last sync: 2024-Apr-24 17:46:58 UTC

Identify external service providers | Regulatory Compliance - Documentation

Azure BuiltIn Policy definition

Source: Azure Portal
Display name: Identify external service providers
Id: 46ab2c5e-6654-1f58-8c83-e97a44f39308
Version: 1.1.0
Category: Regulatory Compliance
Description: CMA_C1591 - Identify external service providers
Additional metadata:
  Name/Id: CMA_C1591 / CMA_C1591
  Category: Documentation
  Title: Identify external service providers
  Ownership: Customer
  Description: The customer is responsible for requiring external service providers to identify the functions, ports, protocols, and other services required for the use of that service.
  Requirements: The customer is responsible for implementing this recommendation.
Mode: All
Type: BuiltIn
Preview: False
Deprecated: False
Effect: Default Manual; allowed values Manual, Disabled. A Manual-effect policy does not evaluate resource configuration; its compliance state is set by attestation on the assignment.
RBAC role(s): none
Rule aliases: none
Rule resource types: IF (1) Microsoft.Resources/subscriptions
Compliance
The following 15 compliance controls are associated with this Policy definition 'Identify external service providers' (46ab2c5e-6654-1f58-8c83-e97a44f39308)
Control Domain | Control Name | MetadataId | Category | Title | Owner | Requirements | Description | Policy# (policy definitions mapped to the control)
FedRAMP_High_R4 | SA-9(2) | FedRAMP_High_R4_SA-9(2) | FedRAMP High SA-9 (2) System And Services Acquisition | Identification Of Functions / Ports / Protocols / Services | Shared | n/a | The organization requires providers of [Assignment: organization-defined external information system services] to identify the functions, ports, protocols, and other services required for the use of such services. Supplemental Guidance: Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be particularly useful when the need arises to understand the trade-offs involved in restricting certain functions/services or blocking certain ports/protocols. Related control: CM-7. | 1
FedRAMP_Moderate_R4 | SA-9(2) | FedRAMP_Moderate_R4_SA-9(2) | FedRAMP Moderate SA-9 (2) System And Services Acquisition | Identification Of Functions / Ports / Protocols / Services | Shared | n/a | The organization requires providers of [Assignment: organization-defined external information system services] to identify the functions, ports, protocols, and other services required for the use of such services. Supplemental Guidance: Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be particularly useful when the need arises to understand the trade-offs involved in restricting certain functions/services or blocking certain ports/protocols. Related control: CM-7. | 1
hipaa | 0837.09.n2Organizational.2-09.n | hipaa-0837.09.n2Organizational.2-09.n | 0837.09.n2Organizational.2-09.n 08 Network Protection | 0837.09.n2Organizational.2-09.n 09.06 Network Security Management | Shared | n/a | Formal agreements with external information system providers include specific obligations for security and privacy. | 20
hipaa | 0870.09m3Organizational.20-09.m | hipaa-0870.09m3Organizational.20-09.m | 0870.09m3Organizational.20-09.m 08 Network Protection | 0870.09m3Organizational.20-09.m 09.06 Network Security Management | Shared | n/a | Access to all proxies is denied, except for those hosts, ports, and services that are explicitly required. | 8
hipaa | 0949.09y2Organizational.5-09.y | hipaa-0949.09y2Organizational.5-09.y | 0949.09y2Organizational.5-09.y 09 Transmission Protection | 0949.09y2Organizational.5-09.y 09.09 Electronic Commerce Services | Shared | n/a | The protocols used for communications are enhanced to address any new vulnerability, and the updated versions of the protocols are adopted as soon as possible. | 6
hipaa | 0960.09sCSPOrganizational.1-09.s | hipaa-0960.09sCSPOrganizational.1-09.s | 0960.09sCSPOrganizational.1-09.s 09 Transmission Protection | 0960.09sCSPOrganizational.1-09.s 09.08 Exchange of Information | Shared | n/a | Cloud service providers use secure (e.g., non-clear text and authenticated) standardized network protocols for the import and export of data and to manage the service, and make available a document to consumers (tenants) detailing the relevant interoperability and portability standards that are involved. | 2
hipaa | 1422.05j2Organizational.3-05.j | hipaa-1422.05j2Organizational.3-05.j | 1422.05j2Organizational.3-05.j 14 Third Party Assurance | 1422.05j2Organizational.3-05.j 05.02 External Parties | Shared | n/a | All security requirements resulting from work with external parties or internal controls are reflected by the agreement with the external party. | 6
hipaa | 1454.05kCSPOrganizational.3-05.k | hipaa-1454.05kCSPOrganizational.3-05.k | 1454.05kCSPOrganizational.3-05.k 14 Third Party Assurance | 1454.05kCSPOrganizational.3-05.k 05.02 External Parties | Shared | n/a | Service agreements (e.g., SLAs) between providers and customers (tenants) across the relevant supply chain (upstream/downstream) are reviewed consistently and no less than annually to identify any non-conformance to established agreements. The reviews result in actions to address service-level conflicts or inconsistencies resulting from disparate supplier relationships. | 8
hipaa | 1786.10a1Organizational.9-10.a | hipaa-1786.10a1Organizational.9-10.a | 1786.10a1Organizational.9-10.a 17 Risk Management | 1786.10a1Organizational.9-10.a 10.01 Security Requirements of Information Systems | Shared | n/a | The organization requires developers of information systems, components, and developers or providers of services to identify (document) early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use. | 4
ISO27001-2013 | A.13.2.2 | ISO27001-2013_A.13.2.2 | ISO 27001:2013 A.13.2.2 Communications Security | Agreements on information transfer | Shared | n/a | Agreements shall address the secure transfer of business information between the organization and external parties. | 11
ISO27001-2013 | A.14.1.1 | ISO27001-2013_A.14.1.1 | ISO 27001:2013 A.14.1.1 System Acquisition, Development And Maintenance | Information security requirements analysis and specification | Shared | n/a | The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems. | 24
ISO27001-2013 | A.15.1.2 | ISO27001-2013_A.15.1.2 | ISO 27001:2013 A.15.1.2 Supplier Relationships | Addressing security within supplier agreement | Shared | n/a | All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization's information. | 24
NIST_SP_800-53_R4 | SA-9(2) | NIST_SP_800-53_R4_SA-9(2) | NIST SP 800-53 Rev. 4 SA-9 (2) System And Services Acquisition | Identification Of Functions / Ports / Protocols / Services | Shared | n/a | The organization requires providers of [Assignment: organization-defined external information system services] to identify the functions, ports, protocols, and other services required for the use of such services. Supplemental Guidance: Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be particularly useful when the need arises to understand the trade-offs involved in restricting certain functions/services or blocking certain ports/protocols. Related control: CM-7. | 1
NIST_SP_800-53_R5 | SA-9(2) | NIST_SP_800-53_R5_SA-9(2) | NIST SP 800-53 Rev. 5 SA-9 (2) System and Services Acquisition | Identification of Functions, Ports, Protocols, and Services | Shared | n/a | Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: [Assignment: organization-defined external system services]. | 1
PCI_DSS_v4.0 | 1.2.5 | PCI_DSS_v4.0_1.2.5 | PCI DSS v4.0 1.2.5 Requirement 01: Install and Maintain Network Security Controls | Network security controls (NSCs) are configured and maintained | Shared | n/a | All services, protocols, and ports allowed are identified, approved, and have a defined business need. | 2
Initiatives usage
Initiative DisplayName | Initiative Id | Initiative Category | State | Type
FedRAMP High | d5264498-16f4-418a-b659-fa7ef418175f | Regulatory Compliance | GA | BuiltIn
FedRAMP Moderate | e95f5a9f-57ad-4d03-bb0b-b1d16db93693 | Regulatory Compliance | GA | BuiltIn
HITRUST/HIPAA | a169a624-5599-4385-a696-c8d643089fab | Regulatory Compliance | GA | BuiltIn
ISO 27001:2013 | 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 | Regulatory Compliance | GA | BuiltIn
NIST SP 800-53 Rev. 4 | cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f | Regulatory Compliance | GA | BuiltIn
NIST SP 800-53 Rev. 5 | 179d1daa-458f-4e47-8086-2a68d0d6c38f | Regulatory Compliance | GA | BuiltIn
PCI DSS v4 | c676748e-3af9-4e22-bc28-50feed564afb | Regulatory Compliance | GA | BuiltIn
History
Date/Time (UTC, yyyy-mm-dd) | Change type | Change detail
2022-09-27 16:35:32 | change | Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40 | add | 46ab2c5e-6654-1f58-8c83-e97a44f39308