last sync: 2024-Apr-19 17:43:58 UTC

Train personnel on disclosure of nonpublic information | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Train personnel on disclosure of nonpublic information
Id 97f0d974-1486-01e2-2088-b888f46c0589
Version 1.1.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description CMA_C1084 - Train personnel on disclosure of nonpublic information
Additional metadata Name/Id: CMA_C1084 / CMA_C1084
Category: Operational
Title: Train personnel on disclosure of nonpublic information
Ownership: Customer
Description: The customer is responsible for training the personnel defined in AC-21.a to prevent disclosure of nonpublic customer-controlled information.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 8 compliance controls are associated with this Policy definition 'Train personnel on disclosure of nonpublic information' (97f0d974-1486-01e2-2088-b888f46c0589)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 AC-22 FedRAMP_High_R4_AC-22 FedRAMP High AC-22 Access Control Publicly Accessible Content Shared n/a The organization: a. Designates individuals authorized to post information onto a publicly accessible information system; b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information; c. Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and d. Reviews the content on the publicly accessible information system for nonpublic information [Assignment: organization-defined frequency] and removes such information, if discovered. Supplemental Guidance: In accordance with federal laws, Executive Orders, directives, policies, regulations, standards, and/or guidance, the general public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act and proprietary information). This control addresses information systems that are controlled by the organization and accessible to the general public, typically without identification or authentication. The posting of information on non-organization information systems is covered by organizational policy. Related controls: AC-3, AC-4, AT-2, AT-3, AU-13. Control Enhancements: None. References: None. link 4
FedRAMP_Moderate_R4 AC-22 FedRAMP_Moderate_R4_AC-22 FedRAMP Moderate AC-22 Access Control Publicly Accessible Content Shared n/a The organization: a. Designates individuals authorized to post information onto a publicly accessible information system; b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information; c. Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and d. Reviews the content on the publicly accessible information system for nonpublic information [Assignment: organization-defined frequency] and removes such information, if discovered. Supplemental Guidance: In accordance with federal laws, Executive Orders, directives, policies, regulations, standards, and/or guidance, the general public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act and proprietary information). This control addresses information systems that are controlled by the organization and accessible to the general public, typically without identification or authentication. The posting of information on non-organization information systems is covered by organizational policy. Related controls: AC-3, AC-4, AT-2, AT-3, AU-13. Control Enhancements: None. References: None. link 4
hipaa 1304.02e3Organizational.1-02.e hipaa-1304.02e3Organizational.1-02.e 1304.02e3Organizational.1-02.e 13 Education, Training and Awareness 1304.02e3Organizational.1-02.e 02.03 During Employment Shared n/a Personnel with significant security responsibilities receive specialized education and training on their roles and responsibilities: (i) prior to being granted access to the organization’s systems and resources; (ii) when required by system changes; (iii) when entering into a new position that requires additional training; and, (iv) no less than annually thereafter. 9
hipaa 19134.05j1Organizational.5-05.j hipaa-19134.05j1Organizational.5-05.j 19134.05j1Organizational.5-05.j 19 Data Protection & Privacy 19134.05j1Organizational.5-05.j 05.02 External Parties Shared n/a The public has access to information about the organization's security and privacy activities and is able to communicate with its senior security official and senior privacy official. 12
ISO27001-2013 A.7.2.2 ISO27001-2013_A.7.2.2 ISO 27001:2013 A.7.2.2 Human Resources Security Information security awareness, education and training Shared n/a All employees of the organization and, where relevant, contractors shall receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function. link 15
NIST_SP_800-171_R2_3 .1.22 NIST_SP_800-171_R2_3.1.22 NIST SP 800-171 R2 3.1.22 Access Control Control CUI posted or processed on publicly accessible systems. Shared Microsoft and the customer share responsibilities for implementing this requirement. In accordance with laws, Executive Orders, directives, policies, regulations, or standards, the public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act, CUI, and proprietary information). This requirement addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Individuals authorized to post CUI onto publicly accessible systems are designated. The content of information is reviewed prior to posting onto publicly accessible systems to ensure that nonpublic information is not included. link 4
NIST_SP_800-53_R4 AC-22 NIST_SP_800-53_R4_AC-22 NIST SP 800-53 Rev. 4 AC-22 Access Control Publicly Accessible Content Shared n/a The organization: a. Designates individuals authorized to post information onto a publicly accessible information system; b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information; c. Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and d. Reviews the content on the publicly accessible information system for nonpublic information [Assignment: organization-defined frequency] and removes such information, if discovered. Supplemental Guidance: In accordance with federal laws, Executive Orders, directives, policies, regulations, standards, and/or guidance, the general public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act and proprietary information). This control addresses information systems that are controlled by the organization and accessible to the general public, typically without identification or authentication. The posting of information on non-organization information systems is covered by organizational policy. Related controls: AC-3, AC-4, AT-2, AT-3, AU-13. Control Enhancements: None. References: None. link 4
NIST_SP_800-53_R5 AC-22 NIST_SP_800-53_R5_AC-22 NIST SP 800-53 Rev. 5 AC-22 Access Control Publicly Accessible Content Shared n/a a. Designate individuals authorized to make information publicly accessible; b. Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information; c. Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and d. Review the content on the publicly accessible system for nonpublic information [Assignment: organization-defined frequency] and remove such information, if discovered. link 4
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add 97f0d974-1486-01e2-2088-b888f46c0589
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC