last sync: 2024-Mar-01 17:50:27 UTC

Limit privileges to make changes in production environment | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Limit privileges to make changes in production environment
Id 2af551d5-1775-326a-0589-590bfb7e9eb2
Version 1.1.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description CMA_C1206 - Limit privileges to make changes in production environment
Additional metadata Name/Id: CMA_C1206 / CMA_C1206
Category: Operational
Title: Limit privileges to make changes in production environment
Ownership: Customer
Description: The customer is responsible for limiting privileges to make changes within customer-deployed production or operational environments.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 14 compliance controls are associated with this Policy definition 'Limit privileges to make changes in production environment' (2af551d5-1775-326a-0589-590bfb7e9eb2)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 CM-5(5) FedRAMP_High_R4_CM-5(5) FedRAMP High CM-5 (5) Configuration Management Limit Production / Operational Privileges Shared n/a The organization: (a) Limits privileges to change information system components and system-related information within a production or operational environment; and (b) Reviews and reevaluates privileges [Assignment: organization-defined frequency]. Supplemental Guidance: In many organizations, information systems support multiple core missions/business functions. Limiting privileges to change information system components with respect to operational systems is necessary because changes to a particular information system component may have far-reaching effects on mission/business processes supported by the system where the component resides. The complex, many-to-many relationships between systems and mission/business processes are in some cases, unknown to developers. Related control: AC-2. link 2
FedRAMP_Moderate_R4 CM-5(5) FedRAMP_Moderate_R4_CM-5(5) FedRAMP Moderate CM-5 (5) Configuration Management Limit Production / Operational Privileges Shared n/a The organization: (a) Limits privileges to change information system components and system-related information within a production or operational environment; and (b) Reviews and reevaluates privileges [Assignment: organization-defined frequency]. Supplemental Guidance: In many organizations, information systems support multiple core missions/business functions. Limiting privileges to change information system components with respect to operational systems is necessary because changes to a particular information system component may have far-reaching effects on mission/business processes supported by the system where the component resides. The complex, many-to-many relationships between systems and mission/business processes are in some cases, unknown to developers. Related control: AC-2. link 2
hipaa 0214.09j1Organizational.6-09.j hipaa-0214.09j1Organizational.6-09.j 0214.09j1Organizational.6-09.j 02 Endpoint Protection 0214.09j1Organizational.6-09.j 09.04 Protection Against Malicious and Mobile Code Shared n/a Protection against malicious code is based on malicious code detection and repair software, security awareness, and appropriate system access and change management controls. 13
hipaa 0605.10h1System.12-10.h hipaa-0605.10h1System.12-10.h 0605.10h1System.12-10.h 06 Configuration Management 0605.10h1System.12-10.h 10.04 Security of System Files Shared n/a Only authorized administrators are allowed to implement approved upgrades to software, applications, and program libraries, based on business requirements and the security implications of the release. 6
hipaa 1134.01v3System.1-01.v hipaa-1134.01v3System.1-01.v 1134.01v3System.1-01.v 11 Access Control 1134.01v3System.1-01.v 01.06 Application and Information Access Control Shared n/a Copy, move, print, and storage of sensitive data are prohibited when accessed remotely without a defined business need. 3
ISO27001-2013 A.9.2.2 ISO27001-2013_A.9.2.2 ISO 27001:2013 A.9.2.2 Access Control User access provisioning Shared n/a A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services. link 19
ISO27001-2013 A.9.2.3 ISO27001-2013_A.9.2.3 ISO 27001:2013 A.9.2.3 Access Control Management of privileged access rights Shared n/a The allocation and use of privileged access rights shall be restricted and controlled. link 33
ISO27001-2013 A.9.4.1 ISO27001-2013_A.9.4.1 ISO 27001:2013 A.9.4.1 Access Control Information access restriction Shared n/a Access to information and application system functions shall be restricted in accordance with the access control policy. link 11
ISO27001-2013 A.9.4.5 ISO27001-2013_A.9.4.5 ISO 27001:2013 A.9.4.5 Access Control Access control to program source code Shared n/a Access to program source code shall be restricted. link 10
NIST_SP_800-171_R2_3 .4.5 NIST_SP_800-171_R2_3.4.5 NIST SP 800-171 R2 3.4.5 Configuration Management Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems. Shared Microsoft and the customer share responsibilities for implementing this requirement. Any changes to the hardware, software, or firmware components of systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes, including upgrades and modifications. Access restrictions for change also include software libraries. Access restrictions include physical and logical access control requirements, workflow automation, media libraries, abstract layers (e.g., changes implemented into external interfaces rather than directly into systems), and change windows (e.g., changes occur only during certain specified times). In addition to security concerns, commonly-accepted due diligence for configuration management includes access restrictions as an essential part in ensuring the ability to effectively manage the configuration. [SP 800-128] provides guidance on configuration change control. link 6
NIST_SP_800-53_R4 CM-5(5) NIST_SP_800-53_R4_CM-5(5) NIST SP 800-53 Rev. 4 CM-5 (5) Configuration Management Limit Production / Operational Privileges Shared n/a The organization: (a) Limits privileges to change information system components and system-related information within a production or operational environment; and (b) Reviews and reevaluates privileges [Assignment: organization-defined frequency]. Supplemental Guidance: In many organizations, information systems support multiple core missions/business functions. Limiting privileges to change information system components with respect to operational systems is necessary because changes to a particular information system component may have far-reaching effects on mission/business processes supported by the system where the component resides. The complex, many-to-many relationships between systems and mission/business processes are in some cases, unknown to developers. Related control: AC-2. link 2
NIST_SP_800-53_R5 CM-5(5) NIST_SP_800-53_R5_CM-5(5) NIST SP 800-53 Rev. 5 CM-5 (5) Configuration Management Privilege Limitation for Production and Operation Shared n/a (a) Limit privileges to change system components and system-related information within a production or operational environment; and (b) Review and reevaluate privileges [Assignment: organization-defined frequency]. link 2
PCI_DSS_v4.0 6.5.3 PCI_DSS_v4.0_6.5.3 PCI DSS v4.0 6.5.3 Requirement 06: Develop and Maintain Secure Systems and Software Changes to all system components are managed securely Shared n/a Pre-production environments are separated from production environments and the separation is enforced with access controls. link 6
PCI_DSS_v4.0 6.5.4 PCI_DSS_v4.0_6.5.4 PCI DSS v4.0 6.5.4 Requirement 06: Develop and Maintain Secure Systems and Software Changes to all system components are managed securely Shared n/a Roles and functions are separated between production and pre-production environments to provide accountability such that only reviewed and approved changes are deployed. link 6
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add 2af551d5-1775-326a-0589-590bfb7e9eb2
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC