last sync: 2024-Apr-19 17:43:58 UTC

Ensure external providers consistently meet interests of the customers | Regulatory Compliance - Documentation

Azure BuiltIn Policy definition

Source Azure Portal
Display name Ensure external providers consistently meet interests of the customers
Id 3eabed6d-1912-2d3c-858b-f438d08d0412
Version 1.1.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description CMA_C1592 - Ensure external providers consistently meet interests of the customers
Additional metadata Name/Id: CMA_C1592 / CMA_C1592
Category: Documentation
Title: Ensure external providers consistently meet interests of the customers
Ownership: Customer
Description: The customer is responsible for employing safeguards to ensure that the interests of external service providers are consistent with and reflect those of the customer.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 12 compliance controls are associated with this Policy definition 'Ensure external providers consistently meet interests of the customers' (3eabed6d-1912-2d3c-858b-f438d08d0412)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 SA-9(4) FedRAMP_High_R4_SA-9(4) FedRAMP High SA-9 (4) System And Services Acquisition Consistent Interests Of Consumers And Providers Shared n/a The organization employs [Assignment: organization-defined security safeguards] to ensure that the interests of [Assignment: organization-defined external service providers] are consistent with and reflect organizational interests. Supplemental Guidance: As organizations increasingly use external service providers, the possibility exists that the interests of the service providers may diverge from organizational interests. In such situations, simply having the correct technical, procedural, or operational safeguards in place may not be sufficient if the service providers that implement and control those safeguards are not operating in a manner consistent with the interests of the consuming organizations. Possible actions that organizations might take to address such concerns include, for example, requiring background checks for selected service provider personnel, examining ownership records, employing only trustworthy service providers (i.e., providers with which organizations have had positive experiences), and conducting periodic/unscheduled visits to service provider facilities. link 1
FedRAMP_Moderate_R4 SA-9(4) FedRAMP_Moderate_R4_SA-9(4) FedRAMP Moderate SA-9 (4) System And Services Acquisition Consistent Interests Of Consumers And Providers Shared n/a The organization employs [Assignment: organization-defined security safeguards] to ensure that the interests of [Assignment: organization-defined external service providers] are consistent with and reflect organizational interests. Supplemental Guidance: As organizations increasingly use external service providers, the possibility exists that the interests of the service providers may diverge from organizational interests. In such situations, simply having the correct technical, procedural, or operational safeguards in place may not be sufficient if the service providers that implement and control those safeguards are not operating in a manner consistent with the interests of the consuming organizations. Possible actions that organizations might take to address such concerns include, for example, requiring background checks for selected service provider personnel, examining ownership records, employing only trustworthy service providers (i.e., providers with which organizations have had positive experiences), and conducting periodic/unscheduled visits to service provider facilities. link 1
hipaa 0837.09.n2Organizational.2-09.n hipaa-0837.09.n2Organizational.2-09.n 0837.09.n2Organizational.2-09.n 08 Network Protection 0837.09.n2Organizational.2-09.n 09.06 Network Security Management Shared n/a Formal agreements with external information system providers include specific obligations for security and privacy. 20
hipaa 0888.09n2Organizational.6-09.n hipaa-0888.09n2Organizational.6-09.n 0888.09n2Organizational.6-09.n 08 Network Protection 0888.09n2Organizational.6-09.n 09.06 Network Security Management Shared n/a The contract with the external/outsourced service provider includes the specification that the service provider is responsible for the protection of covered information shared. 17
hipaa 1422.05j2Organizational.3-05.j hipaa-1422.05j2Organizational.3-05.j 1422.05j2Organizational.3-05.j 14 Third Party Assurance 1422.05j2Organizational.3-05.j 05.02 External Parties Shared n/a All security requirements resulting from work with external parties or internal controls are reflected by the agreement with the external party. 6
hipaa 1423.05j2Organizational.4-05.j hipaa-1423.05j2Organizational.4-05.j 1423.05j2Organizational.4-05.j 14 Third Party Assurance 1423.05j2Organizational.4-05.j 05.02 External Parties Shared n/a For all system connections that allow customers to access the organization's computing assets such as websites, kiosks, and public access terminals, the organization provides appropriate text or a link to the organization's privacy policy for data use and protection as well as the customer's responsibilities when accessing the data. 9
hipaa 1438.09e2System.4-09.e hipaa-1438.09e2System.4-09.e 1438.09e2System.4-09.e 14 Third Party Assurance 1438.09e2System.4-09.e 09.02 Control Third Party Service Delivery Shared n/a The service provider protects the company's data with reasonable controls (e.g., policies and procedures) designed to detect, prevent, and mitigate risk. 14
hipaa 1453.05kCSPOrganizational.2-05.k hipaa-1453.05kCSPOrganizational.2-05.k 1453.05kCSPOrganizational.2-05.k 14 Third Party Assurance 1453.05kCSPOrganizational.2-05.k 05.02 External Parties Shared n/a Supply chain agreements (e.g., SLAs) between cloud service providers and customers (tenants) incorporate at least the following mutually-agreed upon provisions and/or terms: (i) scope of business relationship and services offered, data acquisition, exchange and usage, feature sets and functionality, personnel and infrastructure network and systems components for service delivery and support, roles and responsibilities of provider and customer (tenant) and any subcontracted or outsourced business relationships, physical geographical location of hosted services, and any known regulatory compliance considerations; (ii) information security requirements, points of contact, and references to detailed supporting and relevant business processes and technical measures implemented; (iii) notification and/or pre-authorization of any changes controlled by the provider with customer (tenant) impacts; (iv) timely notification of a security incident to all customers (tenants) and other business relationships impacted; (v) assessment and independent verification of compliance with agreement provisions and/or terms (e.g., industry-acceptable certification, attestation audit report, or equivalent forms of assurance) without posing an unacceptable business risk of exposure to the organization being assessed; (vi) expiration of the business relationship and treatment of customer (tenant) data impacted; and, (vii) customer (tenant) service-to-service application (API) and data interoperability and portability requirements for application development and information exchange, usage, and integrity persistence. 10
hipaa 1577.11aCSPOrganizational.1-11.a hipaa-1577.11aCSPOrganizational.1-11.a 1577.11aCSPOrganizational.1-11.a 15 Incident Management 1577.11aCSPOrganizational.1-11.a 11.01 Reporting Information Security Incidents and Weaknesses Shared n/a Cloud service providers make security incident information available to all affected customers and providers periodically through electronic methods (e.g., portals). 2
NIST_SP_800-53_R4 SA-9(4) NIST_SP_800-53_R4_SA-9(4) NIST SP 800-53 Rev. 4 SA-9 (4) System And Services Acquisition Consistent Interests Of Consumers And Providers Shared n/a The organization employs [Assignment: organization-defined security safeguards] to ensure that the interests of [Assignment: organization-defined external service providers] are consistent with and reflect organizational interests. Supplemental Guidance: As organizations increasingly use external service providers, the possibility exists that the interests of the service providers may diverge from organizational interests. In such situations, simply having the correct technical, procedural, or operational safeguards in place may not be sufficient if the service providers that implement and control those safeguards are not operating in a manner consistent with the interests of the consuming organizations. Possible actions that organizations might take to address such concerns include, for example, requiring background checks for selected service provider personnel, examining ownership records, employing only trustworthy service providers (i.e., providers with which organizations have had positive experiences), and conducting periodic/unscheduled visits to service provider facilities. link 1
NIST_SP_800-53_R5 SA-9(4) NIST_SP_800-53_R5_SA-9(4) NIST SP 800-53 Rev. 5 SA-9 (4) System and Services Acquisition Consistent Interests of Consumers and Providers Shared n/a Take the following actions to verify that the interests of [Assignment: organization-defined external service providers] are consistent with and reflect organizational interests: [Assignment: organization-defined actions]. link 1
SWIFT_CSCF_v2022 1.1 SWIFT_CSCF_v2022_1.1 SWIFT CSCF v2022 1.1 1. Restrict Internet Access & Protect Critical Systems from General IT Environment Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment. Shared n/a A separated secure zone safeguards the user's SWIFT infrastructure from compromises and attacks on the broader enterprise and external environments. link 22
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40 add 3eabed6d-1912-2d3c-858b-f438d08d0412
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC