AzPolicyAdvertizer

last sync: 2023-Dec-06 18:52:29 UTC

Azure Policy definition

Manage compliance activities | Regulatory Compliance - Operational

Source

Azure Portal

Display name

Manage compliance activities

4e400494-53a5-5147-6f4d-718b539c7394

Version

1.1.0
Details on versioning

Category

Regulatory Compliance
Microsoft Learn

Description

CMA_0358 - Manage compliance activities

Additional metadata

Name/Id: CMA_0358 / CMA_0358
Category: Operational
Title: Manage compliance activities
Ownership: Customer
Description: Microsoft recommends that your organization establish an Internal Audit and Compliance Program to oversee, monitor, and report on your organization's compliance obligations with organizational policies and procedures, regulatory frameworks, standards, and applicable legislation. It is recommended that the compliance management function(s) perform assessments to audit such compliance on a periodic basis. Microsoft recommends that your organization develop and implement an organization-wide strategy for continuously monitoring control effectiveness. Your organization may also consider obtaining legal advice related to legislative requirements. An important aspect of risk management is the ability to monitor the security and privacy posture across the organization and the effectiveness of controls implemented within or inherited by organizational systems on an ongoing basis. An effective organization-wide continuous monitoring strategy is recommended to carry out such monitoring efficiently and cost-effectively. Continuous monitoring strategies can also include supply chain risk considerations. We recommend that the continuous monitoring strategy: - Address monitoring requirements of your organization, mission/business process, and information system levels - Identify the minimum monitoring frequency for implemented controls across the organization - Define the ongoing control assessment approach - Describe how ongoing assessments are to be conducted - Define the monitoring frequency for each control - Validate the consistent establishment of policies and operation of implemented controls It is recommended that after an initial system or common control authorization, your organization assess all controls on an ongoing basis. It is recommended that an ongoing control assessment continue as the information generated as part of continuous monitoring is correlated, analyzed, and reported to senior leaders. Microsoft advises that to achieve near real-time risk management, your organization update security and privacy plans, security, and privacy assessment reports, and plans of action and milestones on an ongoing basis. It is recommended to report the security and privacy posture of the system to the authorizing official and other organizational officials on an ongoing basis in accordance with the organizational continuous monitoring strategy to determine whether the risk remains acceptable. We recommended that your organization implement a system disposal strategy and execute required actions when a system is removed from operation. It is recommended that your organization or third party display registered certifications and required licenses while carrying out any activities. The Ohio Data Protection Act (SB 220) requires organizations to establish a cybersecurity program aligned with current versions of industry recognized cybersecurity frameworks like NIST, FISMA, HITECH, FedRAMP security assessment framework, center for internet security critical security controls for effective cyber defense and ISO/IEC 27000 family. The New Zealand Information Security Manual (NZISM) states that system owners seeking a dispensation for non-compliance with controls listed in the manual must obtain the dispensation from their Accreditation Authority. This Authority would be the Director-General GCSB or a formal delegate in the case of High-Grade Cryptographic Systems (HGCS). The NZISM also requires that physical security certifications in scope for an audit have been awarded by an appropriate physical security certification authority and are less than three (3) years old at the time of the audit. Additionally, the NZISM requires Agencies to always maintain control under a New Zealand national working for the New Zealand government of systems processing, storing or communicating NZEO information.
Requirements: The customer is responsible for implementing this recommendation.

Mode

All

Type

BuiltIn

Preview

False

Deprecated

False

Effect

Default
Manual
Allowed
Manual, Disabled

RBAC role(s)

none

Rule aliases

none

Rule resource types

IF (1)
Microsoft.Resources/subscriptions

Compliance

The following 5 compliance controls are associated with this Policy definition 'Manage compliance activities' (4e400494-53a5-5147-6f4d-718b539c7394)

Control Domain	Control	Name	MetadataId	Category	Title	Owner	Requirements	Description	Info	Policy#
hipaa	1901.06d1Organizational.1-06.d	hipaa-1901.06d1Organizational.1-06.d	1901.06d1Organizational.1-06.d	19 Data Protection & Privacy	1901.06d1Organizational.1-06.d 06.01 Compliance with Legal Requirements	Shared	n/a	The organization has formally appointed a qualified data protection officer, reporting to senior management, and who is directly and fully responsible for the privacy of covered information.		3
hipaa	19134.05j1Organizational.5-05.j	hipaa-19134.05j1Organizational.5-05.j	19134.05j1Organizational.5-05.j	19 Data Protection & Privacy	19134.05j1Organizational.5-05.j 05.02 External Parties	Shared	n/a	The public has access to information about the organization's security and privacy activities and is able to communicate with its senior security official and senior privacy official.		12
ISO27001-2013	A.18.1.4	ISO27001-2013_A.18.1.4	ISO 27001:2013 A.18.1.4	Compliance	Privacy and protection of personally identifiable information	Shared	n/a	Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable.	link	6
ISO27001-2013	A.5.1.1	ISO27001-2013_A.5.1.1	ISO 27001:2013 A.5.1.1	Information Security Policies	Policies for information security	Shared	n/a	A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.	link	42
PCI_DSS_v4.0	12.4.1	PCI_DSS_v4.0_12.4.1	PCI DSS v4.0 12.4.1	Requirement 12: Support Information Security with Organizational Policies and Programs	PCI DSS compliance is managed	Shared	n/a	Responsibility is established by executive management for the protection of cardholder data and a PCI DSS compliance program to include: • Overall accountability for maintaining PCI DSS compliance. • Defining a charter for a PCI DSS compliance program and communication to executive management.	link	5

Initiatives usage

Initiative DisplayName	Initiative Id	Initiative Category	State	Type
HITRUST/HIPAA	a169a624-5599-4385-a696-c8d643089fab	Regulatory Compliance	GA	BuiltIn
ISO 27001:2013	89c6cddc-1c73-4ac1-b19c-54d1a15a42f2	Regulatory Compliance	GA	BuiltIn
PCI DSS v4	c676748e-3af9-4e22-bc28-50feed564afb	Regulatory Compliance	GA	BuiltIn

History

Date/Time (UTC ymd) (i)	Change type	Change detail
2022-09-27 16:35:32	change	Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40	add	4e400494-53a5-5147-6f4d-718b539c7394

JSON compare

compare mode: version left: version right:

JSON

api-version=2021-06-01
EPAC