last sync: 2024-Apr-19 17:43:58 UTC

Develop access control policies and procedures | Regulatory Compliance - Documentation

Azure BuiltIn Policy definition

Source Azure Portal
Display name Develop access control policies and procedures
Id 59f7feff-02aa-6539-2cf7-bea75b762140
Version 1.1.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description CMA_0144 - Develop access control policies and procedures
Additional metadata Name/Id: CMA_0144 / CMA_0144
Category: Documentation
Title: Develop access control policies and procedures
Ownership: Customer
Description: Microsoft recommends that your organization develop, document, maintain, and distribute Access Control policies and standard operating procedures to govern your organization's access management activities. We recommend that the Access Control policies and standard operating procedures address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. It is recommended to distribute these policies and standard operating procedures to organizationally defined personnel or roles. Microsoft recommends to only grant access to IT systems based on a documented and approved request and on a need-to-use basis. We also recommend that access to IT systems is revoked or disabled in accordance with the service-level agreement (SLA) when the access is no longer required. Various financial regulations recommend that user access to IT systems, including sub-contractor access, is reviewed periodically in accordance with a frequency agreed with Financial Institutions (FIs). They also recommend that your organization implement error prevention and detection controls, such as reconciliations, “maker-checker” reviews, and error correction mechanisms for key processes. It is recommended that access to operating systems is secured by a log on procedure. Microsoft recommends to only grant access to IT systems based on a documented and approved request and on a need-to-use basis. We also recommend that access to IT systems is revoked or disabled in accordance with the service-level agreement (SLA) when the access is no longer required.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 23 compliance controls are associated with this Policy definition 'Develop access control policies and procedures' (59f7feff-02aa-6539-2cf7-bea75b762140)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 AC-1 FedRAMP_High_R4_AC-1 FedRAMP High AC-1 Access Control Access Control Policy And Procedures Shared n/a The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Assignment: organization-defined frequency]; and 2. Access control procedures [Assignment: organization-defined frequency]. Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. Control Enhancements: None. References: NIST Special Publications 800-12, 800-100. link 4
FedRAMP_Moderate_R4 AC-1 FedRAMP_Moderate_R4_AC-1 FedRAMP Moderate AC-1 Access Control Access Control Policy And Procedures Shared n/a The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Assignment: organization-defined frequency]; and 2. Access control procedures [Assignment: organization-defined frequency]. Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. Control Enhancements: None. References: NIST Special Publications 800-12, 800-100. link 4
hipaa 1780.10a1Organizational.1-10.a hipaa-1780.10a1Organizational.1-10.a 1780.10a1Organizational.1-10.a 17 Risk Management 1780.10a1Organizational.1-10.a 10.01 Security Requirements of Information Systems Shared n/a The organization formally addresses the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance with system and information integrity requirements and facilitates the implementation of system and information integrity requirements/controls. 3
ISO27001-2013 A.12.1.1 ISO27001-2013_A.12.1.1 ISO 27001:2013 A.12.1.1 Operations Security Documented operating procedures Shared n/a Operating procedures shall be documented and made available to all users who need them. link 31
ISO27001-2013 A.18.1.1 ISO27001-2013_A.18.1.1 ISO 27001:2013 A.18.1.1 Compliance Identification applicable legislation and contractual requirements Shared n/a All relevant legislative statutory, regulatory, contractual requirements and the organization's approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization. link 30
ISO27001-2013 A.18.2.2 ISO27001-2013_A.18.2.2 ISO 27001:2013 A.18.2.2 Compliance Compliance with security policies and standards Shared n/a Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. link 36
ISO27001-2013 A.5.1.1 ISO27001-2013_A.5.1.1 ISO 27001:2013 A.5.1.1 Information Security Policies Policies for information security Shared n/a A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties. link 42
ISO27001-2013 A.5.1.2 ISO27001-2013_A.5.1.2 ISO 27001:2013 A.5.1.2 Information Security Policies Review of the policies for information security Shared n/a The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy, and effectiveness. link 29
ISO27001-2013 A.6.1.1 ISO27001-2013_A.6.1.1 ISO 27001:2013 A.6.1.1 Organization of Information Security Information security roles and responsibilities Shared n/a All information security responsibilities shall be clearly defined and allocated. link 73
ISO27001-2013 A.9.1.1 ISO27001-2013_A.9.1.1 ISO 27001:2013 A.9.1.1 Access Control Access control policy Shared n/a An access control policy shall be established, documented, and reviewed based on business and information security requirements. link 4
ISO27001-2013 C.4.4 ISO27001-2013_C.4.4 ISO 27001:2013 C.4.4 Context of the organization Information security management system Shared n/a The organization shall establish, implement, maintain and continually improve an information security management system, in accordance with the requirements of this International Standard. link 5
ISO27001-2013 C.5.1.a ISO27001-2013_C.5.1.a ISO 27001:2013 C.5.1.a Leadership Leadership and commitment Shared n/a Top management shall demonstrate leadership and commitment with respect to the information security management system by: a) ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization; link 6
ISO27001-2013 C.5.1.b ISO27001-2013_C.5.1.b ISO 27001:2013 C.5.1.b Leadership Leadership and commitment Shared n/a Top management shall demonstrate leadership and commitment with respect to the information security management system by: b) ensuring the integration of the information security management system requirements into the organization’s processes. link 28
ISO27001-2013 C.5.2.a ISO27001-2013_C.5.2.a ISO 27001:2013 C.5.2.a Leadership Policy Shared n/a Top management shall establish an information security policy that: a) is appropriate to the purpose of the organization. link 4
ISO27001-2013 C.5.2.b ISO27001-2013_C.5.2.b ISO 27001:2013 C.5.2.b Leadership Policy Shared n/a Top management shall establish an information security policy that: b) includes information security objectives (see 6.2) or provides the framework for setting information security objectives. link 4
ISO27001-2013 C.5.2.c ISO27001-2013_C.5.2.c ISO 27001:2013 C.5.2.c Leadership Policy Shared n/a Top management shall establish an information security policy that: c) includes a commitment to satisfy applicable requirements related to information security. link 23
ISO27001-2013 C.5.2.d ISO27001-2013_C.5.2.d ISO 27001:2013 C.5.2.d Leadership Policy Shared n/a Top management shall establish an information security policy that: d) includes a commitment to continual improvement of the information security management system. link 23
ISO27001-2013 C.5.2.e ISO27001-2013_C.5.2.e ISO 27001:2013 C.5.2.e Leadership Policy Shared n/a Top management shall establish an information security policy. The information security policy shall: e) be available as documented information. link 4
ISO27001-2013 C.5.2.f ISO27001-2013_C.5.2.f ISO 27001:2013 C.5.2.f Leadership Policy Shared n/a Top management shall establish an information security policy. The information security policy shall: f) be communicated within the organization. link 4
NIST_SP_800-53_R4 AC-1 NIST_SP_800-53_R4_AC-1 NIST SP 800-53 Rev. 4 AC-1 Access Control Access Control Policy And Procedures Shared n/a The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Assignment: organization-defined frequency]; and 2. Access control procedures [Assignment: organization-defined frequency]. Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. Control Enhancements: None. References: NIST Special Publications 800-12, 800-100. link 4
NIST_SP_800-53_R5 AC-1 NIST_SP_800-53_R5_AC-1 NIST SP 800-53 Rev. 5 AC-1 Access Control Policy and Procedures Shared n/a a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (OneOrMore): Organization-level;Mission/business process-level;System-level] access control policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the access control policy and the associated access controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the access control policy and procedures; and c. Review and update the current access control: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. link 4
PCI_DSS_v4.0 7.1.1 PCI_DSS_v4.0_7.1.1 PCI DSS v4.0 7.1.1 Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood Shared n/a All security policies and operational procedures that are identified in Requirement 7 are: • Documented. • Kept up to date. • In use. • Known to all affected parties. link 4
PCI_DSS_v4.0 7.1.2 PCI_DSS_v4.0_7.1.2 PCI DSS v4.0 7.1.2 Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood Shared n/a Roles and responsibilities for performing activities in Requirement 7 are documented, assigned, and understood. link 3
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40 add 59f7feff-02aa-6539-2cf7-bea75b762140
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC