Name/Id: CMA_0358 / CMA_0358
Category: Operational
Title: Manage compliance activities
Ownership: Customer
Description: Microsoft recommends that your organization establish an Internal Audit and Compliance Program to oversee, monitor, and report on your organization's compliance obligations with organizational policies and procedures, regulatory frameworks, standards, and applicable legislation. It is recommended that the compliance management function(s) perform assessments to audit such compliance on a periodic basis. Microsoft recommends that your organization develop and implement an organization-wide strategy for continuously monitoring control effectiveness. Your organization may also consider obtaining legal advice related to legislative requirements.
An important aspect of risk management is the ability to monitor the security and privacy posture across the organization and the effectiveness of controls implemented within or inherited by organizational systems on an ongoing basis. An effective organization-wide continuous monitoring strategy is recommended to carry out such monitoring efficiently and cost-effectively. Continuous monitoring strategies can also include supply chain risk considerations. We recommend that the continuous monitoring strategy:
- Address monitoring requirements of your organization, mission/business process, and information system levels
- Identify the minimum monitoring frequency for implemented controls across the organization
- Define the ongoing control assessment approach
- Describe how ongoing assessments are to be conducted
- Define the monitoring frequency for each control
- Validate the consistent establishment of policies and operation of implemented controls
It is recommended that after an initial system or common control authorization, your organization assess all controls on an ongoing basis. It is recommended that ongoing control assessment continue as the information generated by continuous monitoring is correlated, analyzed, and reported to senior leaders. Microsoft advises that, to achieve near real-time risk management, your organization update security and privacy plans, security and privacy assessment reports, and plans of action and milestones on an ongoing basis. It is recommended to report the security and privacy posture of the system to the authorizing official and other organizational officials on an ongoing basis, in accordance with the organizational continuous monitoring strategy, to determine whether the risk remains acceptable. We recommend that your organization implement a system disposal strategy and execute the required actions when a system is removed from operation. It is recommended that your organization or third party display registered certifications and required licenses while carrying out any activities.
The Ohio Data Protection Act (SB 220) requires organizations to establish a cybersecurity program aligned with current versions of industry-recognized cybersecurity frameworks such as NIST, FISMA, HITECH, the FedRAMP security assessment framework, the Center for Internet Security Critical Security Controls for Effective Cyber Defense, and the ISO/IEC 27000 family.
The New Zealand Information Security Manual (NZISM) states that system owners seeking a dispensation for non-compliance with controls listed in the manual must obtain the dispensation from their Accreditation Authority. In the case of High-Grade Cryptographic Systems (HGCS), this Authority is the Director-General GCSB or a formal delegate. The NZISM also requires that physical security certifications in scope for an audit have been awarded by an appropriate physical security certification authority and are less than three (3) years old at the time of the audit. Additionally, the NZISM requires agencies to always keep systems that process, store or communicate NZEO information under the control of a New Zealand national working for the New Zealand government.
Requirements: The customer is responsible for implementing this recommendation.
Default: Manual
Allowed: Manual, Disabled
Rule resource types: IF (1) Microsoft.Resources/subscriptions
The following 5 compliance controls are associated with this Policy definition 'Manage compliance activities' (4e400494-53a5-5147-6f4d-718b539c7394):
Requirement 12: Support Information Security with Organizational Policies and Programs
PCI DSS compliance is managed
Responsibility is established by executive management for the protection of cardholder data and a PCI DSS compliance program to include:
• Overall accountability for maintaining PCI DSS compliance.
• Defining a charter for a PCI DSS compliance program and communication to executive management.