last sync: 2023-Jan-27 18:40:07 UTC

Azure Policy definition

Manage the transportation of assets

Name: Manage the transportation of assets
Id: 4ac81669-00e2-9790-8648-71bc11bc91eb
Version: 1.1.0
Category: Regulatory Compliance
Description: CMA_0370 - Manage the transportation of assets
Mode: All
Type: BuiltIn
Preview: FALSE
Deprecated: FALSE
Effect: Default = Manual; Allowed = Manual, Disabled
RBAC Role(s): none
Rule ResourceTypes: IF (1) Microsoft.Resources/subscriptions
Compliance

The following 35 compliance controls are associated with this Policy definition 'Manage the transportation of assets' (4ac81669-00e2-9790-8648-71bc11bc91eb)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 MP-5 FedRAMP_High_R4_MP-5 FedRAMP High MP-5 Media Protection Media Transport Shared n/a The organization: a. Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards]; b. Maintains accountability for information system media during transport outside of controlled areas; c. Documents activities associated with the transport of information system media; and d. Restricts the activities associated with the transport of information system media to authorized personnel. Supplemental Guidance: Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers), that are transported outside of controlled areas. Controlled areas are areas or spaces for which organizations provide sufficient physical and/or procedural safeguards to meet the requirements established for protecting information and/or information systems. Physical and technical safeguards for media are commensurate with the security category or classification of the information residing on the media. Safeguards to protect media during transport include, for example, locked containers and cryptography. Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used. Activities associated with transport include the actual transport as well as those activities such as releasing media for transport and ensuring that media enters the appropriate transport processes. For the actual transport, authorized transport and courier personnel may include individuals from outside the organization (e.g., U.S. Postal Service or a commercial transport or delivery service). Maintaining accountability of media during transport includes, for example, restricting transport activities to authorized personnel, and tracking and/or obtaining explicit records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of information system media in accordance with organizational assessments of risk to include the flexibility to define different record-keeping methods for the different types of media transport as part of an overall system of transport-related records. Related controls: AC-19, CP-9, MP-3, MP-4, RA-3, SC-8, SC-13, SC-28. References: FIPS Publication 199; NIST Special Publication 800-60. link 2
FedRAMP_High_R4 MP-5(4) FedRAMP_High_R4_MP-5(4) FedRAMP High MP-5 (4) Media Protection Cryptographic Protection Shared n/a The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas. Supplemental Guidance: This control enhancement applies to both portable storage devices (e.g., USB memory sticks, compact disks, digital video disks, external/removable hard disk drives) and mobile devices with storage capability (e.g., smart phones, tablets, E-readers). Related control: MP-2. References: FIPS Publication 199; NIST Special Publication 800-60. link 2
FedRAMP_High_R4 PE-16 FedRAMP_High_R4_PE-16 FedRAMP High PE-16 Physical And Environmental Protection Delivery And Removal Shared n/a The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items. Supplemental Guidance: Effectively enforcing authorizations for entry and exit of information system components may require restricting access to delivery areas and possibly isolating the areas from the information system and media libraries. Related controls: CM-3, MA-2, MA-3, MP-5, SA-12. References: None. link 2
FedRAMP_Moderate_R4 MP-5 FedRAMP_Moderate_R4_MP-5 FedRAMP Moderate MP-5 Media Protection Media Transport Shared n/a The organization: a. Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards]; b. Maintains accountability for information system media during transport outside of controlled areas; c. Documents activities associated with the transport of information system media; and d. Restricts the activities associated with the transport of information system media to authorized personnel. Supplemental Guidance: Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers), that are transported outside of controlled areas. Controlled areas are areas or spaces for which organizations provide sufficient physical and/or procedural safeguards to meet the requirements established for protecting information and/or information systems. Physical and technical safeguards for media are commensurate with the security category or classification of the information residing on the media. Safeguards to protect media during transport include, for example, locked containers and cryptography. Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used. Activities associated with transport include the actual transport as well as those activities such as releasing media for transport and ensuring that media enters the appropriate transport processes. For the actual transport, authorized transport and courier personnel may include individuals from outside the organization (e.g., U.S. Postal Service or a commercial transport or delivery service). Maintaining accountability of media during transport includes, for example, restricting transport activities to authorized personnel, and tracking and/or obtaining explicit records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of information system media in accordance with organizational assessments of risk to include the flexibility to define different record-keeping methods for the different types of media transport as part of an overall system of transport-related records. Related controls: AC-19, CP-9, MP-3, MP-4, RA-3, SC-8, SC-13, SC-28. References: FIPS Publication 199; NIST Special Publication 800-60. link 2
FedRAMP_Moderate_R4 MP-5(4) FedRAMP_Moderate_R4_MP-5(4) FedRAMP Moderate MP-5 (4) Media Protection Cryptographic Protection Shared n/a The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas. Supplemental Guidance: This control enhancement applies to both portable storage devices (e.g., USB memory sticks, compact disks, digital video disks, external/removable hard disk drives) and mobile devices with storage capability (e.g., smart phones, tablets, E-readers). Related control: MP-2. References: FIPS Publication 199; NIST Special Publication 800-60. link 2
FedRAMP_Moderate_R4 PE-16 FedRAMP_Moderate_R4_PE-16 FedRAMP Moderate PE-16 Physical And Environmental Protection Delivery And Removal Shared n/a The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items. Supplemental Guidance: Effectively enforcing authorizations for entry and exit of information system components may require restricting access to delivery areas and possibly isolating the areas from the information system and media libraries. Related controls: CM-3, MA-2, MA-3, MP-5, SA-12. References: None. link 2
hipaa 0301.09o1Organizational.123-09.o hipaa-0301.09o1Organizational.123-09.o 0301.09o1Organizational.123-09.o 03 Portable Media Security 0301.09o1Organizational.123-09.o 09.07 Media Handling Shared n/a The organization, based on the data classification level, registers media (including laptops) prior to use, places reasonable restrictions on how such media are used, and provides an appropriate level of physical and logical protection (including encryption) for media containing covered information until properly destroyed or sanitized. 14
hipaa 0302.09o2Organizational.1-09.o hipaa-0302.09o2Organizational.1-09.o 0302.09o2Organizational.1-09.o 03 Portable Media Security 0302.09o2Organizational.1-09.o 09.07 Media Handling Shared n/a The organization protects and controls media containing sensitive information during transport outside of controlled areas. 7
hipaa 0303.09o2Organizational.2-09.o hipaa-0303.09o2Organizational.2-09.o 0303.09o2Organizational.2-09.o 03 Portable Media Security 0303.09o2Organizational.2-09.o 09.07 Media Handling Shared n/a Digital and non-digital media requiring restricted use, and the specific safeguards used to restrict their use are identified. 6
hipaa 0305.09q1Organizational.12-09.q hipaa-0305.09q1Organizational.12-09.q 0305.09q1Organizational.12-09.q 03 Portable Media Security 0305.09q1Organizational.12-09.q 09.07 Media Handling Shared n/a Media is labeled, encrypted, and handled according to its classification. 7
hipaa 0308.09q3Organizational.1-09.q hipaa-0308.09q3Organizational.1-09.q 0308.09q3Organizational.1-09.q 03 Portable Media Security 0308.09q3Organizational.1-09.q 09.07 Media Handling Shared n/a Inventory and disposition records of media are maintained. 3
hipaa 0314.09q3Organizational.2-09.q hipaa-0314.09q3Organizational.2-09.q 0314.09q3Organizational.2-09.q 03 Portable Media Security 0314.09q3Organizational.2-09.q 09.07 Media Handling Shared n/a The organization implements cryptographic mechanisms to protect the confidentiality and integrity of sensitive (non-public) information stored on digital media during transport outside of controlled areas. 9
hipaa 0403.01x1System.8-01.x hipaa-0403.01x1System.8-01.x 0403.01x1System.8-01.x 04 Mobile Device Security 0403.01x1System.8-01.x 01.07 Mobile Computing and Teleworking Shared n/a The organization monitors for unauthorized connections of mobile devices. 7
hipaa 0426.01x2System.1-01.x hipaa-0426.01x2System.1-01.x 0426.01x2System.1-01.x 04 Mobile Device Security 0426.01x2System.1-01.x 01.07 Mobile Computing and Teleworking Shared n/a A centralized, mobile device management solution has been deployed to all mobile devices permitted to store, transmit, or process organizational and/or customer data, enforcing built-in detective and preventative controls. 7
hipaa 0505.09m2Organizational.3-09.m hipaa-0505.09m2Organizational.3-09.m 0505.09m2Organizational.3-09.m 05 Wireless Security 0505.09m2Organizational.3-09.m 09.06 Network Security Management Shared n/a Quarterly scans are performed to identify unauthorized wireless access points, and appropriate action is taken if any unauthorized access points are discovered. 8
hipaa 08101.09m2Organizational.14-09.m hipaa-08101.09m2Organizational.14-09.m 08101.09m2Organizational.14-09.m 08 Network Protection 08101.09m2Organizational.14-09.m 09.06 Network Security Management Shared n/a The organization uses secured and encrypted communication channels when migrating physical servers, applications, or data to virtualized servers. 8
hipaa 0947.09y2Organizational.2-09.y hipaa-0947.09y2Organizational.2-09.y 0947.09y2Organizational.2-09.y 09 Transmission Protection 0947.09y2Organizational.2-09.y 09.09 Electronic Commerce Services Shared n/a The organization ensures the storage of the transaction details are located outside of any publicly accessible environments (e.g., on a storage platform existing on the organization's intranet) and not retained and exposed on a storage medium directly accessible from the Internet. 11
hipaa 1816.08d2Organizational.4-08.d hipaa-1816.08d2Organizational.4-08.d 1816.08d2Organizational.4-08.d 18 Physical & Environmental Security 1816.08d2Organizational.4-08.d 08.01 Secure Areas Shared n/a Any security threats presented by neighboring premises are identified. 4
ISO27001-2013 A.11.1.6 ISO27001-2013_A.11.1.6 ISO 27001:2013 A.11.1.6 Physical And Environmental Security Delivering and loading areas Shared n/a Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access. link 5
ISO27001-2013 A.11.2.5 ISO27001-2013_A.11.2.5 ISO 27001:2013 A.11.2.5 Physical And Environmental Security Removal of assets Shared n/a Equipment, information or software shall not be taken off-site without prior authorization. link 6
ISO27001-2013 A.11.2.6 ISO27001-2013_A.11.2.6 ISO 27001:2013 A.11.2.6 Physical And Environmental Security Security of equipment and assets off-premises Shared n/a Security shall be applied to off-site assets taking into account the different risks of working outside the organization's premises. link 10
ISO27001-2013 A.8.2.3 ISO27001-2013_A.8.2.3 ISO 27001:2013 A.8.2.3 Asset Management Handling of assets Shared n/a Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization. link 26
ISO27001-2013 A.8.3.1 ISO27001-2013_A.8.3.1 ISO 27001:2013 A.8.3.1 Asset Management Management of removable media Shared n/a Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization. link 6
ISO27001-2013 A.8.3.3 ISO27001-2013_A.8.3.3 ISO 27001:2013 A.8.3.3 Asset Management Physical media transfer Shared n/a Media containing information shall be protected against unauthorized access, misuse or corruption during transportation. link 2
NIST_SP_800-171_R2 3.8.5 NIST_SP_800-171_R2_3.8.5 NIST SP 800-171 R2 3.8.5 Media Protection Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas. Shared Microsoft is responsible for implementing this requirement. Controlled areas are areas or spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting systems and information. Controls to maintain accountability for media during transport include locked containers and cryptography. Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used. Activities associated with transport include the actual transport as well as those activities such as releasing media for transport and ensuring that media enters the appropriate transport processes. For the actual transport, authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel and tracking and obtaining explicit records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. link 2
NIST_SP_800-171_R2 3.8.6 NIST_SP_800-171_R2_3.8.6 NIST SP 800-171 R2 3.8.6 Media Protection Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards. Shared Microsoft is responsible for implementing this requirement. This requirement applies to portable storage devices (e.g., USB memory sticks, digital video disks, compact disks, external or removable hard disk drives). See [NIST CRYPTO]. [SP 800-111] provides guidance on storage encryption technologies for end user devices. link 2
NIST_SP_800-53_R4 MP-5 NIST_SP_800-53_R4_MP-5 NIST SP 800-53 Rev. 4 MP-5 Media Protection Media Transport Shared n/a The organization: a. Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards]; b. Maintains accountability for information system media during transport outside of controlled areas; c. Documents activities associated with the transport of information system media; and d. Restricts the activities associated with the transport of information system media to authorized personnel. Supplemental Guidance: Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers), that are transported outside of controlled areas. Controlled areas are areas or spaces for which organizations provide sufficient physical and/or procedural safeguards to meet the requirements established for protecting information and/or information systems. Physical and technical safeguards for media are commensurate with the security category or classification of the information residing on the media. Safeguards to protect media during transport include, for example, locked containers and cryptography. Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used. Activities associated with transport include the actual transport as well as those activities such as releasing media for transport and ensuring that media enters the appropriate transport processes. For the actual transport, authorized transport and courier personnel may include individuals from outside the organization (e.g., U.S. Postal Service or a commercial transport or delivery service). Maintaining accountability of media during transport includes, for example, restricting transport activities to authorized personnel, and tracking and/or obtaining explicit records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of information system media in accordance with organizational assessments of risk to include the flexibility to define different record-keeping methods for the different types of media transport as part of an overall system of transport-related records. Related controls: AC-19, CP-9, MP-3, MP-4, RA-3, SC-8, SC-13, SC-28. References: FIPS Publication 199; NIST Special Publication 800-60. link 2
NIST_SP_800-53_R4 MP-5(4) NIST_SP_800-53_R4_MP-5(4) NIST SP 800-53 Rev. 4 MP-5 (4) Media Protection Cryptographic Protection Shared n/a The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas. Supplemental Guidance: This control enhancement applies to both portable storage devices (e.g., USB memory sticks, compact disks, digital video disks, external/removable hard disk drives) and mobile devices with storage capability (e.g., smart phones, tablets, E-readers). Related control: MP-2. References: FIPS Publication 199; NIST Special Publication 800-60. link 2
NIST_SP_800-53_R4 PE-16 NIST_SP_800-53_R4_PE-16 NIST SP 800-53 Rev. 4 PE-16 Physical And Environmental Protection Delivery And Removal Shared n/a The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items. Supplemental Guidance: Effectively enforcing authorizations for entry and exit of information system components may require restricting access to delivery areas and possibly isolating the areas from the information system and media libraries. Related controls: CM-3, MA-2, MA-3, MP-5, SA-12. References: None. link 2
NIST_SP_800-53_R5 MP-5 NIST_SP_800-53_R5_MP-5 NIST SP 800-53 Rev. 5 MP-5 Media Protection Media Transport Shared n/a a. Protect and control [Assignment: organization-defined types of system media] during transport outside of controlled areas using [Assignment: organization-defined controls]; b. Maintain accountability for system media during transport outside of controlled areas; c. Document activities associated with the transport of system media; and d. Restrict the activities associated with the transport of system media to authorized personnel. link 2
NIST_SP_800-53_R5 PE-16 NIST_SP_800-53_R5_PE-16 NIST SP 800-53 Rev. 5 PE-16 Physical and Environmental Protection Delivery and Removal Shared n/a a. Authorize and control [Assignment: organization-defined types of system components] entering and exiting the facility; and b. Maintain records of the system components. link 2
PCI_DSS_v4.0 9.4.3 PCI_DSS_v4.0_9.4.3 PCI DSS v4.0 9.4.3 Requirement 09: Restrict Physical Access to Cardholder Data Media with cardholder data is securely stored, accessed, distributed, and destroyed Shared n/a Media with cardholder data sent outside the facility is secured as follows: • Media sent outside the facility is logged. • Media is sent by secured courier or other delivery method that can be accurately tracked. • Offsite tracking logs include details about media location. link 2
PCI_DSS_v4.0 9.4.4 PCI_DSS_v4.0_9.4.4 PCI DSS v4.0 9.4.4 Requirement 09: Restrict Physical Access to Cardholder Data Media with cardholder data is securely stored, accessed, distributed, and destroyed Shared n/a Management approves all media with cardholder data that is moved outside the facility (including when media is distributed to individuals). link 2
SOC_2 CC6.7 SOC_2_CC6.7 SOC 2 Type 2 CC6.7 Logical and Physical Access Controls Restrict the movement of information to authorized users Shared The customer is responsible for implementing this recommendation. • Restricts the Ability to Perform Transmission — Data loss prevention processes and technologies are used to restrict ability to authorize and execute transmission, movement, and removal of information. • Uses Encryption Technologies or Secure Communication Channels to Protect Data — Encryption technologies or secured communication channels are used to protect transmission of data and other communications beyond connectivity access points. • Protects Removal Media — Encryption technologies and physical asset protections are used for removable media (such as USB drives and backup tapes), as appropriate. • Protects Mobile Devices — Processes are in place to protect mobile devices (such as laptops, smart phones, and tablets) that serve as information assets 30
SWIFT_CSCF_v2022 2.5 SWIFT_CSCF_v2022_2.5 SWIFT CSCF v2022 2.5 2. Reduce Attack Surface and Vulnerabilities Protect the confidentiality of SWIFT-related data transmitted or stored outside of the secure zone as part of operational processes. Shared n/a Sensitive SWIFT-related data that leaves the secure zone as a result of operating system/application back-ups, business transaction data replication for archiving or recovery purposes, or extraction for offline processing is protected when stored outside of a secure zone and is encrypted while in transit. link 7
History
Date/Time (UTC ymd) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add 4ac81669-00e2-9790-8648-71bc11bc91eb
Initiatives
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn