last sync: 2024-Jun-14 18:20:16 UTC

Ensure security categorization is approved | Regulatory Compliance - Documentation

Azure BuiltIn Policy definition

Source Azure Portal
Display name Ensure security categorization is approved
Id 6c79c3e5-5f7b-a48a-5c7b-8c158bc01115
Version 1.1.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description CMA_C1540 - Ensure security categorization is approved
Additional metadata Name/Id: CMA_C1540 / CMA_C1540
Category: Documentation
Title: Ensure security categorization is approved
Ownership: Customer
Description: The customer is responsible for ensuring the security categorization decision is reviewed and approved by the authorizing official (AO) or designated representative responsible.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 10 compliance controls are associated with this Policy definition 'Ensure security categorization is approved' (6c79c3e5-5f7b-a48a-5c7b-8c158bc01115)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 RA-2 FedRAMP_High_R4_RA-2 FedRAMP High RA-2 Risk Assessment Security Categorization Shared n/a The organization: a. Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and c. Ensures that the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative. Supplemental Guidance: Clearly defined authorization boundaries are a prerequisite for effective security categorization decisions. Security categories describe the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are comprised through a loss of confidentiality, integrity, or availability. Organizations conduct the security categorization process as an organization-wide activity with the involvement of chief information officers, senior information security officers, information system owners, mission/business owners, and information owners/stewards. Organizations also consider the potential adverse impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level adverse impacts. Security categorization processes carried out by organizations facilitate the development of inventories of information assets, and along with CM-8, mappings to specific information system components where information is processed, stored, or transmitted. Related controls: CM-8, MP-4, RA-3, SC-7. Control Enhancements: None. References: FIPS Publication 199; NIST Special Publications 800-30, 800-39, 800-60. link 4
FedRAMP_Moderate_R4 RA-2 FedRAMP_Moderate_R4_RA-2 FedRAMP Moderate RA-2 Risk Assessment Security Categorization Shared n/a The organization: a. Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and c. Ensures that the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative. Supplemental Guidance: Clearly defined authorization boundaries are a prerequisite for effective security categorization decisions. Security categories describe the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are comprised through a loss of confidentiality, integrity, or availability. Organizations conduct the security categorization process as an organization-wide activity with the involvement of chief information officers, senior information security officers, information system owners, mission/business owners, and information owners/stewards. Organizations also consider the potential adverse impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level adverse impacts. Security categorization processes carried out by organizations facilitate the development of inventories of information assets, and along with CM-8, mappings to specific information system components where information is processed, stored, or transmitted. Related controls: CM-8, MP-4, RA-3, SC-7. Control Enhancements: None. References: FIPS Publication 199; NIST Special Publications 800-30, 800-39, 800-60. link 4
hipaa 0901.09s1Organizational.1-09.s hipaa-0901.09s1Organizational.1-09.s 0901.09s1Organizational.1-09.s 09 Transmission Protection 0901.09s1Organizational.1-09.s 09.08 Exchange of Information Shared n/a The organization formally addresses multiple safeguards before allowing the use of information systems for information exchange. 31
hipaa 19143.06c1Organizational.9-06.c hipaa-19143.06c1Organizational.9-06.c 19143.06c1Organizational.9-06.c 19 Data Protection & Privacy 19143.06c1Organizational.9-06.c 06.01 Compliance with Legal Requirements Shared n/a Designated senior management within the organization reviews and approves the security categorizations and associated guidelines. 6
ISO27001-2013 A.8.2.1 ISO27001-2013_A.8.2.1 ISO 27001:2013 A.8.2.1 Asset Management Classification of information Shared n/a Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification. link 5
mp.eq.4 Other devices connected to the network mp.eq.4 Other devices connected to the network 404 not found n/a n/a 35
mp.info.2 Rating of information mp.info.2 Rating of information 404 not found n/a n/a 45
mp.si.1 Marking mp.si.1 Marking 404 not found n/a n/a 7
NIST_SP_800-53_R4 RA-2 NIST_SP_800-53_R4_RA-2 NIST SP 800-53 Rev. 4 RA-2 Risk Assessment Security Categorization Shared n/a The organization: a. Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and c. Ensures that the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative. Supplemental Guidance: Clearly defined authorization boundaries are a prerequisite for effective security categorization decisions. Security categories describe the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are comprised through a loss of confidentiality, integrity, or availability. Organizations conduct the security categorization process as an organization-wide activity with the involvement of chief information officers, senior information security officers, information system owners, mission/business owners, and information owners/stewards. Organizations also consider the potential adverse impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level adverse impacts. Security categorization processes carried out by organizations facilitate the development of inventories of information assets, and along with CM-8, mappings to specific information system components where information is processed, stored, or transmitted. Related controls: CM-8, MP-4, RA-3, SC-7. Control Enhancements: None. References: FIPS Publication 199; NIST Special Publications 800-30, 800-39, 800-60. link 4
NIST_SP_800-53_R5 RA-2 NIST_SP_800-53_R5_RA-2 NIST SP 800-53 Rev. 5 RA-2 Risk Assessment Security Categorization Shared n/a a. Categorize the system and information it processes, stores, and transmits; b. Document the security categorization results, including supporting rationale, in the security plan for the system; and c. Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision. link 4
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40 add 6c79c3e5-5f7b-a48a-5c7b-8c158bc01115
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC