last sync: 2024-Jun-13 18:14:14 UTC

Obtain approvals for acquisitions and outsourcing | Regulatory Compliance - Documentation

Azure BuiltIn Policy definition

Source Azure Portal
Display name Obtain approvals for acquisitions and outsourcing
Id 92b94485-1c49-3350-9ada-dffe94f08e87
Version 1.1.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description CMA_C1590 - Obtain approvals for acquisitions and outsourcing
Additional metadata Name/Id: CMA_C1590 / CMA_C1590
Category: Documentation
Title: Obtain approvals for acquisitions and outsourcing
Ownership: Customer
Description: The customer is responsible for obtaining approval of acquisitions or outsourcing of dedicated information security services.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 6 compliance controls are associated with this Policy definition 'Obtain approvals for acquisitions and outsourcing' (92b94485-1c49-3350-9ada-dffe94f08e87)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 SA-9(1) FedRAMP_High_R4_SA-9(1) FedRAMP High SA-9 (1) System And Services Acquisition Risk Assessments / Organizational Approvals Shared n/a The organization: (a) Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and (b) Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles]. Supplemental Guidance: Dedicated information security services include, for example, incident monitoring, analysis and response, operation of information security-related devices such as firewalls, or key management services. Related controls: CA-6, RA-3. link 2
FedRAMP_Moderate_R4 SA-9(1) FedRAMP_Moderate_R4_SA-9(1) FedRAMP Moderate SA-9 (1) System And Services Acquisition Risk Assessments / Organizational Approvals Shared n/a The organization: (a) Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and (b) Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles]. Supplemental Guidance: Dedicated information security services include, for example, incident monitoring, analysis and response, operation of information security-related devices such as firewalls, or key management services. Related controls: CA-6, RA-3. link 2
hipaa 1422.05j2Organizational.3-05.j hipaa-1422.05j2Organizational.3-05.j 1422.05j2Organizational.3-05.j 14 Third Party Assurance 1422.05j2Organizational.3-05.j 05.02 External Parties Shared n/a All security requirements resulting from work with external parties or internal controls are reflected by the agreement with the external party. 6
hipaa 17120.10a3Organizational.5-10.a hipaa-17120.10a3Organizational.5-10.a 17120.10a3Organizational.5-10.a 17 Risk Management 17120.10a3Organizational.5-10.a 10.01 Security Requirements of Information Systems Shared n/a The organization documents all existing outsourced information services and conducts an organizational assessment of risk prior to the acquisition or outsourcing of information services. 10
NIST_SP_800-53_R4 SA-9(1) NIST_SP_800-53_R4_SA-9(1) NIST SP 800-53 Rev. 4 SA-9 (1) System And Services Acquisition Risk Assessments / Organizational Approvals Shared n/a The organization: (a) Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and (b) Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles]. Supplemental Guidance: Dedicated information security services include, for example, incident monitoring, analysis and response, operation of information security-related devices such as firewalls, or key management services. Related controls: CA-6, RA-3. link 2
NIST_SP_800-53_R5 SA-9(1) NIST_SP_800-53_R5_SA-9(1) NIST SP 800-53 Rev. 5 SA-9 (1) System and Services Acquisition Risk Assessments and Organizational Approvals Shared n/a (a) Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services; and (b) Verify that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles]. link 2
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40 add 92b94485-1c49-3350-9ada-dffe94f08e87
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC