last sync: 2024-Apr-24 17:46:58 UTC

Microsoft Managed Control 1565 - System Development Life Cycle | Regulatory Compliance - System and Services Acquisition

Azure BuiltIn Policy definition

Source: Azure Portal
Display name: Microsoft Managed Control 1565 - System Development Life Cycle
Id: 45ce2396-5c76-4654-9737-f8792ab3d26b
Version: 1.0.0
Category: Regulatory Compliance
Description: Microsoft implements this System and Services Acquisition control

Additional metadata
Name/Id: ACF1565 / Microsoft Managed Control 1565
Category: System and Services Acquisition
Title: System Development Life Cycle - Define/Document Information Security Roles And Responsibilities
Ownership: Customer, Microsoft
Description: The organization: Defines and documents information security roles and responsibilities throughout the system development life cycle;
Requirements: The SDL includes general criteria and job descriptions for security and privacy roles. These roles are filled during the Requirements Phase of the SDL process. These roles are consultative in nature, and provide the organizational structure necessary to identify, catalog, and mitigate security and privacy issues present in a software development project. As part of the SDL, Azure has defined a dedicated security team responsible for conducting reviews, setting standards, and monitoring compliance with regulatory requirements, standards, and policies. Specific roles and responsibilities for the team include:

* C+AI Security Assurance: This role is filled by security subject-matter experts (SMEs) from outside the project team. The Security Assurance team manages the SDL program and process within C+AI and conducts threat modeling sessions for project teams.
* Compliance and Privacy Advisor: The advisor (or group of individuals) from the compliance team is responsible for attesting to compliance (or non-compliance) with security and privacy requirements without interference from the project team.
* Team Champions: The team champion roles are filled by SMEs from the project team. These roles are responsible for the negotiation, acceptance, and tracking of minimum security and privacy requirements and maintaining clear lines of communication with advisors and decision makers during a software development project.
* A training and awareness team responsible for educating project teams about security standards, policies, and best practices.
* Help desk personnel to answer common questions and, as needed, escalate to the security and privacy SMEs.
* Personnel responsible for authoring checklists, standards, and even corporate policy to meet security and privacy requirements.
* Account management SME that acts as a liaison with application teams, manages the application portfolio, and ensures that the process for SDL compliance runs smoothly.
* Remediation and risk management personnel, who both prioritize applications for assessment and manage the remediation of high-risk vulnerabilities found during the assessment.
* The Operations team, which conducts network and host scanning post-assessment across the enterprise and production servers.
Mode: Indexed
Type: Static
Preview: False
Deprecated: False
Effect: Fixed (audit)
RBAC role(s): none
Rule aliases: none
Rule resource types: IF (2)
  Microsoft.Resources/subscriptions
  Microsoft.Resources/subscriptions/resourceGroups
Compliance: Not a Compliance control
Initiatives usage: none
History: none
JSON compare: n/a
JSON: api-version=2021-06-01