last sync: 2024-Oct-07 17:51:17 UTC

Implement formal sanctions process | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Implement formal sanctions process
Id 5decc032-95bd-2163-9549-a41aba83228e
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_0317 - Implement formal sanctions process
Additional metadata Name/Id: CMA_0317 / CMA_0317
Category: Operational
Title: Implement formal sanctions process
Ownership: Customer
Description: Microsoft recommends that your organization implement a formal sanctions process for users who fail to comply with your organization's established information security policies and standard operating procedures. Your organization should consider creating and maintaining Personnel Security policies and standard operating procedures that include details on the repercussions for users who fail to comply with established information security policies and procedures and the formal sanctions process.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 15 compliance controls are associated with this Policy definition 'Implement formal sanctions process' (5decc032-95bd-2163-9549-a41aba83228e)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 PS-8 FedRAMP_High_R4_PS-8 FedRAMP High PS-8 Personnel Security Personnel Sanctions Shared n/a The organization: a. Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and b. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction. Supplemental Guidance: Organizational sanctions processes reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Sanctions processes are described in access agreements and can be included as part of general personnel policies and procedures for organizations. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions. Related controls: PL-4, PS-6. Control Enhancements: None. References: None. link 2
FedRAMP_Moderate_R4 PS-8 FedRAMP_Moderate_R4_PS-8 FedRAMP Moderate PS-8 Personnel Security Personnel Sanctions Shared n/a The organization: a. Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and b. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction. Supplemental Guidance: Organizational sanctions processes reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Sanctions processes are described in access agreements and can be included as part of general personnel policies and procedures for organizations. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions. Related controls: PL-4, PS-6. Control Enhancements: None. References: None. link 2
hipaa 0109.02d1Organizational.4-02.d hipaa-0109.02d1Organizational.4-02.d 0109.02d1Organizational.4-02.d 01 Information Protection Program 0109.02d1Organizational.4-02.d 02.03 During Employment Shared n/a Management ensures users are (i) briefed on their security role(s)/responsibilities, conform with the terms and conditions of employment prior to obtaining access to the organization’s information systems; (ii) provided with guidelines regarding the security expectations of their roles; (iii) motivated to comply with security policies; and, (iv) continue to have the appropriate skills and qualifications for their role(s). 20
hipaa 0135.02f1Organizational.56-02.f hipaa-0135.02f1Organizational.56-02.f 0135.02f1Organizational.56-02.f 01 Information Protection Program 0135.02f1Organizational.56-02.f 02.03 During Employment Shared n/a The organization employs a formal sanctions process for personnel failing to comply with established information security policies and procedures, and notifies defined personnel (e.g., supervisors) within a defined time frame (e.g., 24 hours) when a formal sanction process is initiated, identifying the individual sanctioned and the reason for the sanction. Further, the organization includes specific procedures for license, registration, and certification denial or revocation and other disciplinary action. 4
hipaa 1306.06e1Organizational.5-06.e hipaa-1306.06e1Organizational.5-06.e 1306.06e1Organizational.5-06.e 13 Education, Training and Awareness 1306.06e1Organizational.5-06.e 06.01 Compliance with Legal Requirements Shared n/a Employees and contractors are informed in writing that violations of the security policies will result in sanctions or disciplinary action. 11
hipaa 1501.02f1Organizational.123-02.f hipaa-1501.02f1Organizational.123-02.f 1501.02f1Organizational.123-02.f 15 Incident Management 1501.02f1Organizational.123-02.f 02.03 During Employment Shared n/a Sanctions are fairly applied to employees following violations of the information security policies once a breach is verified and includes consideration of multiple factors. The organization documents personnel involved in incidents, steps taken, and the timeline associated with those steps, steps taken for notification, the rationale for discipline, and the final outcome for each incident. 11
hipaa 1503.02f2Organizational.12-02.f hipaa-1503.02f2Organizational.12-02.f 1503.02f2Organizational.12-02.f 15 Incident Management 1503.02f2Organizational.12-02.f 02.03 During Employment Shared n/a A contact in HR is appointed to handle employee security incidents and notify the CISO or a designated representative of the application of a formal employee sanctions process, identifying the individual and the reason for the sanction. 11
hipaa 1504.06e1Organizational.34-06.e hipaa-1504.06e1Organizational.34-06.e 1504.06e1Organizational.34-06.e 15 Incident Management 1504.06e1Organizational.34-06.e 06.01 Compliance with Legal Requirements Shared n/a Management approves the use of information assets and takes appropriate action when unauthorized activity occurs. 16
hipaa 1525.11a1Organizational.6-11.a hipaa-1525.11a1Organizational.6-11.a 1525.11a1Organizational.6-11.a 15 Incident Management 1525.11a1Organizational.6-11.a 11.01 Reporting Information Security Incidents and Weaknesses Shared n/a The organization takes disciplinary action against workforce members that fail to cooperate with federal and state investigations. 6
ISO27001-2013 A.7.2.3 ISO27001-2013_A.7.2.3 ISO 27001:2013 A.7.2.3 Human Resources Security Disciplinary process Shared n/a There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach. link 2
mp.per.2 Duties and obligations mp.per.2 Duties and obligations 404 not found n/a n/a 40
NIST_SP_800-53_R4 PS-8 NIST_SP_800-53_R4_PS-8 NIST SP 800-53 Rev. 4 PS-8 Personnel Security Personnel Sanctions Shared n/a The organization: a. Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and b. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction. Supplemental Guidance: Organizational sanctions processes reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Sanctions processes are described in access agreements and can be included as part of general personnel policies and procedures for organizations. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions. Related controls: PL-4, PS-6. Control Enhancements: None. References: None. link 2
NIST_SP_800-53_R5 PS-8 NIST_SP_800-53_R5_PS-8 NIST SP 800-53 Rev. 5 PS-8 Personnel Security Personnel Sanctions Shared n/a a. Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and b. Notify [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction. link 2
org.1 Security policy org.1 Security policy 404 not found n/a n/a 94
SOC_2 CC1.5 SOC_2_CC1.5 SOC 2 Type 2 CC1.5 Control Environment COSO Principle 5 Shared The customer is responsible for implementing this recommendation. • Enforces Accountability Through Structures, Authorities, and Responsibilities — Management and the board of directors establish the mechanisms to communicate and hold individuals accountable for performance of internal control responsibilities across the entity and implement corrective action as necessary. • Establishes Performance Measures, Incentives, and Rewards — Management and the board of directors establish performance measures, incentives, and other rewards appropriate for responsibilities at all levels of the entity, reflecting appropriate dimensions of performance and expected standards of conduct, and considering the achievement of both short-term and longer-term objectives. • Evaluates Performance Measures, Incentives, and Rewards for Ongoing Relevance — Management and the board of directors align incentives and rewards with the fulfillment of internal control responsibilities in the achievement of objectives. • Considers Excessive Pressures — Management and the board of directors evaluate and adjust pressures associated with the achievement of objectives as they assign responsibilities, develop performance measures, and evaluate performance. • Evaluates Performance and Rewards or Disciplines Individuals — Management and the board of directors evaluate performance of internal control responsibilities, including adherence to standards of conduct and expected levels of competence, and Page 17 TSP Ref. # TRUST SERVICES CRITERIA AND POINTS OF FOCUS provide rewards or exercise disciplinary action, as appropriate 4
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add 5decc032-95bd-2163-9549-a41aba83228e
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC