last sync: 2024-Apr-19 17:43:58 UTC

Govern compliance of cloud service providers | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source: Azure Portal
Display name: Govern compliance of cloud service providers
Id: 5c33538e-02f8-0a7f-998b-a4c1e22076d3
Version: 1.1.0
Category: Regulatory Compliance
Description: CMA_0290 - Govern compliance of cloud service providers
Additional metadata:
  Name/Id: CMA_0290 / CMA_0290
  Category: Operational
  Title: Govern compliance of cloud service providers
  Ownership: Customer
  Description: Microsoft recommends that your organization ensure that Cloud Service Providers implement adequate cloud security controls. It is also recommended that your organization use the Service Trust Portal to verify Microsoft's implementation of the agreed controls. Your organization should also consider reviewing the independent auditors' reports that verify this implementation; these are available to Microsoft customers in the Service Trust Portal. Access audit reports: https://servicetrust.microsoft.com/
  Requirements: The customer is responsible for implementing this recommendation.
Mode: All
Type: BuiltIn
Preview: False
Deprecated: False
Effect: Default = Manual; Allowed = Manual, Disabled
RBAC role(s): none
Rule aliases: none
Rule resource types: IF (1) Microsoft.Resources/subscriptions
Compliance

The following 13 compliance controls are associated with this Policy definition 'Govern compliance of cloud service providers' (5c33538e-02f8-0a7f-998b-a4c1e22076d3). Each control is listed with the columns of the original table: Control Domain, Control Name, MetadataId, Category, Title, Owner, Requirements, Description, Info, Policy#.

Control Domain: FedRAMP_High_R4
  Control Name: CM-6(1) (FedRAMP High CM-6 (1))
  MetadataId: FedRAMP_High_R4_CM-6(1)
  Category: Configuration Management
  Title: Automated Central Management / Application / Verification
  Owner: Shared
  Requirements: n/a
  Description: The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components]. Supplemental Guidance: Related controls: CA-7, CM-4.
  Info: link
  Policy#: 3

Control Domain: FedRAMP_Moderate_R4
  Control Name: CM-6(1) (FedRAMP Moderate CM-6 (1))
  MetadataId: FedRAMP_Moderate_R4_CM-6(1)
  Category: Configuration Management
  Title: Automated Central Management / Application / Verification
  Owner: Shared
  Requirements: n/a
  Description: The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components]. Supplemental Guidance: Related controls: CA-7, CM-4.
  Info: link
  Policy#: 3

Control Domain: hipaa
  Control Name: 0228.09k2Organizational.3-09.k
  MetadataId: hipaa-0228.09k2Organizational.3-09.k
  Category: 02 Endpoint Protection
  Title: 0228.09k2Organizational.3-09.k 09.04 Protection Against Malicious and Mobile Code
  Owner: Shared
  Requirements: n/a
  Description: Rules for the migration of software from development to operational status are defined and documented by the organization hosting the affected application(s), including that development, test, and operational systems are separated (physically or virtually) to reduce the risks of unauthorized access or changes to the operational system.
  Policy#: 11

Control Domain: hipaa
  Control Name: 0603.06g2Organizational.1-06.g
  MetadataId: hipaa-0603.06g2Organizational.1-06.g
  Category: 06 Configuration Management
  Title: 0603.06g2Organizational.1-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance
  Owner: Shared
  Requirements: n/a
  Description: Automated compliance tools are used when possible.
  Policy#: 6

Control Domain: hipaa
  Control Name: 0618.09b1System.1-09.b
  MetadataId: hipaa-0618.09b1System.1-09.b
  Category: 06 Configuration Management
  Title: 0618.09b1System.1-09.b 09.01 Documented Operating Procedures
  Owner: Shared
  Requirements: n/a
  Description: Changes to information assets, including systems, networks, and network services, are controlled and archived.
  Policy#: 16

Control Domain: hipaa
  Control Name: 0644.10k3Organizational.4-10.k
  MetadataId: hipaa-0644.10k3Organizational.4-10.k
  Category: 06 Configuration Management
  Title: 0644.10k3Organizational.4-10.k 10.05 Security In Development and Support Processes
  Owner: Shared
  Requirements: n/a
  Description: The organization employs automated mechanisms to (i) centrally manage, apply, and verify configuration settings; (ii) respond to unauthorized changes to network and system security-related configuration settings; and, (iii) enforce access restrictions and auditing of the enforcement actions.
  Policy#: 20

Control Domain: hipaa
  Control Name: 0710.10m2Organizational.1-10.m
  MetadataId: hipaa-0710.10m2Organizational.1-10.m
  Category: 07 Vulnerability Management
  Title: 0710.10m2Organizational.1-10.m 10.06 Technical Vulnerability Management
  Owner: Shared
  Requirements: n/a
  Description: A hardened configuration standard exists for all system and network components.
  Policy#: 9

Control Domain: hipaa
  Control Name: 1791.10a2Organizational.6-10.a
  MetadataId: hipaa-1791.10a2Organizational.6-10.a
  Category: 17 Risk Management
  Title: 1791.10a2Organizational.6-10.a 10.01 Security Requirements of Information Systems
  Owner: Shared
  Requirements: n/a
  Description: Specifications for the security control requirements state automated controls will be incorporated in the information system, supplemented by manual controls as needed, as evidenced throughout the SDLC.
  Policy#: 5

Control Domain: ISO27001-2013
  Control Name: A.12.5.1 (ISO 27001:2013 A.12.5.1)
  MetadataId: ISO27001-2013_A.12.5.1
  Category: Operations Security
  Title: Installation of software on operational systems
  Owner: Shared
  Requirements: n/a
  Description: Procedures shall be implemented to control the installation of software on operational systems.
  Info: link
  Policy#: 19

Control Domain: ISO27001-2013
  Control Name: A.12.6.2 (ISO 27001:2013 A.12.6.2)
  MetadataId: ISO27001-2013_A.12.6.2
  Category: Operations Security
  Title: Restrictions on software installation
  Owner: Shared
  Requirements: n/a
  Description: Rules governing the installation of software by users shall be established and implemented.
  Info: link
  Policy#: 19

Control Domain: NIST_SP_800-171_R2
  Control Name: 3.4.2 (NIST SP 800-171 R2 3.4.2)
  MetadataId: NIST_SP_800-171_R2_3.4.2
  Category: Configuration Management
  Title: Establish and enforce security configuration settings for information technology products employed in organizational systems.
  Owner: Shared
  Requirements: Microsoft and the customer share responsibilities for implementing this requirement.
  Description: Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture or functionality of the system. Information technology products for which security-related configuration settings can be defined include mainframe computers, servers, workstations, input and output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security parameters are those parameters impacting the security state of systems including the parameters required to satisfy other security requirements. Security parameters include: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. [SP 800-70] and [SP 800-128] provide guidance on security configuration settings.
  Info: link
  Policy#: 25

Control Domain: NIST_SP_800-53_R4
  Control Name: CM-6(1) (NIST SP 800-53 Rev. 4 CM-6 (1))
  MetadataId: NIST_SP_800-53_R4_CM-6(1)
  Category: Configuration Management
  Title: Automated Central Management / Application / Verification
  Owner: Shared
  Requirements: n/a
  Description: The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components]. Supplemental Guidance: Related controls: CA-7, CM-4.
  Info: link
  Policy#: 3

Control Domain: NIST_SP_800-53_R5
  Control Name: CM-6(1) (NIST SP 800-53 Rev. 5 CM-6 (1))
  MetadataId: NIST_SP_800-53_R5_CM-6(1)
  Category: Configuration Management
  Title: Automated Management, Application, and Verification
  Owner: Shared
  Requirements: n/a
  Description: Manage, apply, and verify configuration settings for [Assignment: organization-defined system components] using [Assignment: organization-defined automated mechanisms].
  Info: link
  Policy#: 3
Initiatives usage

Initiative DisplayName    Initiative Id                         Initiative Category    State  Type
FedRAMP High              d5264498-16f4-418a-b659-fa7ef418175f  Regulatory Compliance  GA     BuiltIn
FedRAMP Moderate          e95f5a9f-57ad-4d03-bb0b-b1d16db93693  Regulatory Compliance  GA     BuiltIn
HITRUST/HIPAA             a169a624-5599-4385-a696-c8d643089fab  Regulatory Compliance  GA     BuiltIn
ISO 27001:2013            89c6cddc-1c73-4ac1-b19c-54d1a15a42f2  Regulatory Compliance  GA     BuiltIn
NIST SP 800-171 Rev. 2    03055927-78bd-4236-86c0-f36125a10dc9  Regulatory Compliance  GA     BuiltIn
NIST SP 800-53 Rev. 4     cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f  Regulatory Compliance  GA     BuiltIn
NIST SP 800-53 Rev. 5     179d1daa-458f-4e47-8086-2a68d0d6c38f  Regulatory Compliance  GA     BuiltIn
History

Date/Time (UTC ymd)  Change type  Change detail
2022-09-27 16:35:32  change       Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29  add          5c33538e-02f8-0a7f-998b-a4c1e22076d3