last sync: 2024-Jun-14 18:20:16 UTC

Establish and maintain an asset inventory | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Establish and maintain an asset inventory
Id 27965e62-141f-8cca-426f-d09514ee5216
Version 1.1.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description CMA_0266 - Establish and maintain an asset inventory
Additional metadata Name/Id: CMA_0266 / CMA_0266
Category: Operational
Title: Establish and maintain an asset inventory
Ownership: Customer
Description: Microsoft recommends that your organization maintain an inventory to classify physical and virtual assets/system components (i.e. Hardware, devices, and software) which reflect the current system in a central repository. Microsoft recommends that your organization include a means for identifying individuals responsible for the administration of each asset/system component along with an auditable chain of custody. It is also recommended to use automated mechanisms to track the location and movement of system components within defined controlled areas / by geographic location. For maintaining devices, your organization can consider documenting the model, serial number, time/date of creation, movement or destruction and location of the device. Your organization may review and update the asset inventory on a monthly basis or when there are significant changes to the system such as installations, removals/asset recalls, and system updates. Microsoft recommends that your organization develop a data classification scheme to categorize physical assets of differing security requirements. It is also recommended that your organization develop and document an inventory of information system components that includes all components within the authorization boundary of the information system. Your organization should consider verifying that all components within the authorization boundary of the information system are not duplicated in other inventories. Your organization may consider employing automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components as well as to detect the presence of unauthorized hardware, software, and firmware components within the information system. When unauthorized components are detected, it is recommended that your organization disable network access by such components; isolate the components; and notify relevant personnel. The Payment Card Industry Data Security Standard (PCI DSS) requires organizations to maintain a list of all in-scope assets/system components within the cardholder data environment.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 34 compliance controls are associated with this Policy definition 'Establish and maintain an asset inventory' (27965e62-141f-8cca-426f-d09514ee5216)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 CM-8(4) FedRAMP_High_R4_CM-8(4) FedRAMP High CM-8 (4) Configuration Management Accountability Information Shared n/a The organization includes in the information system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible/accountable for administering those components. Supplemental Guidance: Identifying individuals who are both responsible and accountable for administering information system components helps to ensure that the assigned components are properly administered and organizations can contact those individuals if some action is required (e.g., component is determined to be the source of a breach/compromise, component needs to be recalled/replaced, or component needs to be relocated). link 2
FedRAMP_High_R4 PE-3 FedRAMP_High_R4_PE-3 FedRAMP High PE-3 Physical And Environmental Protection Physical Access Control Shared n/a The organization: a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by; 1. Verifying individual access authorizations before granting access to the facility; and 2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards]; b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points]; c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible; d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring]; e. Secures keys, combinations, and other physical access devices; f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated. Supplemental Guidance: This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3. Supplemental Guidance: Related controls: CA-2, CA-7. link 4
FedRAMP_Moderate_R4 PE-3 FedRAMP_Moderate_R4_PE-3 FedRAMP Moderate PE-3 Physical And Environmental Protection Physical Access Control Shared n/a The organization: a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by; 1. Verifying individual access authorizations before granting access to the facility; and 2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards]; b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points]; c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible; d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring]; e. Secures keys, combinations, and other physical access devices; f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated. Supplemental Guidance: This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3. Supplemental Guidance: Related controls: CA-2, CA-7. link 4
hipaa 0701.07a1Organizational.12-07.a hipaa-0701.07a1Organizational.12-07.a 0701.07a1Organizational.12-07.a 07 Vulnerability Management 0701.07a1Organizational.12-07.a 07.01 Responsibility for Assets Shared n/a An inventory of assets and services is maintained. 7
hipaa 0703.07a2Organizational.1-07.a hipaa-0703.07a2Organizational.1-07.a 0703.07a2Organizational.1-07.a 07 Vulnerability Management 0703.07a2Organizational.1-07.a 07.01 Responsibility for Assets Shared n/a The inventory of all authorized assets includes the owner of the information asset, custodianship, categorizes the information asset according to criticality and information classification, and identifies protection and sustainment requirements commensurate with the asset's categorization. 3
hipaa 0704.07a3Organizational.12-07.a hipaa-0704.07a3Organizational.12-07.a 0704.07a3Organizational.12-07.a 07 Vulnerability Management 0704.07a3Organizational.12-07.a 07.01 Responsibility for Assets Shared n/a Organizational inventories of IT assets are updated during installations, removals, and system changes, with full physical inventories performed for capital assets (at least annually) and for non-capital assets. 3
hipaa 0725.07a3Organizational.5-07.a hipaa-0725.07a3Organizational.5-07.a 0725.07a3Organizational.5-07.a 07 Vulnerability Management 0725.07a3Organizational.5-07.a 07.01 Responsibility for Assets Shared n/a The organization provides an updated inventory, identifying assets with covered information (e.g., PII) to the CIO or information security official, and the senior privacy official on an organization-defined basis, but no less than annually. 3
hipaa 1192.01l1Organizational.1-01.l hipaa-1192.01l1Organizational.1-01.l 1192.01l1Organizational.1-01.l 11 Access Control 1192.01l1Organizational.1-01.l 01.04 Network Access Control Shared n/a Access to network equipment is physically protected. 5
hipaa 1193.01l2Organizational.13-01.l hipaa-1193.01l2Organizational.13-01.l 1193.01l2Organizational.13-01.l 11 Access Control 1193.01l2Organizational.13-01.l 01.04 Network Access Control Shared n/a Controls for the access to diagnostic and configuration ports include the use of a key lock and the implementation of supporting procedures to control physical access to the port. 5
hipaa 1811.08b3Organizational.3-08.b hipaa-1811.08b3Organizational.3-08.b 1811.08b3Organizational.3-08.b 18 Physical & Environmental Security 1811.08b3Organizational.3-08.b 08.01 Secure Areas Shared n/a Combinations and keys for organization-defined high-risk entry/exit points are changed when lost or stolen or combinations are compromised. 4
hipaa 1845.08b1Organizational.7-08.b hipaa-1845.08b1Organizational.7-08.b 1845.08b1Organizational.7-08.b 18 Physical & Environmental Security 1845.08b1Organizational.7-08.b 08.01 Secure Areas Shared n/a For facilities where the information system resides, the organization enforces physical access authorizations at defined entry/exit points to the facility where the information system resides, maintains physical access audit logs, and provides security safeguards that the organization determines necessary for areas officially designated as publicly accessible. 4
hipaa 1847.08b2Organizational.910-08.b hipaa-1847.08b2Organizational.910-08.b 1847.08b2Organizational.910-08.b 18 Physical & Environmental Security 1847.08b2Organizational.910-08.b 08.01 Secure Areas Shared n/a The organization ensures onsite personnel and visitor identification (e.g., badges) are revoked, updated when access requirements change, or terminated when expired or when access is no longer authorized, and all physical access mechanisms, such as keys, access cards and combinations, are returned, disabled or changed. 2
hipaa 1892.01l1Organizational.1 hipaa-1892.01l1Organizational.1 1892.01l1Organizational.1 18 Physical & Environmental Security 1892.01l1Organizational.1 01.04 Network Access Control Shared n/a Access to network equipment is physically protected. 2
ISO27001-2013 A.11.1.1 ISO27001-2013_A.11.1.1 ISO 27001:2013 A.11.1.1 Physical And Environmental Security Physical security perimeter Shared n/a Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities. link 8
ISO27001-2013 A.11.1.2 ISO27001-2013_A.11.1.2 ISO 27001:2013 A.11.1.2 Physical And Environmental Security Physical entry controls Shared n/a Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. link 9
ISO27001-2013 A.11.1.3 ISO27001-2013_A.11.1.3 ISO 27001:2013 A.11.1.3 Physical And Environmental Security Securing offices, rooms and facilities Shared n/a Physical security for offices, rooms and facilities shall be designed and applied. link 5
ISO27001-2013 A.8.1.2 ISO27001-2013_A.8.1.2 ISO 27001:2013 A.8.1.2 Asset Management Ownership of assets Shared n/a Assets maintained in the inventory shall be owned. link 7
mp.eq.1 Clear desk mp.eq.1 Clear desk 404 not found n/a n/a 19
mp.if.1 Separate areas with access control mp.if.1 Separate areas with access control 404 not found n/a n/a 23
mp.if.2 Identification of persons mp.if.2 Identification of persons 404 not found n/a n/a 13
mp.if.3 Fitting-out of premises mp.if.3 Fitting-out of premises 404 not found n/a n/a 18
mp.if.5 Fire protection mp.if.5 Fire protection 404 not found n/a n/a 16
mp.if.6 Flood protection mp.if.6 Flood protection 404 not found n/a n/a 16
mp.if.7 Recording of entries and exits of equipment mp.if.7 Recording of entries and exits of equipment 404 not found n/a n/a 12
mp.si.4 Transport mp.si.4 Transport 404 not found n/a n/a 24
NIST_SP_800-171_R2_3 .10.5 NIST_SP_800-171_R2_3.10.5 NIST SP 800-171 R2 3.10.5 Physical Protection Control and manage physical access devices. Shared Microsoft is responsible for implementing this requirement. Physical access devices include keys, locks, combinations, and card readers. link 4
NIST_SP_800-171_R2_3 .4.1 NIST_SP_800-171_R2_3.4.1 NIST SP 800-171 R2 3.4.1 Configuration Management Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. Shared Microsoft and the customer share responsibilities for implementing this requirement. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and changes to systems. Baseline configurations include information about system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and update and patch information on operating systems and applications; and configuration settings and parameters), network topology, and the logical placement of those components within the system architecture. Baseline configurations of systems also reflect the current enterprise architecture. Maintaining effective baseline configurations requires creating new baselines as organizational systems change over time. Baseline configuration maintenance includes reviewing and updating the baseline configuration when changes are made based on security risks and deviations from the established baseline configuration. Organizations can implement centralized system component inventories that include components from multiple organizational systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., system association, system owner). Information deemed necessary for effective accountability of system components includes hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include manufacturer, device type, model, serial number, and physical location. [SP 800-128] provides guidance on security-focused configuration management. link 31
NIST_SP_800-53_R4 CM-8(4) NIST_SP_800-53_R4_CM-8(4) NIST SP 800-53 Rev. 4 CM-8 (4) Configuration Management Accountability Information Shared n/a The organization includes in the information system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible/accountable for administering those components. Supplemental Guidance: Identifying individuals who are both responsible and accountable for administering information system components helps to ensure that the assigned components are properly administered and organizations can contact those individuals if some action is required (e.g., component is determined to be the source of a breach/compromise, component needs to be recalled/replaced, or component needs to be relocated). link 2
NIST_SP_800-53_R4 PE-3 NIST_SP_800-53_R4_PE-3 NIST SP 800-53 Rev. 4 PE-3 Physical And Environmental Protection Physical Access Control Shared n/a The organization: a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by; 1. Verifying individual access authorizations before granting access to the facility; and 2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards]; b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points]; c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible; d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring]; e. Secures keys, combinations, and other physical access devices; f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated. Supplemental Guidance: This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3. Supplemental Guidance: Related controls: CA-2, CA-7. link 4
NIST_SP_800-53_R5 CM-8(4) NIST_SP_800-53_R5_CM-8(4) NIST SP 800-53 Rev. 5 CM-8 (4) Configuration Management Accountability Information Shared n/a Include in the system component inventory information, a means for identifying by [Selection (OneOrMore): name;position;role] , individuals responsible and accountable for administering those components. link 2
NIST_SP_800-53_R5 PE-3 NIST_SP_800-53_R5_PE-3 NIST SP 800-53 Rev. 5 PE-3 Physical and Environmental Protection Physical Access Control Shared n/a a. Enforce physical access authorizations at [Assignment: organization-defined entry and exit points to the facility where the system resides] by: 1. Verifying individual access authorizations before granting access to the facility; and 2. Controlling ingress and egress to the facility using [Selection (OneOrMore): [Assignment: organization-defined physical access control systems or devices] ;guards] ; b. Maintain physical access audit logs for [Assignment: organization-defined entry or exit points]; c. Control access to areas within the facility designated as publicly accessible by implementing the following controls: [Assignment: organization-defined physical access controls]; d. Escort visitors and control visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and control of visitor activity]; e. Secure keys, combinations, and other physical access devices; f. Inventory [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and g. Change combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated. link 4
op.exp.1 Asset inventory op.exp.1 Asset inventory 404 not found n/a n/a 40
op.pl.2 Security Architecture op.pl.2 Security Architecture 404 not found n/a n/a 65
SWIFT_CSCF_v2022 3.1 SWIFT_CSCF_v2022_3.1 SWIFT CSCF v2022 3.1 3. Physically Secure the Environment Prevent unauthorised physical access to sensitive equipment, workplace environments, hosting sites, and storage. Shared n/a Physical security controls are in place to protect access to sensitive equipment, hosting sites, and storage. link 8
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add 27965e62-141f-8cca-426f-d09514ee5216
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC