last sync: 2024-Mar-01 17:50:27 UTC

Not allow for information systems to accompany with individuals | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Not allow for information systems to accompany with individuals
Id 41172402-8d73-64c7-0921-909083c086b0
Version 1.1.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description CMA_C1182 - Not allow for information systems to accompany with individuals
Additional metadata Name/Id: CMA_C1182 / CMA_C1182
Category: Operational
Title: Not allow for information systems to accompany with individuals
Ownership: Customer
Description: The customer is responsible for not allowing for information systems, system components, or devices to accompany with individuals traveling to locations that the organization deems to be of significant risk with devices. This control is not applicable in the information system.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 11 compliance controls are associated with this Policy definition 'Not allow for information systems to accompany with individuals' (41172402-8d73-64c7-0921-909083c086b0)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 CM-2(7) FedRAMP_High_R4_CM-2(7) FedRAMP High CM-2 (7) Configuration Management Configure Systems, Components, Or Devices For High-Risk Areas Shared n/a The organization: (a) Issues [Assignment: organization-defined information systems, system components, or devices] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and (b) Applies [Assignment: organization-defined security safeguards] to the devices when the individuals return. Supplemental Guidance: When it is known that information systems, system components, or devices (e.g., notebook computers, mobile devices) will be located in high-risk areas, additional security controls may be implemented to counter the greater threat in such areas coupled with the lack of physical security relative to organizational-controlled areas. For example, organizational policies and procedures for notebook computers used by individuals departing on and returning from travel include, for example, determining which locations are of concern, defining required configurations for the devices, ensuring that the devices are configured as intended before travel is initiated, and applying specific safeguards to the device after travel is completed. Specially configured notebook computers include, for example, computers with sanitized hard drives, limited applications, and additional hardening (e.g., more stringent configuration settings). Specified safeguards applied to mobile devices upon return from travel include, for example, examining the device for signs of physical tampering and purging/reimaging the hard disk drive. Protecting information residing on mobile devices is covered in the media protection family..\ link 2
FedRAMP_Moderate_R4 CM-2(7) FedRAMP_Moderate_R4_CM-2(7) FedRAMP Moderate CM-2 (7) Configuration Management Configure Systems, Components, Or Devices For High-Risk Areas Shared n/a The organization: (a) Issues [Assignment: organization-defined information systems, system components, or devices] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and (b) Applies [Assignment: organization-defined security safeguards] to the devices when the individuals return. Supplemental Guidance: When it is known that information systems, system components, or devices (e.g., notebook computers, mobile devices) will be located in high-risk areas, additional security controls may be implemented to counter the greater threat in such areas coupled with the lack of physical security relative to organizational-controlled areas. For example, organizational policies and procedures for notebook computers used by individuals departing on and returning from travel include, for example, determining which locations are of concern, defining required configurations for the devices, ensuring that the devices are configured as intended before travel is initiated, and applying specific safeguards to the device after travel is completed. Specially configured notebook computers include, for example, computers with sanitized hard drives, limited applications, and additional hardening (e.g., more stringent configuration settings). Specified safeguards applied to mobile devices upon return from travel include, for example, examining the device for signs of physical tampering and purging/reimaging the hard disk drive. Protecting information residing on mobile devices is covered in the media protection family..\ link 2
hipaa 0403.01x1System.8-01.x hipaa-0403.01x1System.8-01.x 0403.01x1System.8-01.x 04 Mobile Device Security 0403.01x1System.8-01.x 01.07 Mobile Computing and Teleworking Shared n/a The organization monitors for unauthorized connections of mobile devices. 7
hipaa 0426.01x2System.1-01.x hipaa-0426.01x2System.1-01.x 0426.01x2System.1-01.x 04 Mobile Device Security 0426.01x2System.1-01.x 01.07 Mobile Computing and Teleworking Shared n/a A centralized, mobile device management solution has been deployed to all mobile devices permitted to store, transmit, or process organizational and/or customer data, enforcing built-in detective and preventative controls. 7
hipaa 0427.01x2System.2-01.x hipaa-0427.01x2System.2-01.x 0427.01x2System.2-01.x 04 Mobile Device Security 0427.01x2System.2-01.x 01.07 Mobile Computing and Teleworking Shared n/a The organization ensures that mobile devices connecting to corporate networks, or storing and accessing company information, allow for remote software version/patch validation. 4
hipaa 0428.01x2System.3-01.x hipaa-0428.01x2System.3-01.x 0428.01x2System.3-01.x 04 Mobile Device Security 0428.01x2System.3-01.x 01.07 Mobile Computing and Teleworking Shared n/a The organization ensures that mobile devices connecting to corporate networks, or storing and accessing company information, allow for remote wipe. 4
hipaa 0429.01x1System.14-01.x hipaa-0429.01x1System.14-01.x 0429.01x1System.14-01.x 04 Mobile Device Security 0429.01x1System.14-01.x 01.07 Mobile Computing and Teleworking Shared n/a The organization prohibits the circumvention of built-in security controls on mobile devices (e.g., jailbreaking or rooting). 7
hipaa 0627.10h1System.45-10.h hipaa-0627.10h1System.45-10.h 0627.10h1System.45-10.h 06 Configuration Management 0627.10h1System.45-10.h 10.04 Security of System Files Shared n/a The organization maintains information systems according to a current baseline configuration and configures system security parameters to prevent misuse. Vendor supplied software used in operational systems is maintained at a level supported by the supplier and uses the latest version of web browsers on operational systems to take advantage of the latest security functions in the application. 11
ISO27001-2013 A.11.2.6 ISO27001-2013_A.11.2.6 ISO 27001:2013 A.11.2.6 Physical And Environmental Security Security of equipment and assets off-premises Shared n/a Security shall be applied to off-site assets taking into account the different risks of working outside the organization's premises. link 10
NIST_SP_800-53_R4 CM-2(7) NIST_SP_800-53_R4_CM-2(7) NIST SP 800-53 Rev. 4 CM-2 (7) Configuration Management Configure Systems, Components, Or Devices For High-Risk Areas Shared n/a The organization: (a) Issues [Assignment: organization-defined information systems, system components, or devices] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and (b) Applies [Assignment: organization-defined security safeguards] to the devices when the individuals return. Supplemental Guidance: When it is known that information systems, system components, or devices (e.g., notebook computers, mobile devices) will be located in high-risk areas, additional security controls may be implemented to counter the greater threat in such areas coupled with the lack of physical security relative to organizational-controlled areas. For example, organizational policies and procedures for notebook computers used by individuals departing on and returning from travel include, for example, determining which locations are of concern, defining required configurations for the devices, ensuring that the devices are configured as intended before travel is initiated, and applying specific safeguards to the device after travel is completed. Specially configured notebook computers include, for example, computers with sanitized hard drives, limited applications, and additional hardening (e.g., more stringent configuration settings). Specified safeguards applied to mobile devices upon return from travel include, for example, examining the device for signs of physical tampering and purging/reimaging the hard disk drive. Protecting information residing on mobile devices is covered in the media protection family..\ link 2
NIST_SP_800-53_R5 CM-2(7) NIST_SP_800-53_R5_CM-2(7) NIST SP 800-53 Rev. 5 CM-2 (7) Configuration Management Configure Systems and Components for High-risk Areas Shared n/a (a) Issue [Assignment: organization-defined systems or system components] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and (b) Apply the following controls to the systems or components when the individuals return from travel: [Assignment: organization-defined controls]. link 2
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40 add 41172402-8d73-64c7-0921-909083c086b0
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC