI-5 System And Information Integrity Security Alerts, Advisories, And Directives Shared n/a The organization: a. Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis; b. Generates internal security alerts, advisories, and directives as deemed necessary; c. Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and d. Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance. Supplemental Guidance: The United States Computer Emergency Readiness Team (US-CERT) generates security alerts and advisories to maintain situational awareness across the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance to security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include, for example, external mission/business partners, supply chain partners, external service providers, and other peer/supporting organizations. Related control: SI-2. References: NIST Special Publication 800-40. link 4
FedRAMP_Moderate_R4 SI-5 FedRAMP_Moderate_R4_SI-5 FedRAMP Moderate SI-5 System And Information Integrity Security Alerts, Advisories, And Directives Shared n/a The organization: a. Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis; b. Generates internal security alerts, advisories, and directives as deemed necessary; c. Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and d. Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance. Supplemental Guidance: The United States Computer Emergency Readiness Team (US-CERT) generates security alerts and advisories to maintain situational awareness across the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance to security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include, for example, external mission/business partners, supply chain partners, external service providers, and other peer/supporting organizations. Related control: SI-2. References: NIST Special Publication 800-40. link 4
hipaa 1222.09ab3System.8-09.ab hipaa-1222.09ab3System.8-09.ab 1222.09ab3System.8-09.ab 12 Audit Logging & Monitoring 1222.09ab3System.8-09.ab 09.10 Monitoring Shared n/a The organization analyzes and correlates audit records across different repositories using a security information and event management (SIEM) tool or log analytics tools for log aggregation and consolidation from multiple systems/machines/devices, and correlates this information with input from non-technical sources to gain and enhance organization-wide situational awareness. Using the SIEM tool, the organization devise profiles of common events from given systems/machines/devices so that it can tune detection to focus on unusual activity, avoid false positives, more rapidly identify anomalies, and prevent overwhelming analysts with insignificant alerts. 10
ISO27001-2013 A.6.1.4 ISO27001-2013_A.6.1.4 ISO 27001:2013 A.6.1.4 Organization of Information Security Contact with special interest groups Shared n/a Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained. link 6
NIST_SP_800-171_R2_3 .14.3 NIST_SP_800-171_R2_3.14.3 NIST SP 800-171 R2 3.14.3 System and Information Integrity Monitor system security alerts and advisories and take action in response. Shared Microsoft and the customer share responsibilities for implementing this requirement. There are many publicly available sources of system security alerts and advisories. For example, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness across the federal government and in nonfederal organizations. Software vendors, subscription services, and industry information sharing and analysis centers (ISACs) may also provide security alerts and advisories. Examples of response actions include notifying relevant external organizations, for example, external mission/business partners, supply chain partners, external service providers, and peer or supporting organizations. [SP 800-161] provides guidance on supply chain risk management. link 15
NIST_SP_800-53_R4 SI-5 NIST_SP_800-53_R4_SI-5 NIST SP 800-53 Rev. 4 SI-5 System And Information Integrity Security Alerts, Advisories, And Directives Shared n/a The organization: a. Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis; b. Generates internal security alerts, advisories, and directives as deemed necessary; c. Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and d. Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance. Supplemental Guidance: The United States Computer Emergency Readiness Team (US-CERT) generates security alerts and advisories to maintain situational awareness across the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance to security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include, for example, external mission/business partners, supply chain partners, external service providers, and other peer/supporting organizations. Related control: SI-2. References: NIST Special Publication 800-40. link 4
NIST_SP_800-53_R5 SI-5 NIST_SP_800-53_R5_SI-5 NIST SP 800-53 Rev. 5 SI-5 System and Information Integrity Security Alerts, Advisories, and Directives Shared n/a a. Receive system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis; b. Generate internal security alerts, advisories, and directives as deemed necessary; c. Disseminate security alerts, advisories, and directives to: [Selection (OneOrMore): [Assignment: organization-defined personnel or roles] ; [Assignment: organization-defined elements within the organization] ; [Assignment: organization-defined external organizations] ] ; and d. Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance. link 4
PCI_DSS_v4.0 6.3.1 PCI_DSS_v4.0_6.3.1 PCI DSS v4.0 6.3.1 Requirement 06: Develop and Maintain Secure Systems and Software Security vulnerabilities are identified and addressed Shared n/a Security vulnerabilities are identified and managed as follows: • New security vulnerabilities are identified using industry-recognized sources for security vulnerability information, including alerts from international and national computer emergency response teams (CERTs). • Vulnerabilities are assigned a risk ranking based on industry best practices and consideration of potential impact. • Risk rankings identify, at a minimum, all vulnerabilities considered to be a high-risk or critical to the environment. • Vulnerabilities for bespoke and custom, and third-party software (for example operating systems and databases) are covered. link 4
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add 26d178a4-9261-6f04-a100-47ed85314c6e
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC