last sync: 2024-Jul-26 18:17:39 UTC

Manage compliance activities | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source: Azure Portal
Display name: Manage compliance activities
Id: 4e400494-53a5-5147-6f4d-718b539c7394
Version: 1.1.0
Category: Regulatory Compliance
Description: CMA_0358 - Manage compliance activities
Additional metadata:
Name/Id: CMA_0358 / CMA_0358
Category: Operational
Title: Manage compliance activities
Ownership: Customer
Description: Microsoft recommends that your organization establish an Internal Audit and Compliance Program to oversee, monitor, and report on your organization's compliance obligations with organizational policies and procedures, regulatory frameworks, standards, and applicable legislation. It is recommended that the compliance management function(s) perform assessments to audit such compliance on a periodic basis. Microsoft recommends that your organization develop and implement an organization-wide strategy for continuously monitoring control effectiveness. Your organization may also consider obtaining legal advice related to legislative requirements. An important aspect of risk management is the ability to monitor the security and privacy posture across the organization, and the effectiveness of controls implemented within or inherited by organizational systems, on an ongoing basis. An effective organization-wide continuous monitoring strategy is recommended to carry out such monitoring efficiently and cost-effectively. Continuous monitoring strategies can also include supply chain risk considerations. We recommend that the continuous monitoring strategy:
- Address monitoring requirements at the organization, mission/business process, and information system levels
- Identify the minimum monitoring frequency for implemented controls across the organization
- Define the ongoing control assessment approach
- Describe how ongoing assessments are to be conducted
- Define the monitoring frequency for each control
- Validate the consistent establishment of policies and operation of implemented controls
It is recommended that after an initial system or common control authorization, your organization assess all controls on an ongoing basis. It is recommended that ongoing control assessment continue as the information generated as part of continuous monitoring is correlated, analyzed, and reported to senior leaders.
Microsoft advises that, to achieve near real-time risk management, your organization update security and privacy plans, security and privacy assessment reports, and plans of action and milestones on an ongoing basis. It is recommended to report the security and privacy posture of the system to the authorizing official and other organizational officials on an ongoing basis, in accordance with the organizational continuous monitoring strategy, to determine whether the risk remains acceptable. We recommend that your organization implement a system disposal strategy and execute the required actions when a system is removed from operation. It is recommended that your organization or third party display registered certifications and required licenses while carrying out any activities. The Ohio Data Protection Act (SB 220) requires organizations to establish a cybersecurity program aligned with current versions of industry-recognized cybersecurity frameworks such as NIST, FISMA, HITECH, the FedRAMP security assessment framework, the Center for Internet Security Critical Security Controls for Effective Cyber Defense, and the ISO/IEC 27000 family. The New Zealand Information Security Manual (NZISM) states that system owners seeking a dispensation for non-compliance with controls listed in the manual must obtain the dispensation from their Accreditation Authority. This Authority would be the Director-General GCSB or a formal delegate in the case of High-Grade Cryptographic Systems (HGCS). The NZISM also requires that physical security certifications in scope for an audit have been awarded by an appropriate physical security certification authority and are less than three (3) years old at the time of the audit. Additionally, the NZISM requires agencies to always maintain control of systems processing, storing or communicating NZEO information under a New Zealand national working for the New Zealand government.
Requirements: The customer is responsible for implementing this recommendation.
Mode: All
Type: BuiltIn
Preview: False
Deprecated: False
Effect: Default: Manual; Allowed: Manual, Disabled
RBAC role(s): none
Rule aliases: none
Rule resource types (IF, 1): Microsoft.Resources/subscriptions
Compliance
The following 8 compliance controls are associated with this Policy definition 'Manage compliance activities' (4e400494-53a5-5147-6f4d-718b539c7394)
Control Domain | Control, Name, MetadataId | Category | Title | Owner | Requirements | Description | Policy#
hipaa | 1901.06d1Organizational.1-06.d, hipaa-1901.06d1Organizational.1-06.d, 1901.06d1Organizational.1-06.d | 19 Data Protection & Privacy | 1901.06d1Organizational.1-06.d 06.01 Compliance with Legal Requirements | Shared | n/a | The organization has formally appointed a qualified data protection officer, reporting to senior management, who is directly and fully responsible for the privacy of covered information. | 3
hipaa | 19134.05j1Organizational.5-05.j, hipaa-19134.05j1Organizational.5-05.j, 19134.05j1Organizational.5-05.j | 19 Data Protection & Privacy | 19134.05j1Organizational.5-05.j 05.02 External Parties | Shared | n/a | The public has access to information about the organization's security and privacy activities and is able to communicate with its senior security official and senior privacy official. | 12
ISO27001-2013 | A.18.1.4, ISO27001-2013_A.18.1.4, ISO 27001:2013 A.18.1.4 | Compliance | Privacy and protection of personally identifiable information | Shared | n/a | Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable. | 6
ISO27001-2013 | A.5.1.1, ISO27001-2013_A.5.1.1, ISO 27001:2013 A.5.1.1 | Information Security Policies | Policies for information security | Shared | n/a | A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties. | 42
 | mp.info.1, Personal data, mp.info.1 | Personal data | 404 not found | n/a | n/a | | 33
 | mp.s.2, Protection of web services and applications, mp.s.2 | Protection of web services and applications | 404 not found | n/a | n/a | | 102
 | org.1, Security policy, org.1 | Security policy | 404 not found | n/a | n/a | | 94
PCI_DSS_v4.0 | 12.4.1, PCI_DSS_v4.0_12.4.1, PCI DSS v4.0 12.4.1 | Requirement 12: Support Information Security with Organizational Policies and Programs | PCI DSS compliance is managed | Shared | n/a | Responsibility is established by executive management for the protection of cardholder data and a PCI DSS compliance program, to include: • Overall accountability for maintaining PCI DSS compliance. • Defining a charter for a PCI DSS compliance program and communication to executive management. | 5
Initiatives usage
Initiative DisplayName | Initiative Id | Initiative Category | State | Type
HITRUST/HIPAA | a169a624-5599-4385-a696-c8d643089fab | Regulatory Compliance | GA | BuiltIn
ISO 27001:2013 | 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 | Regulatory Compliance | GA | BuiltIn
PCI DSS v4 | c676748e-3af9-4e22-bc28-50feed564afb | Regulatory Compliance | GA | BuiltIn
Spain ENS | 175daf90-21e1-4fec-b745-7b4c909aa94c | Regulatory Compliance | GA | BuiltIn
History
Date/Time (UTC ymd) | Change type | Change detail
2022-09-27 16:35:32 | change | Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40 | add | 4e400494-53a5-5147-6f4d-718b539c7394