last sync: 2024-Jul-26 18:17:39 UTC

Require developers to provide training | Regulatory Compliance - Documentation

Azure BuiltIn Policy definition

Source Azure Portal
Display name Require developers to provide training
Id 676c3c35-3c36-612c-9523-36d266a65000
Version 1.1.0
Category Regulatory Compliance
Description CMA_C1611 - Require developers to provide training
Additional metadata Name/Id: CMA_C1611 / CMA_C1611
Category: Documentation
Title: Require developers to provide training
Ownership: Customer
Description: The customer is responsible for requiring the developer of customer-deployed resources to provide customer-defined training on the correct use and operation of the implemented security functions, controls, and/or mechanisms for the resources provided.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default: Manual
Allowed: Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1): Microsoft.Resources/subscriptions
Compliance
The following 5 compliance controls are associated with this Policy definition 'Require developers to provide training' (676c3c35-3c36-612c-9523-36d266a65000)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 SA-16 FedRAMP_High_R4_SA-16 FedRAMP High SA-16 System And Services Acquisition Developer-Provided Training Shared n/a The organization requires the developer of the information system, system component, or information system service to provide [Assignment: organization-defined training] on the correct use and operation of the implemented security functions, controls, and/or mechanisms. Supplemental Guidance: This control applies to external and internal (in-house) developers. Training of personnel is an essential element to ensure the effectiveness of security controls implemented within organizational information systems. Training options include, for example, classroom-style training, web-based/computer-based training, and hands-on training. Organizations can also request sufficient training materials from developers to conduct in-house training or offer self-training to organizational personnel. Organizations determine the type of training necessary and may require different types of training for different security functions, controls, or mechanisms. Related controls: AT-2, AT-3, SA-5. References: None. link 1
hipaa 0108.02d1Organizational.23-02.d hipaa-0108.02d1Organizational.23-02.d 0108.02d1Organizational.23-02.d 01 Information Protection Program 0108.02d1Organizational.23-02.d 02.03 During Employment Shared n/a The organization ensures plans for security testing, training, and monitoring activities are developed, implemented, maintained, and reviewed for consistency with the risk management strategy and response priorities. 8
hipaa 1304.02e3Organizational.1-02.e hipaa-1304.02e3Organizational.1-02.e 1304.02e3Organizational.1-02.e 13 Education, Training and Awareness 1304.02e3Organizational.1-02.e 02.03 During Employment Shared n/a Personnel with significant security responsibilities receive specialized education and training on their roles and responsibilities: (i) prior to being granted access to the organization’s systems and resources; (ii) when required by system changes; (iii) when entering into a new position that requires additional training; and, (iv) no less than annually thereafter. 9
NIST_SP_800-53_R4 SA-16 NIST_SP_800-53_R4_SA-16 NIST SP 800-53 Rev. 4 SA-16 System And Services Acquisition Developer-Provided Training Shared n/a The organization requires the developer of the information system, system component, or information system service to provide [Assignment: organization-defined training] on the correct use and operation of the implemented security functions, controls, and/or mechanisms. Supplemental Guidance: This control applies to external and internal (in-house) developers. Training of personnel is an essential element to ensure the effectiveness of security controls implemented within organizational information systems. Training options include, for example, classroom-style training, web-based/computer-based training, and hands-on training. Organizations can also request sufficient training materials from developers to conduct in-house training or offer self-training to organizational personnel. Organizations determine the type of training necessary and may require different types of training for different security functions, controls, or mechanisms. Related controls: AT-2, AT-3, SA-5. References: None. link 1
NIST_SP_800-53_R5 SA-16 NIST_SP_800-53_R5_SA-16 NIST SP 800-53 Rev. 5 SA-16 System and Services Acquisition Developer-provided Training Shared n/a Require the developer of the system, system component, or system service to provide the following training on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms: [Assignment: organization-defined training]. link 1
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40 add 676c3c35-3c36-612c-9523-36d266a65000