last sync: 2024-May-24 18:03:04 UTC

Retain training records | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Retain training records
Id 3153d9c0-2584-14d3-362d-578b01358aeb
Version 1.1.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description CMA_0456 - Retain training records
Additional metadata Name/Id: CMA_0456 / CMA_0456
Category: Operational
Title: Retain training records
Ownership: Customer
Description: Microsoft recommends that your organization retain individual training records for a prescribed time period. Training records may include attendance record, training package content, name of the instructor, dates of training, and results of any examinations or assessments. Consider creating and maintaining Security Awareness and Training policies and standard operating procedures to ensure that your organization retain individual training records for an organization-defined time period. If your organization has not defined a time period or there is no regulation defined time period, Microsoft recommends that these records are retained for at least one year. Microsoft also recommended that your organization define training supporting documentation retention policies in your automatic retention enforcement solutions, if possible. **How to Use Microsoft Solutions to Implement** Your organization can manage data retention configurations through Azure TIme Series Insights, for more information on data retention and managing your Azure environment, go to: https://docs.microsoft.com/azure/time-series-insights/time-series-insights-concepts-retention. **Learn More** Configuring Data Retention in Azure: https://docs.microsoft.com/azure/time-series-insights/time-series-insights-how-to-configure-retention
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 16 compliance controls are associated with this Policy definition 'Retain training records' (3153d9c0-2584-14d3-362d-578b01358aeb)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 AT-4 FedRAMP_High_R4_AT-4 FedRAMP High AT-4 Awareness And Training Security Training Records Shared n/a The organization: a. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and b. Retains individual training records for [Assignment: organization-defined time period]. Supplemental Guidance: Documentation for specialized training may be maintained by individual supervisors at the option of the organization. Related controls: AT-2, AT-3, PM-14. Control Enhancements: None. References: None. link 3
FedRAMP_Moderate_R4 AT-4 FedRAMP_Moderate_R4_AT-4 FedRAMP Moderate AT-4 Awareness And Training Security Training Records Shared n/a The organization: a. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and b. Retains individual training records for [Assignment: organization-defined time period]. Supplemental Guidance: Documentation for specialized training may be maintained by individual supervisors at the option of the organization. Related controls: AT-2, AT-3, PM-14. Control Enhancements: None. References: None. link 3
hipaa 0108.02d1Organizational.23-02.d hipaa-0108.02d1Organizational.23-02.d 0108.02d1Organizational.23-02.d 01 Information Protection Program 0108.02d1Organizational.23-02.d 02.03 During Employment Shared n/a The organization ensures plans for security testing, training, and monitoring activities are developed, implemented, maintained, and reviewed for consistency with the risk management strategy and response priorities. 8
hipaa 1302.02e2Organizational.134-02.e hipaa-1302.02e2Organizational.134-02.e 1302.02e2Organizational.134-02.e 13 Education, Training and Awareness 1302.02e2Organizational.134-02.e 02.03 During Employment Shared n/a Dedicated security and privacy awareness training is developed as part of the organization's onboarding program, is documented and tracked, and includes the recognition and reporting of potential indicators of an insider threat. 19
hipaa 1305.02e3Organizational.23-02.e hipaa-1305.02e3Organizational.23-02.e 1305.02e3Organizational.23-02.e 13 Education, Training and Awareness 1305.02e3Organizational.23-02.e 02.03 During Employment Shared n/a The organization maintains a documented list of each individual who completes the on-boarding process and maintains all training records for at least five years. 3
ISO27001-2013 A.7.2.2 ISO27001-2013_A.7.2.2 ISO 27001:2013 A.7.2.2 Human Resources Security Information security awareness, education and training Shared n/a All employees of the organization and, where relevant, contractors shall receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function. link 15
ISO27001-2013 C.7.2.d ISO27001-2013_C.7.2.d ISO 27001:2013 C.7.2.d Support Competence Shared n/a The organization shall: d) retain appropriate documented information as evidence of competence. NOTE Applicable actions may include, for example: the provision of training to, the mentoring of, or the reassignment of current employees; or the hiring or contracting of competent persons. link 1
mp.eq.3 Protection of portable devices mp.eq.3 Protection of portable devices 404 not found n/a n/a 71
mp.per.1 Job characterization mp.per.1 Job characterization 404 not found n/a n/a 41
mp.per.3 Awareness mp.per.3 Awareness 404 not found n/a n/a 15
mp.per.4 Training mp.per.4 Training 404 not found n/a n/a 14
mp.s.1 E-mail protection mp.s.1 E-mail protection 404 not found n/a n/a 48
mp.s.3 Protection of web browsing mp.s.3 Protection of web browsing 404 not found n/a n/a 52
mp.si.3 Custody mp.si.3 Custody 404 not found n/a n/a 27
NIST_SP_800-53_R4 AT-4 NIST_SP_800-53_R4_AT-4 NIST SP 800-53 Rev. 4 AT-4 Awareness And Training Security Training Records Shared n/a The organization: a. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and b. Retains individual training records for [Assignment: organization-defined time period]. Supplemental Guidance: Documentation for specialized training may be maintained by individual supervisors at the option of the organization. Related controls: AT-2, AT-3, PM-14. Control Enhancements: None. References: None. link 3
NIST_SP_800-53_R5 AT-4 NIST_SP_800-53_R5_AT-4 NIST SP 800-53 Rev. 5 AT-4 Awareness and Training Training Records Shared n/a a. Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and b. Retain individual training records for [Assignment: organization-defined time period]. link 3
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40 add 3153d9c0-2584-14d3-362d-578b01358aeb
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC