last sync: 2024-May-24 18:03:04 UTC

Provide security training before providing access | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Provide security training before providing access
Id 2b05dca2-25ec-9335-495c-29155f785082
Version 1.1.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description CMA_0418 - Provide security training before providing access
Additional metadata Name/Id: CMA_0418 / CMA_0418
Category: Operational
Title: Provide security training before providing access
Ownership: Customer
Description: Microsoft recommends that your organization provide role-based security training to personnel with security roles and responsibilities before authorizing their access to Azure and before they begin performing their assigned duties. Your organization should consider creating and maintaining Security Awareness Training policies and standard operating procedures that ensure all personnel with assigned security roles and responsibilities receive role-based security training before they can access Azure and perform their assigned duties. It is recommended that employees are versed in the rules of the information systems and technologies they will use and in accordance with applicable laws and regulations. Your organization may consider providing resources and assistance to further enhance the employees' training.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 31 compliance controls are associated with this Policy definition 'Provide security training before providing access' (2b05dca2-25ec-9335-495c-29155f785082)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 AT-3 FedRAMP_High_R4_AT-3 FedRAMP High AT-3 Awareness And Training Role-Based Security Training Shared n/a The organization provides role-based security training to personnel with assigned security roles and responsibilities: a. Before authorizing access to the information system or performing assigned duties; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter. Supplemental Guidance: Organizations determine the appropriate content of security training based on the assigned roles and responsibilities of individuals and the specific security requirements of organizations and the information systems to which personnel have authorized access. In addition, organizations provide enterprise architects, information system developers, software developers, acquisition/procurement officials, information system managers, system/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software, adequate security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. Such training can include for example, policies, procedures, tools, and artifacts for the organizational security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs. Role-based security training also applies to contractors providing services to federal agencies. Related controls: AT-2, AT-4, PL-4, PS-7, SA-3, SA-12, SA-16. References: C.F.R. Part 5 Subpart C (5 C.F.R. 930.301); NIST Special Publications 800-16, 800-50. link 3
FedRAMP_Moderate_R4 AT-3 FedRAMP_Moderate_R4_AT-3 FedRAMP Moderate AT-3 Awareness And Training Role-Based Security Training Shared n/a The organization provides role-based security training to personnel with assigned security roles and responsibilities: a. Before authorizing access to the information system or performing assigned duties; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter. Supplemental Guidance: Organizations determine the appropriate content of security training based on the assigned roles and responsibilities of individuals and the specific security requirements of organizations and the information systems to which personnel have authorized access. In addition, organizations provide enterprise architects, information system developers, software developers, acquisition/procurement officials, information system managers, system/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software, adequate security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. Such training can include for example, policies, procedures, tools, and artifacts for the organizational security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs. Role-based security training also applies to contractors providing services to federal agencies. Related controls: AT-2, AT-4, PL-4, PS-7, SA-3, SA-12, SA-16. References: C.F.R. Part 5 Subpart C (5 C.F.R. 930.301); NIST Special Publications 800-16, 800-50. link 3
hipaa 0104.02a1Organizational.12-02.a hipaa-0104.02a1Organizational.12-02.a 0104.02a1Organizational.12-02.a 01 Information Protection Program 0104.02a1Organizational.12-02.a 02.01 Prior to Employment Shared n/a User security roles and responsibilities are clearly defined and communicated. 14
hipaa 0108.02d1Organizational.23-02.d hipaa-0108.02d1Organizational.23-02.d 0108.02d1Organizational.23-02.d 01 Information Protection Program 0108.02d1Organizational.23-02.d 02.03 During Employment Shared n/a The organization ensures plans for security testing, training, and monitoring activities are developed, implemented, maintained, and reviewed for consistency with the risk management strategy and response priorities. 8
hipaa 0109.02d1Organizational.4-02.d hipaa-0109.02d1Organizational.4-02.d 0109.02d1Organizational.4-02.d 01 Information Protection Program 0109.02d1Organizational.4-02.d 02.03 During Employment Shared n/a Management ensures users are (i) briefed on their security role(s)/responsibilities, conform with the terms and conditions of employment prior to obtaining access to the organization’s information systems; (ii) provided with guidelines regarding the security expectations of their roles; (iii) motivated to comply with security policies; and, (iv) continue to have the appropriate skills and qualifications for their role(s). 20
hipaa 0122.05a2Organizational.3-05.a hipaa-0122.05a2Organizational.3-05.a 0122.05a2Organizational.3-05.a 01 Information Protection Program 0122.05a2Organizational.3-05.a 05.01 Internal Organization Shared n/a The individual responsible for information security in the organization is qualified for the role. 6
hipaa 1301.02e1Organizational.12-02.e hipaa-1301.02e1Organizational.12-02.e 1301.02e1Organizational.12-02.e 13 Education, Training and Awareness 1301.02e1Organizational.12-02.e 02.03 During Employment Shared n/a Employees and contractors receive documented initial (as part of their onboarding within 60 days of hire), annual, and ongoing training on their roles related to security and privacy. 17
hipaa 1304.02e3Organizational.1-02.e hipaa-1304.02e3Organizational.1-02.e 1304.02e3Organizational.1-02.e 13 Education, Training and Awareness 1304.02e3Organizational.1-02.e 02.03 During Employment Shared n/a Personnel with significant security responsibilities receive specialized education and training on their roles and responsibilities: (i) prior to being granted access to the organization’s systems and resources; (ii) when required by system changes; (iii) when entering into a new position that requires additional training; and, (iv) no less than annually thereafter. 9
hipaa 1309.01x1System.36-01.x hipaa-1309.01x1System.36-01.x 1309.01x1System.36-01.x 13 Education, Training and Awareness 1309.01x1System.36-01.x 01.07 Mobile Computing and Teleworking Shared n/a Personnel using mobile computing devices are trained on the risks, the controls implemented, and their responsibilities (e.g., shoulder surfing, physical protections). 6
hipaa 1310.01y1Organizational.9-01.y hipaa-1310.01y1Organizational.9-01.y 1310.01y1Organizational.9-01.y 13 Education, Training and Awareness 1310.01y1Organizational.9-01.y 01.07 Mobile Computing and Teleworking Shared n/a Personnel who telework are trained on the risks, the controls implemented, and their responsibilities. 10
hipaa 1315.02e2Organizational.67-02.e hipaa-1315.02e2Organizational.67-02.e 1315.02e2Organizational.67-02.e 13 Education, Training and Awareness 1315.02e2Organizational.67-02.e 02.03 During Employment Shared n/a The organization provides specialized security and privacy education and training appropriate to the employee's roles/responsibilities, including organizational business unit security POCs and system/software developers. 6
hipaa 1336.02e1Organizational.5-02.e hipaa-1336.02e1Organizational.5-02.e 1336.02e1Organizational.5-02.e 13 Education, Training and Awareness 1336.02e1Organizational.5-02.e 02.03 During Employment Shared n/a The organization’s security awareness and training program (i) identifies how workforce members are provided security awareness and training, and the workforce members who will receive security awareness and training; (ii) describes the types of security awareness and training that is reasonable and appropriate for its workforce members; (iii) how workforce members are provided security and awareness training when there is a change in the organization’s information systems; and, (iv) how frequently security awareness and training is provided to all workforce members. 7
ISO27001-2013 A.7.2.2 ISO27001-2013_A.7.2.2 ISO 27001:2013 A.7.2.2 Human Resources Security Information security awareness, education and training Shared n/a All employees of the organization and, where relevant, contractors shall receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function. link 15
mp.eq.3 Protection of portable devices mp.eq.3 Protection of portable devices 404 not found n/a n/a 71
mp.per.1 Job characterization mp.per.1 Job characterization 404 not found n/a n/a 41
mp.per.3 Awareness mp.per.3 Awareness 404 not found n/a n/a 15
mp.per.4 Training mp.per.4 Training 404 not found n/a n/a 14
mp.s.1 E-mail protection mp.s.1 E-mail protection 404 not found n/a n/a 48
mp.s.3 Protection of web browsing mp.s.3 Protection of web browsing 404 not found n/a n/a 52
mp.si.3 Custody mp.si.3 Custody 404 not found n/a n/a 27
NIST_SP_800-171_R2_3 .2.2 NIST_SP_800-171_R2_3.2.2 NIST SP 800-171 R2 3.2.2 Awareness and Training Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities. Shared Microsoft and the customer share responsibilities for implementing this requirement. Organizations determine the content and frequency of security training based on the assigned duties, roles, and responsibilities of individuals and the security requirements of organizations and the systems to which personnel have authorized access. In addition, organizations provide system developers, enterprise architects, security architects, acquisition/procurement officials, software developers, system developers, systems integrators, system/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation, security assessors, and other personnel having access to system-level software, security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Such training can include policies, procedures, tools, and artifacts for the security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs. [SP 800-181] provides guidance on role-based information security training in the workplace. [SP 800-161] provides guidance on supply chain risk management. link 2
NIST_SP_800-53_R4 AT-3 NIST_SP_800-53_R4_AT-3 NIST SP 800-53 Rev. 4 AT-3 Awareness And Training Role-Based Security Training Shared n/a The organization provides role-based security training to personnel with assigned security roles and responsibilities: a. Before authorizing access to the information system or performing assigned duties; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter. Supplemental Guidance: Organizations determine the appropriate content of security training based on the assigned roles and responsibilities of individuals and the specific security requirements of organizations and the information systems to which personnel have authorized access. In addition, organizations provide enterprise architects, information system developers, software developers, acquisition/procurement officials, information system managers, system/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software, adequate security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. Such training can include for example, policies, procedures, tools, and artifacts for the organizational security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs. Role-based security training also applies to contractors providing services to federal agencies. Related controls: AT-2, AT-4, PL-4, PS-7, SA-3, SA-12, SA-16. References: C.F.R. Part 5 Subpart C (5 C.F.R. 930.301); NIST Special Publications 800-16, 800-50. link 3
NIST_SP_800-53_R5 AT-3 NIST_SP_800-53_R5_AT-3 NIST SP 800-53 Rev. 5 AT-3 Awareness and Training Role-based Training Shared n/a a. Provide role-based security and privacy training to personnel with the following roles and responsibilities: [Assignment: organization-defined roles and responsibilities]: 1. Before authorizing access to the system, information, or performing assigned duties, and [Assignment: organization-defined frequency] thereafter; and 2. When required by system changes; b. Update role-based training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and c. Incorporate lessons learned from internal or external security incidents or breaches into role-based training. link 3
PCI_DSS_v4.0 12.6.3 PCI_DSS_v4.0_12.6.3 PCI DSS v4.0 12.6.3 Requirement 12: Support Information Security with Organizational Policies and Programs Security awareness education is an ongoing activity Shared n/a Personnel receive security awareness training as follows: • Upon hire and at least once every 12 months. • Multiple methods of communication are used. • Personnel acknowledge at least once every 12 months that they have read and understood the information security policy and procedures. link 8
PCI_DSS_v4.0 12.6.3.2 PCI_DSS_v4.0_12.6.3.2 PCI DSS v4.0 12.6.3.2 Requirement 12: Support Information Security with Organizational Policies and Programs Security awareness education is an ongoing activity Shared n/a Security awareness training includes awareness about the acceptable use of end-user technologies in accordance with Requirement 12.2.1. link 2
PCI_DSS_v4.0 6.2.2 PCI_DSS_v4.0_6.2.2 PCI DSS v4.0 6.2.2 Requirement 06: Develop and Maintain Secure Systems and Software Bespoke and custom software are developed securely Shared n/a Software development personnel working on bespoke and custom software are trained at least once every 12 months as follows: • On software security relevant to their job function and development languages. • Including secure software design and secure coding techniques. • Including, if security testing tools are used, how to use the tools for detecting vulnerabilities in software. link 2
PCI_DSS_v4.0 9.5.1.3 PCI_DSS_v4.0_9.5.1.3 PCI DSS v4.0 9.5.1.3 Requirement 09: Restrict Physical Access to Cardholder Data Point of interaction (POI) devices are protected from tampering and unauthorized substitution Shared n/a Training is provided for personnel in POI environments to be aware of attempted tampering or replacement of POI devices, and includes: • Verifying the identity of any third-party persons claiming to be repair or maintenance personnel, before granting them access to modify or troubleshoot devices. • Procedures to ensure devices are not installed, replaced, or returned without verification. • Being aware of suspicious behavior around devices. • Reporting suspicious behavior and indications of device tampering or substitution to appropriate personnel. link 1
SOC_2 CC1.4 SOC_2_CC1.4 SOC 2 Type 2 CC1.4 Control Environment COSO Principle 4 Shared The customer is responsible for implementing this recommendation. Establishes Policies and Practices — Policies and practices reflect expectations of competence necessary to support the achievement of objectives. • Evaluates Competence and Addresses Shortcomings — The board of directors and management evaluate competence across the entity and in outsourced service providers in relation to established policies and practices and act as necessary to address shortcomings. • Attracts, Develops, and Retains Individuals — The entity provides the mentoring and training needed to attract, develop, and retain sufficient and competent personnel and outsourced service providers to support the achievement of objectives. • Plans and Prepares for Succession — Senior management and the board of directors develop contingency plans for assignments of responsibility important for internal control. Additional point of focus specifically related to all engagements using the trust services criteria:Page 16 TSP Ref. # TRUST SERVICES CRITERIA AND POINTS OF FOCUS • Considers the Background of Individuals — The entity considers the background of potential and existing personnel, contractors, and vendor employees when determining whether to employ and retain the individuals. • Considers the Technical Competency of Individuals — The entity considers the technical competency of potential and existing personnel, contractors, and vendor employees when determining whether to employ and retain the individuals. • Provides Training to Maintain Technical Competencies — The entity provides training programs, including continuing education and training, to ensure skill sets and technical competency of existing personnel, contractors, and vendor employees are developed and maintained 5
SOC_2 CC2.2 SOC_2_CC2.2 SOC 2 Type 2 CC2.2 Communication and Information COSO Principle 14 Shared The customer is responsible for implementing this recommendation. • Communicates Internal Control Information — A process is in place to communicate required information to enable all personnel to understand and carry out their internal control responsibilities. • Communicates With the Board of Directors — Communication exists between management and the board of directors so that both have information needed to fulfill their roles with respect to the entity’s objectives. • Provides Separate Communication Lines — Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective. • Selects Relevant Method of Communication — The method of communication considers the timing, audience, and nature of • Communicates Responsibilities — Entity personnel with responsibility for designing, developing, implementing, operating, maintaining, or monitoring system controls receive communications about their responsibilities, including changes in their responsibilities, and have the information necessary to carry out those responsibilities. • Communicates Information on Reporting Failures, Incidents, Concerns, and Other Matters — Entity personnel are provided with information on how to report systems failures, incidents, concerns, and other complaints to personnel. • Communicates Objectives and Changes to Objectives — The entity communicates its objectives and changes to those objectives to personnel in a timely manner. • Communicates Information to Improve Security Knowledge and Awareness — The entity communicates information to improve security knowledge and awareness and to model appropriate security behaviors to personnel through a security awareness training program 9
SWIFT_CSCF_v2022 12.1 SWIFT_CSCF_v2022_12.1 SWIFT CSCF v2022 12.1 12. Ensure Knowledge is Available Ensure quality of service to customers through SWIFT certified employees. Shared n/a Ensure quality of service to customers through SWIFT certified employees. link 3
SWIFT_CSCF_v2022 7.2 SWIFT_CSCF_v2022_7.2 SWIFT CSCF v2022 7.2 7. Plan for Incident Response and Information Sharing Ensure all staff are aware of and fulfil their security responsibilities by performing regular awareness activities, and maintain security knowledge of staff with privileged access. Shared n/a Annual security awareness sessions are conducted for all staff members with access to SWIFT-related systems. All staff with privileged access maintain knowledge through specific training or learning activities when relevant or appropriate (at management’s discretion). link 11
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add 2b05dca2-25ec-9335-495c-29155f785082
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC