AzPolicyAdvertizer

last sync: 2023-Jun-02 17:44:47 UTC

Azure Policy definition

Maintain list of authorized remote maintenance personnel

Name Maintain list of authorized remote maintenance personnel
Azure Portal
Id 4ce91e4e-6dab-3c46-011a-aa14ae1561bf
Version 1.1.0
details on versioning
Category Regulatory Compliance
Microsoft docs
Description CMA_C1420 - Maintain list of authorized remote maintenance personnel
Mode All
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default
Manual
Allowed
Manual, Disabled
RBAC
Role(s)		 none
Rule
Aliases
Rule
ResourceTypes		 IF (1)
Microsoft.Resources/subscriptions
Compliance The following 8 compliance controls are associated with this Policy definition 'Maintain list of authorized remote maintenance personnel' (4ce91e4e-6dab-3c46-011a-aa14ae1561bf)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 MA-5 FedRAMP_High_R4_MA-5 FedRAMP High MA-5 Maintenance Maintenance Personnel Shared n/a The organization: a. Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel; b. Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and c. Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations. Supplemental Guidance: This control applies to individuals performing hardware or software maintenance on organizational information systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems (e.g., custodial staff, physical plant maintenance personnel). Technical competence of supervising individuals relates to the maintenance performed on the information systems while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to organizational information systems, for example, when required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods. Related controls: AC-2, IA-8, MP-2, PE-2, PE-3, PE-4, RA-3. References: None. link 3
FedRAMP_Moderate_R4 MA-5 FedRAMP_Moderate_R4_MA-5 FedRAMP Moderate MA-5 Maintenance Maintenance Personnel Shared n/a The organization: a. Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel; b. Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and c. Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations. Supplemental Guidance: This control applies to individuals performing hardware or software maintenance on organizational information systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems (e.g., custodial staff, physical plant maintenance personnel). Technical competence of supervising individuals relates to the maintenance performed on the information systems while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to organizational information systems, for example, when required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods. Related controls: AC-2, IA-8, MP-2, PE-2, PE-3, PE-4, RA-3. References: None. link 3
hipaa 18109.08j1Organizational.4-08.j hipaa-18109.08j1Organizational.4-08.j 18109.08j1Organizational.4-08.j 18 Physical & Environmental Security 18109.08j1Organizational.4-08.j 08.02 Equipment Security Shared n/a The organization maintains a list of authorized maintenance organizations or personnel, ensures that non-escorted personnel performing maintenance on the information system have required access authorizations, and designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations. 4
hipaa 1819.08j1Organizational.23-08.j hipaa-1819.08j1Organizational.23-08.j 1819.08j1Organizational.23-08.j 18 Physical & Environmental Security 1819.08j1Organizational.23-08.j 08.02 Equipment Security Shared n/a Maintenance and service are controlled and conducted by authorized personnel in accordance with supplier-recommended intervals, insurance policies and the organization’s maintenance program, taking into account whether this maintenance is performed by personnel on site or external to the organization. 7
ISO27001-2013 A.11.1.2 ISO27001-2013_A.11.1.2 ISO 27001:2013 A.11.1.2 Physical And Environmental Security Physical entry controls Shared n/a Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. link 9
NIST_SP_800-171_R2_3 .7.6 NIST_SP_800-171_R2_3.7.6 NIST SP 800-171 R2 3.7.6 Maintenance Supervise the maintenance activities of maintenance personnel without required access authorization. Shared Microsoft and the customer share responsibilities for implementing this requirement. This requirement applies to individuals who are performing hardware or software maintenance on organizational systems, while 3.10.1 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems (e.g., custodial staff, physical plant maintenance personnel). Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, consultants, and systems integrators, may require privileged access to organizational systems, for example, when required to conduct maintenance activities with little or no notice. Organizations may choose to issue temporary credentials to these individuals based on organizational risk assessments. Temporary credentials may be for one-time use or for very limited time periods. link 3
NIST_SP_800-53_R4 MA-5 NIST_SP_800-53_R4_MA-5 NIST SP 800-53 Rev. 4 MA-5 Maintenance Maintenance Personnel Shared n/a The organization: a. Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel; b. Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and c. Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations. Supplemental Guidance: This control applies to individuals performing hardware or software maintenance on organizational information systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems (e.g., custodial staff, physical plant maintenance personnel). Technical competence of supervising individuals relates to the maintenance performed on the information systems while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to organizational information systems, for example, when required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods. Related controls: AC-2, IA-8, MP-2, PE-2, PE-3, PE-4, RA-3. References: None. link 3
NIST_SP_800-53_R5 MA-5 NIST_SP_800-53_R5_MA-5 NIST SP 800-53 Rev. 5 MA-5 Maintenance Maintenance Personnel Shared n/a a. Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel; b. Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and c. Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations. link 3
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add 4ce91e4e-6dab-3c46-011a-aa14ae1561bf
Initiatives
usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
JSON