| Source | Azure Portal | ||
| Display name | Microsoft Managed Control 1565 - System Development Life Cycle | ||
| Id | 45ce2396-5c76-4654-9737-f8792ab3d26b | ||
| Version | 1.0.0 Details on versioning |
||
| Category | Regulatory Compliance Microsoft Learn |
||
| Description | Microsoft implements this System and Services Acquisition control | ||
| Additional metadata |
Name/Id: ACF1565 / Microsoft Managed Control 1565 Category: System and Services Acquisition Title: System Development Life Cycle - Define/Document Information Security Roles And Responsibilities Ownership: Customer, Microsoft Description: The organization: Defines and documents information security roles and responsibilities throughout the system development life cycle; Requirements: The SDL includes general criteria and job descriptions for security and privacy roles. These roles are filled during the Requirements Phase of the SDL process. These roles are consultative in nature, and provide the organizational structure necessary to identify, catalog, and mitigate security and privacy issues present in a software development project. As part of the SDL, Azure has defined a dedicated security team responsible for conducting reviews, setting standards, and monitoring compliance with regulatory requirements, standards, and policies. Specific roles and responsibilities for the team include: * C+AI Security Assurance: This role is filled by security subject-matter experts (SMEs) from outside the project team. The Security Assurance team manages the SDL program and process within C+AI and conducts threat modeling sessions for project teams. * Compliance and Privacy Advisor: The advisor (or group of individuals) from the compliance team is responsible for attesting to compliance (or non-compliance) with security and privacy requirements without interference from the project team. * Team Champions: The team champion roles are filled by SMEs from the project team. These roles are responsible for the negotiation, acceptance, and tracking of minimum security and privacy requirements and maintaining clear lines of communication with advisors and decision makers during a software development project. * A training and awareness team responsible for educating project teams about security standards, policies, and best practices. * Help desk personnel to answer common questions and, as needed, escalate to the security and privacy SMEs. * Personnel responsible for authoring checklists, standards, and even corporate policy to meet security and privacy requirements. * Account management SME that acts as a liaison with application teams, manages the application portfolio, and ensures that the process for SDL compliance runs smoothly. * Remediation and risk management personnel, who both prioritize applications for assessment and manage the remediation of high-risk vulnerabilities found during the assessment. * The Operations team which conducts network and host scanning post-assessment across the enterprise and production servers. |
||
| Mode | Indexed | ||
| Type | Static | ||
| Preview | False | ||
| Deprecated | False | ||
| Effect | Fixed audit |
||
| RBAC role(s) | none | ||
| Rule aliases | none | ||
| Rule resource types | IF (2) Microsoft.Resources/subscriptions Microsoft.Resources/subscriptions/resourceGroups |
||
| Compliance | Not a Compliance control | ||
| Initiatives usage | none | ||
| History | none | ||
| JSON compare | n/a | ||
| JSON |
|