last sync: 2024-Oct-03 17:51:34 UTC

Establish policies for supply chain risk management | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Establish policies for supply chain risk management
Id 9150259b-617b-596d-3bf5-5ca3fce20335
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_0275 - Establish policies for supply chain risk management
Additional metadata Name/Id: CMA_0275 / CMA_0275
Category: Operational
Title: Establish policies for supply chain risk management
Ownership: Customer
Description: Microsoft recommends that your organization develop, document, maintain, and distribute Supply Chain Risk Management (SCRM) policies and standard operating procedures that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance to the appropriate personnel within your organization. Your organization should consider creating and maintaining SCRM policies and standard operating procedures which define the following requirements: - SCRM strategies, selection processes, and plans - Supporting applicable organizational policies and standard operating procedures - Internal and external customer requirements - Integration points for SCRM with the enterprise risk management function - Secure Development Lifecycle (SDLC) processes - Roles and responsibilities for procurement, conducting supply chain risk assessments, collecting supply chain threat intelligence, identifying and implementing risk-based mitigations, and performing monitoring functions - Required approvals from applicable regulatory bodies and internal management before engaging sub-contractors/ outsourcing services. Microsoft also recommends that your organization define requirements to ensure SCRM plans are designed to: - Manage, rather than eliminate risk - Adapt to constantly evolving threats - Be responsive to changes within the organization, programs, and the supporting information systems - Adjust to the rapidly evolving practices of the private sector's global information and communications technology (ICT) supply chain.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 23 compliance controls are associated with this Policy definition 'Establish policies for supply chain risk management' (9150259b-617b-596d-3bf5-5ca3fce20335)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 SA-12 FedRAMP_High_R4_SA-12 FedRAMP High SA-12 System And Services Acquisition Supply Chain Protection Shared n/a The organization protects against supply chain threats to the information system, system component, or information system service by employing [Assignment: organization-defined security safeguards] as part of a comprehensive, defense-in-breadth information security strategy. Supplemental Guidance: Information systems (including system components that compose those systems) need to be protected throughout the system development life cycle (i.e., during design, development, manufacturing, packaging, assembly, distribution, system integration, operations, maintenance, and retirement). Protection of organizational information systems is accomplished through threat awareness, by the identification, management, and reduction of vulnerabilities at each phase of the life cycle and the use of complementary, mutually reinforcing strategies to respond to risk. Organizations consider implementing a standardized process to address supply chain risk with respect to information systems and system components, and to educate the acquisition workforce on threats, risk, and required security controls. Organizations use the acquisition/procurement processes to require supply chain entities to implement necessary security safeguards to: (i) reduce the likelihood of unauthorized modifications at each stage in the supply chain; and (ii) protect information systems and information system components, prior to taking delivery of such systems/components. This control enhancement also applies to information system services. Security safeguards include, for example: (i) security controls for development systems, development facilities, and external connections to development systems; (ii) vetting development personnel; and (iii) use of tamper-evident packaging during shipping/warehousing. Methods for reviewing and protecting development plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements. Related controls: AT-3, CM-8, IR- 4, PE-16, PL-8, SA-3, SA-4, SA-8, SA-10, SA-14, SA-15, SA-18, SA-19, SC-29, SC-30, SC-38, SI-7. References: NIST Special Publication 800-161; NIST Interagency Report 7622. link 4
hipaa 1450.05i2Organizational.2-05.i hipaa-1450.05i2Organizational.2-05.i 1450.05i2Organizational.2-05.i 14 Third Party Assurance 1450.05i2Organizational.2-05.i 05.02 External Parties Shared n/a The organization obtains satisfactory assurances that reasonable information security exists across its information supply chain by performing an annual review, which includes all partners/third-party providers upon which their information supply chain depends. 10
hipaa 1451.05iCSPOrganizational.2-05.i hipaa-1451.05iCSPOrganizational.2-05.i 1451.05iCSPOrganizational.2-05.i 14 Third Party Assurance 1451.05iCSPOrganizational.2-05.i 05.02 External Parties Shared n/a Cloud service providers design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privilege access for all personnel within their supply chain. 21
hipaa 1453.05kCSPOrganizational.2-05.k hipaa-1453.05kCSPOrganizational.2-05.k 1453.05kCSPOrganizational.2-05.k 14 Third Party Assurance 1453.05kCSPOrganizational.2-05.k 05.02 External Parties Shared n/a Supply chain agreements (e.g., SLAs) between cloud service providers and customers (tenants) incorporate at least the following mutually-agreed upon provisions and/or terms: (i) scope of business relationship and services offered, data acquisition, exchange and usage, feature sets and functionality, personnel and infrastructure network and systems components for service delivery and support, roles and responsibilities of provider and customer (tenant) and any subcontracted or outsourced business relationships, physical geographical location of hosted services, and any known regulatory compliance considerations; (ii) information security requirements, points of contact, and references to detailed supporting and relevant business processes and technical measures implemented; (iii) notification and/or pre-authorization of any changes controlled by the provider with customer (tenant) impacts; (iv) timely notification of a security incident to all customers (tenants) and other business relationships impacted; (v) assessment and independent verification of compliance with agreement provisions and/or terms (e.g., industry-acceptable certification, attestation audit report, or equivalent forms of assurance) without posing an unacceptable business risk of exposure to the organization being assessed; (vi) expiration of the business relationship and treatment of customer (tenant) data impacted; and, (vii) customer (tenant) service-to-service application (API) and data interoperability and portability requirements for application development and information exchange, usage, and integrity persistence. 10
hipaa 1454.05kCSPOrganizational.3-05.k hipaa-1454.05kCSPOrganizational.3-05.k 1454.05kCSPOrganizational.3-05.k 14 Third Party Assurance 1454.05kCSPOrganizational.3-05.k 05.02 External Parties Shared n/a Service agreements (e.g., SLAs) between providers and customers (tenants) across the relevant supply chain (upstream/downstream) are reviewed consistently and no less than annually to identify any non-conformance to established agreements. The reviews result in actions to address service-level conflicts or inconsistencies resulting from disparate supplier relationships. 8
ISO27001-2013 A.14.2.7 ISO27001-2013_A.14.2.7 ISO 27001:2013 A.14.2.7 System Acquisition, Development And Maintenance Outsourced development Shared n/a The organization shall supervise and monitor the activity of outsourced system development. link 28
ISO27001-2013 A.15.1.1 ISO27001-2013_A.15.1.1 ISO 27001:2013 A.15.1.1 Supplier Relationships Information security policy for supplier relationships Shared n/a Information security requirements for mitigating the risks associated with supplier's access to the organization's assets shall be agreed with the supplier and documented. link 6
ISO27001-2013 A.15.1.2 ISO27001-2013_A.15.1.2 ISO 27001:2013 A.15.1.2 Supplier Relationships Addressing security within supplier agreement Shared n/a All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization's information. link 24
ISO27001-2013 A.15.1.3 ISO27001-2013_A.15.1.3 ISO 27001:2013 A.15.1.3 Supplier Relationships Information and communication technology supply chain Shared n/a Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain. link 4
mp.sw.1 IT Aplications development mp.sw.1 IT Aplications development 404 not found n/a n/a 51
mp.sw.2 Acceptance and commissioning mp.sw.2 Acceptance and commissioning 404 not found n/a n/a 60
NIST_SP_800-53_R4 SA-12 NIST_SP_800-53_R4_SA-12 NIST SP 800-53 Rev. 4 SA-12 System And Services Acquisition Supply Chain Protection Shared n/a The organization protects against supply chain threats to the information system, system component, or information system service by employing [Assignment: organization-defined security safeguards] as part of a comprehensive, defense-in-breadth information security strategy. Supplemental Guidance: Information systems (including system components that compose those systems) need to be protected throughout the system development life cycle (i.e., during design, development, manufacturing, packaging, assembly, distribution, system integration, operations, maintenance, and retirement). Protection of organizational information systems is accomplished through threat awareness, by the identification, management, and reduction of vulnerabilities at each phase of the life cycle and the use of complementary, mutually reinforcing strategies to respond to risk. Organizations consider implementing a standardized process to address supply chain risk with respect to information systems and system components, and to educate the acquisition workforce on threats, risk, and required security controls. Organizations use the acquisition/procurement processes to require supply chain entities to implement necessary security safeguards to: (i) reduce the likelihood of unauthorized modifications at each stage in the supply chain; and (ii) protect information systems and information system components, prior to taking delivery of such systems/components. This control enhancement also applies to information system services. Security safeguards include, for example: (i) security controls for development systems, development facilities, and external connections to development systems; (ii) vetting development personnel; and (iii) use of tamper-evident packaging during shipping/warehousing. Methods for reviewing and protecting development plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements. Related controls: AT-3, CM-8, IR- 4, PE-16, PL-8, SA-3, SA-4, SA-8, SA-10, SA-14, SA-15, SA-18, SA-19, SC-29, SC-30, SC-38, SI-7. References: NIST Special Publication 800-161; NIST Interagency Report 7622. link 4
op.ext.1 Contracting and service level agreements op.ext.1 Contracting and service level agreements 404 not found n/a n/a 35
op.ext.3 Protection of supply chain op.ext.3 Protection of supply chain 404 not found n/a n/a 2
op.nub.1 Cloud service protection op.nub.1 Cloud service protection 404 not found n/a n/a 33
op.pl.1 Risk analysis op.pl.1 Risk analysis 404 not found n/a n/a 70
op.pl.4 Sizing and capacity management op.pl.4 Sizing and capacity management 404 not found n/a n/a 12
op.pl.5 Certified components op.pl.5 Certified components 404 not found n/a n/a 26
PCI_DSS_v4.0 12.8.3 PCI_DSS_v4.0_12.8.3 PCI DSS v4.0 12.8.3 Requirement 12: Support Information Security with Organizational Policies and Programs Risk to information assets associated with third-party service provider (TPSP) relationships is managed Shared n/a An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement. link 5
PCI_DSS_v4.0 12.8.4 PCI_DSS_v4.0_12.8.4 PCI DSS v4.0 12.8.4 Requirement 12: Support Information Security with Organizational Policies and Programs Risk to information assets associated with third-party service provider (TPSP) relationships is managed Shared n/a A program is implemented to monitor TPSPs’ PCI DSS compliance status at least once every 12 months. link 8
SOC_2 CC3.4 SOC_2_CC3.4 SOC 2 Type 2 CC3.4 Risk Assessment COSO Principle 9 Shared The customer is responsible for implementing this recommendation. • Assesses Changes in the External Environment — The risk identification process considers changes to the regulatory, economic, and physical environment in which the entity operates. • Assesses Changes in the Business Model — The entity considers the potential impacts of new business lines, dramatically altered compositions of existing business lines, acquired or divested business operations on the system of internal control, rapid growth, changing reliance on foreign geographies, and new technologies. • Assesses Changes in Leadership — The entity considers changes in management and respective attitudes and philosophies on the system of internal control. Page 25 TSP Ref. # TRUST SERVICES CRITERIA AND POINTS OF FOCUS Additional point of focus specifically related to all engagements using the trust services criteria: • Assesses Changes in Systems and Technology — The risk identification process considers changes arising from changes in the entity’s systems and changes in the technology environment. • Assesses Changes in Vendor and Business Partner Relationships — The risk identification process considers changes in vendor and business partner relationships 6
SOC_2 CC9.2 SOC_2_CC9.2 SOC 2 Type 2 CC9.2 Risk Mitigation Vendors and business partners risk management Shared The customer is responsible for implementing this recommendation. Establishes Requirements for Vendor and Business Partner Engagements — The entity establishes specific requirements for a vendor and business partner engagement that includes (1) scope of services and product specifications, (2) roles and responsibilities, (3) compliance requirements, and (4) service levels. • Assesses Vendor and Business Partner Risks — The entity assesses, on a periodic basis, the risks that vendors and business partners (and those entities’ vendors and business partners) represent to the achievement of the entity's objectives. • Assigns Responsibility and Accountability for Managing Vendors and Business Partners — The entity assigns responsibility and accountability for the management of risks associated with vendors and business partners. • Establishes Communication Protocols for Vendors and Business Partners — The entity establishes communication and resolution protocols for service or product issues related to vendors and business partners. • Establishes Exception Handling Procedures From Vendors and Business Partners — The entity establishes exception handling procedures for service or product issues related to vendors and business partners. • Assesses Vendor and Business Partner Performance — The entity periodically assesses the performance of vendors and business partners. • Implements Procedures for Addressing Issues Identified During Vendor and Business Partner Assessments — The entity implements procedures for addressing issues identified with vendor and business partner relationships. • Implements Procedures for Terminating Vendor and Business Partner Relationships — The entity implements procedures for terminating vendor and business partner relationships. Additional points of focus that apply only to an engagement using the trust services criteria for confidentiality: • Obtains Confidentiality Commitments from Vendors and Business Partners — The entity obtains confidentiality commitments that are consistent with the entity’s confidentiality commitments and requirements from vendors and business partners who have access to confidential information. • Assesses Compliance With Confidentiality Commitments of Vendors and Business Partners — On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity’s confidentiality commitments and requirements. Additional points of focus that apply only to an engagement using the trust services criteria for privacy: • Obtains Privacy Commitments from Vendors and Business Partners — The entity obtains privacy commitments, consistent with the entity’s privacy commitments and requirements, from vendors and business partners who have access to personal information. • Assesses Compliance with Privacy Commitments of Vendors and Business Partners — On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity’s privacy commitments and requirements and takes corrective action as necessary 20
SWIFT_CSCF_v2022 2.8.5 SWIFT_CSCF_v2022_2.8.5 SWIFT CSCF v2022 2.8.5 2. Reduce Attack Surface and Vulnerabilities Ensure a consistent and effective approach for the customers’ messaging monitoring. Shared n/a Ensure a consistent and effective approach for the customers’ messaging monitoring. link 8
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add 9150259b-617b-596d-3bf5-5ca3fce20335
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC