last sync: 2024-Oct-03 17:51:34 UTC

Restrict communications | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Restrict communications
Id 5020f3f4-a579-2f28-72a8-283c5a0b15f9
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_0449 - Restrict communications
Additional metadata Name/Id: CMA_0449 / CMA_0449
Category: Operational
Title: Restrict communications
Ownership: Customer
Description: Microsoft recommends that your organization restrict communications between two groups or certain people inside your organization in order to avoid a conflict of interest and safeguard internal information. It is recommended that your organization's employees are aware of their responsibilities related to protecting the confidentiality of organizational information. Your organization may also implement restrictions such as requiring encryption for messages sent internally, including via collaboration platforms, email and fax. **How to Use Microsoft Solutions to Implement** Your organization can use the Azure data protection considerations to protect data assets. For more information, please see: https://docs.microsoft.com/azure/architecture/framework/security/design-storage.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 18 compliance controls are associated with this Policy definition 'Restrict communications' (5020f3f4-a579-2f28-72a8-283c5a0b15f9)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
hipaa 1902.06d1Organizational.2-06.d hipaa-1902.06d1Organizational.2-06.d 1902.06d1Organizational.2-06.d 19 Data Protection & Privacy 1902.06d1Organizational.2-06.d 06.01 Compliance with Legal Requirements Shared n/a When required, consent is obtained before any PII (e.g., about a client/customer) is emailed, faxed, or communicated by telephone conversation, or otherwise disclosed to parties external to the organization. 11
hipaa 19243.06d1Organizational.15-06.d hipaa-19243.06d1Organizational.15-06.d 19243.06d1Organizational.15-06.d 19 Data Protection & Privacy 19243.06d1Organizational.15-06.d 06.01 Compliance with Legal Requirements Shared n/a The organization specifies where covered information can be stored. 9
ISO27001-2013 A.10.1.1 ISO27001-2013_A.10.1.1 ISO 27001:2013 A.10.1.1 Cryptography Policy on the use of cryptographic controls Shared n/a A policy on the use of cryptographic controls for protection of information shall be developed and implemented. link 17
mp.info.3 Electronic signature mp.info.3 Electronic signature 404 not found n/a n/a 40
mp.si.2 Cryptography mp.si.2 Cryptography 404 not found n/a n/a 32
mp.si.4 Transport mp.si.4 Transport 404 not found n/a n/a 24
op.acc.6 Authentication mechanism (organization users) op.acc.6 Authentication mechanism (organization users) 404 not found n/a n/a 78
PCI_DSS_v4.0 3.3.1 PCI_DSS_v4.0_3.3.1 PCI DSS v4.0 3.3.1 Requirement 03: Protect Stored Account Data Sensitive authentication data (SAD) is not stored after authorization Shared n/a SAD is not retained after authorization, even if encrypted. All sensitive authentication data received is rendered unrecoverable upon completion of the authorization process. link 8
PCI_DSS_v4.0 3.3.1.1 PCI_DSS_v4.0_3.3.1.1 PCI DSS v4.0 3.3.1.1 Requirement 03: Protect Stored Account Data Sensitive authentication data (SAD) is not stored after authorization Shared n/a The full contents of any track are not retained upon completion of the authorization process. link 8
PCI_DSS_v4.0 3.3.1.2 PCI_DSS_v4.0_3.3.1.2 PCI DSS v4.0 3.3.1.2 Requirement 03: Protect Stored Account Data Sensitive authentication data (SAD) is not stored after authorization Shared n/a The card verification code is not retained upon completion of the authorization process. link 5
PCI_DSS_v4.0 3.3.1.3 PCI_DSS_v4.0_3.3.1.3 PCI DSS v4.0 3.3.1.3 Requirement 03: Protect Stored Account Data Sensitive authentication data (SAD) is not stored after authorization Shared n/a The personal identification number (PIN) and the PIN block are not retained upon completion of the authorization process. link 8
PCI_DSS_v4.0 3.3.3 PCI_DSS_v4.0_3.3.3 PCI DSS v4.0 3.3.3 Requirement 03: Protect Stored Account Data Sensitive authentication data (SAD) is not stored after authorization Shared n/a Additional requirement for issuers and companies that support issuing services and store sensitive authentication data: Any storage of sensitive authentication data is: • Limited to that which is needed for a legitimate issuing business need and is secured. • Encrypted using strong cryptography. This bullet is a best practice until its effective date; refer to Applicability Notes below for details. link 13
PCI_DSS_v4.0 3.4.1 PCI_DSS_v4.0_3.4.1 PCI DSS v4.0 3.4.1 Requirement 03: Protect Stored Account Data Access to displays of full PAN and ability to copy cardholder data are restricted Shared n/a PAN is masked when displayed (the BIN and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see more than the BIN and last four digits of the PAN. link 3
PCI_DSS_v4.0 3.4.2 PCI_DSS_v4.0_3.4.2 PCI DSS v4.0 3.4.2 Requirement 03: Protect Stored Account Data Access to displays of full PAN and ability to copy cardholder data are restricted Shared n/a When using remote-access technologies, technical controls prevent copy and/or relocation of PAN for all personnel, except for those with documented, explicit authorization and a legitimate, defined business need. link 3
SOC_2 CC2.3 SOC_2_CC2.3 SOC 2 Type 2 CC2.3 Communication and Information COSO Principle 15 Shared The customer is responsible for implementing this recommendation. Communicates to External Parties — Processes are in place to communicate relevant and timely information to external parties, including shareholders, partners, owners, regulators, customers, financial analysts, and other external parties. • Enables Inbound Communications — Open communication channels allow input from customers, consumers, suppliers, external auditors, regulators, financial analysts, and others, providing management and the board of directors with relevant information. • Communicates With the Board of Directors — Relevant information resulting from assessments conducted by external parties is communicated to the board of directors. • Provides Separate Communication Lines — Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective. • Selects Relevant Method of Communication — The method of communication considers the timing, audience, and nature of the communication and legal, regulatory, and fiduciary requirements and expectations. Additional point of focus that applies only to an engagement using the trust services criteria for confidentiality: • Communicates Objectives Related to Confidentiality and Changes to Objectives — The entity communicates, to external users, vendors, business partners, and others whose products and services are part of the system, objectives and changes to objectives related to confidentiality.Page 20 TSP Ref. # TRUST SERVICES CRITERIA AND POINTS OF FOCUS Additional point of focus that applies only to an engagement using the trust services criteria for privacy: • Communicates Objectives Related to Privacy and Changes to Objectives — The entity communicates, to external users, vendors, business partners, and others whose products and services are part of the system, objectives related to privacy and changes to those objectives. Additional points of focus that apply only when an engagement using the trust services criteria is performed at the system level: • Communicates Information About System Operation and Boundaries — The entity prepares and communicates information about the design and operation of the system and its boundaries to authorized external users to permit users to understand their role in the system and the results of system operation. • Communicates System Objectives — The entity communicates its system objectives to appropriate external users. • Communicates System Responsibilities — External users with responsibility for designing, developing, implementing, operating, maintaining, and monitoring system controls receive communications about their responsibilities and have the information necessary to carry out those responsibilities. • Communicates Information on Reporting System Failures, Incidents, Concerns, and Other Matters — External users are provided with information on how to report systems failures, incidents, concerns, and other complaints to appropriate personnel. 14
SOC_2 P4.1 SOC_2_P4.1 SOC 2 Type 2 P4.1 Additional Criteria For Privacy Personal information use Shared The customer is responsible for implementing this recommendation. • Uses Personal Information for Intended Purposes — Personal information is used only for the intended purposes for which it was collected and only when implicit or explicit consent has been obtained, unless a law or regulation specifically requires otherwise. 5
SOC_2 P6.7 SOC_2_P6.7 SOC 2 Type 2 P6.7 Additional Criteria For Privacy Accounting of disclosure of personal information Shared The customer is responsible for implementing this recommendation. • Identifies Types of Personal Information and Handling Process — The types of personal information and sensitive personal information and the related processes, systems, and third parties involved in the handling of such information are identified. • Captures, Identifies, and Communicates Requests for Information — Requests for an accounting of personal information held and disclosures of the data subjects’ personal information are captured and information related to the requests is identified and communicated to data subjects to meet the entity’s objectives related to privacy. 5
SOC_2 PI1.1 SOC_2_PI1.1 SOC 2 Type 2 PI1.1 Additional Criteria For Processing Integrity Data processing definitions Shared The customer is responsible for implementing this recommendation. • Identifies Information Specifications — The entity identifies information specifications required to support the use of products and services. • Defines Data Necessary to Support a Product or Service — When data is provided as part of a service or product or as part of a reporting obligation related to a product or service: 1. The definition of the data is available to the users of the data 2. The definition of the data includes the following information: a. The population of events or instances included in the data b. The nature of each element (for example, field) of the data (that is, the event or instance to which the data element relates, for example, transaction price of a sale of XYZ Corporation stock for the last trade in that stock on a given day) c. Source(s) of the data d. The unit(s) of measurement of data elements (for example, fields) e. The accuracy/correctness/precision of measurement f. The uncertainty or confidence interval inherent in each data element and in the population of those elements g. The date the data was observed or the period of time during which the events relevant to the data occurred h. The factors in addition to the date and period of time used to determine the inclusion and exclusion of items in the data elements and population 3. The definition is complete and accurate. 4. The description of the data identifies any information that is necessary to understand each data element and the population in a manner consistent with its definition and intended purpose (metadata) that has not been included within the data. The following point of focus, which applies only to an engagement using the trust services criteria for processing integrity for a system that produces, manufactures, or distributes products, highlights important characteristics relating to this criterion: • Defines Information Necessary to Support the Use of a Good or Product — When information provided by the entity is needed to use the good or product in accordance with its specifications: 1. The required information is available to the user of the good or product. 2. The required information is clearly identifiable. 3. The required information is validated for completeness and accuracy 3
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add 5020f3f4-a579-2f28-72a8-283c5a0b15f9
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC