last sync: 2024-Jun-14 18:20:16 UTC

Allocate resources in determining information system requirements | Regulatory Compliance - Documentation

Azure BuiltIn Policy definition

Source Azure Portal
Display name Allocate resources in determining information system requirements
Id 90a156a6-49ed-18d1-1052-69aac27c05cd
Version 1.1.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description CMA_C1561 - Allocate resources in determining information system requirements
Additional metadata Name/Id: CMA_C1561 / CMA_C1561
Category: Documentation
Title: Allocate resources in determining information system requirements
Ownership: Customer
Description: The customer is responsible for allocating resources for information security of customer-deployed resources in mission/business process planning.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 9 compliance controls are associated with this Policy definition 'Allocate resources in determining information system requirements' (90a156a6-49ed-18d1-1052-69aac27c05cd)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 SA-2 FedRAMP_High_R4_SA-2 FedRAMP High SA-2 System And Services Acquisition Allocation Of Resources Shared n/a The organization: a. Determines information security requirements for the information system or information system service in mission/business process planning; b. Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and c. Establishes a discrete line item for information security in organizational programming and budgeting documentation. Supplemental Guidance: Resource allocation for information security includes funding for the initial information system or information system service acquisition and funding for the sustainment of the system/service. Related controls: PM-3, PM-11. Control Enhancements: None. References: NIST Special Publication 800-65. link 6
FedRAMP_Moderate_R4 SA-2 FedRAMP_Moderate_R4_SA-2 FedRAMP Moderate SA-2 System And Services Acquisition Allocation Of Resources Shared n/a The organization: a. Determines information security requirements for the information system or information system service in mission/business process planning; b. Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and c. Establishes a discrete line item for information security in organizational programming and budgeting documentation. Supplemental Guidance: Resource allocation for information security includes funding for the initial information system or information system service acquisition and funding for the sustainment of the system/service. Related controls: PM-3, PM-11. Control Enhancements: None. References: NIST Special Publication 800-65. link 6
hipaa 0120.05a1Organizational.4-05.a hipaa-0120.05a1Organizational.4-05.a 0120.05a1Organizational.4-05.a 01 Information Protection Program 0120.05a1Organizational.4-05.a 05.01 Internal Organization Shared n/a Capital planning and investment requests include the resources needed to implement the security program, employ a business case (or Exhibit 300 and/or 53 for federal government); and the organization ensures the resources are available for expenditure as planned. 8
ISO27001-2013 A.6.1.5 ISO27001-2013_A.6.1.5 ISO 27001:2013 A.6.1.5 Organization of Information Security Information security in project management Shared n/a Information security shall be addressed in project management, regardless of the type of the project. link 25
ISO27001-2013 C.5.1.c ISO27001-2013_C.5.1.c ISO 27001:2013 C.5.1.c Leadership Leadership and commitment Shared n/a Top management shall demonstrate leadership and commitment with respect to the information security management system by: c) ensuring that the resources needed for the information security management system are available. link 10
ISO27001-2013 C.5.1.f ISO27001-2013_C.5.1.f ISO 27001:2013 C.5.1.f Leadership Leadership and commitment Shared n/a Top management shall demonstrate leadership and commitment with respect to the information security management system by: f) directing and supporting persons to contribute to the effectiveness of the information security management system. link 9
ISO27001-2013 C.7.1 ISO27001-2013_C.7.1 ISO 27001:2013 C.7.1 Support Resources Shared n/a The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system. link 7
NIST_SP_800-53_R4 SA-2 NIST_SP_800-53_R4_SA-2 NIST SP 800-53 Rev. 4 SA-2 System And Services Acquisition Allocation Of Resources Shared n/a The organization: a. Determines information security requirements for the information system or information system service in mission/business process planning; b. Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and c. Establishes a discrete line item for information security in organizational programming and budgeting documentation. Supplemental Guidance: Resource allocation for information security includes funding for the initial information system or information system service acquisition and funding for the sustainment of the system/service. Related controls: PM-3, PM-11. Control Enhancements: None. References: NIST Special Publication 800-65. link 6
NIST_SP_800-53_R5 SA-2 NIST_SP_800-53_R5_SA-2 NIST SP 800-53 Rev. 5 SA-2 System and Services Acquisition Allocation of Resources Shared n/a a. Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning; b. Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and c. Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation. link 6
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40 add 90a156a6-49ed-18d1-1052-69aac27c05cd
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC