last sync: 2024-Jul-26 18:17:39 UTC

Provide security awareness training for insider threats | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Provide security awareness training for insider threats
Id 9b8b05ec-3d21-215e-5d98-0f7cf0998202
Version 1.1.0
Category Regulatory Compliance
Description CMA_0417 - Provide security awareness training for insider threats
Additional metadata Name/Id: CMA_0417 / CMA_0417
Category: Operational
Title: Provide security awareness training for insider threats
Ownership: Customer
Description: Microsoft recommends that your organization provide security awareness training to users that includes information about recognizing and reporting potential indicators of insider threat. Your organization may consider creating and maintaining Security Awareness Training policies and standard operating procedures that include instructions for how to recognize and report indicators of potential insider threat.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default: Manual
Effect Allowed: Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types (IF, 1): Microsoft.Resources/subscriptions
Compliance
The following 16 compliance controls are associated with this Policy definition 'Provide security awareness training for insider threats' (9b8b05ec-3d21-215e-5d98-0f7cf0998202)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 AT-2(2) FedRAMP_High_R4_AT-2(2) FedRAMP High AT-2 (2) Awareness And Training Insider Threat Shared n/a The organization includes security awareness training on recognizing and reporting potential indicators of insider threat. Supplemental Guidance: Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction, attempts to gain access to information not required for job performance, unexplained access to financial resources, bullying or sexual harassment of fellow employees, workplace violence, and other serious violations of organizational policies, procedures, directives, rules, or practices. Security awareness training includes how to communicate employee and management concerns regarding potential indicators of insider threat through appropriate organizational channels in accordance with established organizational policies and procedures. Related controls: PL-4, PM-12, PS-3, PS-6. References: C.F.R. Part 5 Subpart C (5 C.F.R 930.301); Executive Order 13587; NIST Special Publication 800-50. link 1
FedRAMP_Moderate_R4 AT-2(2) FedRAMP_Moderate_R4_AT-2(2) FedRAMP Moderate AT-2 (2) Awareness And Training Insider Threat Shared n/a The organization includes security awareness training on recognizing and reporting potential indicators of insider threat. Supplemental Guidance: Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction, attempts to gain access to information not required for job performance, unexplained access to financial resources, bullying or sexual harassment of fellow employees, workplace violence, and other serious violations of organizational policies, procedures, directives, rules, or practices. Security awareness training includes how to communicate employee and management concerns regarding potential indicators of insider threat through appropriate organizational channels in accordance with established organizational policies and procedures. Related controls: PL-4, PM-12, PS-3, PS-6. References: C.F.R. Part 5 Subpart C (5 C.F.R 930.301); Executive Order 13587; NIST Special Publication 800-50. link 1
hipaa 0109.02d1Organizational.4-02.d hipaa-0109.02d1Organizational.4-02.d 0109.02d1Organizational.4-02.d 01 Information Protection Program 0109.02d1Organizational.4-02.d 02.03 During Employment Shared n/a Management ensures users are (i) briefed on their security role(s)/responsibilities, conform with the terms and conditions of employment prior to obtaining access to the organization’s information systems; (ii) provided with guidelines regarding the security expectations of their roles; (iii) motivated to comply with security policies; and, (iv) continue to have the appropriate skills and qualifications for their role(s). 20
hipaa 0111.02d2Organizational.2-02.d hipaa-0111.02d2Organizational.2-02.d 0111.02d2Organizational.2-02.d 01 Information Protection Program 0111.02d2Organizational.2-02.d 02.03 During Employment Shared n/a Non-employees are provided the organization's data privacy and security policy requirements prior to accessing system resources and data. 9
hipaa 1109.01b1System.479-01.b hipaa-1109.01b1System.479-01.b 1109.01b1System.479-01.b 11 Access Control 1109.01b1System.479-01.b 01.02 Authorized Access to Information Systems Shared n/a User registration and deregistration, at a minimum: (i) communicates relevant policies to users and require acknowledgement (e.g., signed or captured electronically); (ii) checks authorization and minimum level of access necessary prior to granting access; (iii) ensures access is appropriate to the business needs (consistent with sensitivity/risk and does not violate segregation of duties requirements); (iv) addresses termination and transfer; (v) ensures default accounts are removed and/or renamed; (vi) removes or blocks critical access rights of users who have changed roles or jobs; and, (vii) automatically removes or disables inactive accounts. 24
hipaa 1301.02e1Organizational.12-02.e hipaa-1301.02e1Organizational.12-02.e 1301.02e1Organizational.12-02.e 13 Education, Training and Awareness 1301.02e1Organizational.12-02.e 02.03 During Employment Shared n/a Employees and contractors receive documented initial (as part of their onboarding within 60 days of hire), annual, and ongoing training on their roles related to security and privacy. 17
hipaa 1302.02e2Organizational.134-02.e hipaa-1302.02e2Organizational.134-02.e 1302.02e2Organizational.134-02.e 13 Education, Training and Awareness 1302.02e2Organizational.134-02.e 02.03 During Employment Shared n/a Dedicated security and privacy awareness training is developed as part of the organization's onboarding program, is documented and tracked, and includes the recognition and reporting of potential indicators of an insider threat. 19
hipaa 1310.01y1Organizational.9-01.y hipaa-1310.01y1Organizational.9-01.y 1310.01y1Organizational.9-01.y 13 Education, Training and Awareness 1310.01y1Organizational.9-01.y 01.07 Mobile Computing and Teleworking Shared n/a Personnel who telework are trained on the risks, the controls implemented, and their responsibilities. 10
hipaa 1327.02e2Organizational.8-02.e hipaa-1327.02e2Organizational.8-02.e 1327.02e2Organizational.8-02.e 13 Education, Training and Awareness 1327.02e2Organizational.8-02.e 02.03 During Employment Shared n/a The organization trains its workforce to ensure covered information is stored in organization-specified locations. 5
hipaa 1336.02e1Organizational.5-02.e hipaa-1336.02e1Organizational.5-02.e 1336.02e1Organizational.5-02.e 13 Education, Training and Awareness 1336.02e1Organizational.5-02.e 02.03 During Employment Shared n/a The organization’s security awareness and training program (i) identifies how workforce members are provided security awareness and training, and the workforce members who will receive security awareness and training; (ii) describes the types of security awareness and training that is reasonable and appropriate for its workforce members; (iii) how workforce members are provided security and awareness training when there is a change in the organization’s information systems; and, (iv) how frequently security awareness and training is provided to all workforce members. 7
hipaa 1507.11a1Organizational.4-11.a hipaa-1507.11a1Organizational.4-11.a 1507.11a1Organizational.4-11.a 15 Incident Management 1507.11a1Organizational.4-11.a 11.01 Reporting Information Security Incidents and Weaknesses Shared n/a The organization has implemented an insider threat program that includes a cross-discipline insider threat incident handling team. 3
hipaa 1525.11a1Organizational.6-11.a hipaa-1525.11a1Organizational.6-11.a 1525.11a1Organizational.6-11.a 15 Incident Management 1525.11a1Organizational.6-11.a 11.01 Reporting Information Security Incidents and Weaknesses Shared n/a The organization takes disciplinary action against workforce members that fail to cooperate with federal and state investigations. 6
NIST_SP_800-171_R2 3.2.3 NIST_SP_800-171_R2_3.2.3 NIST SP 800-171 R2 3.2.3 Awareness and Training Provide security awareness training on recognizing and reporting potential indicators of insider threat. Shared Microsoft and the customer share responsibilities for implementing this requirement. Potential indicators and possible precursors of insider threat include behaviors such as: inordinate, long-term job dissatisfaction; attempts to gain access to information that is not required for job performance; unexplained access to financial resources; bullying or sexual harassment of fellow employees; workplace violence; and other serious violations of the policies, procedures, directives, rules, or practices of organizations. Security awareness training includes how to communicate employee and management concerns regarding potential indicators of insider threat through appropriate organizational channels in accordance with established organizational policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role (e.g., training for managers may be focused on specific changes in behavior of team members, while training for employees may be focused on more general observations). link 2
NIST_SP_800-53_R4 AT-2(2) NIST_SP_800-53_R4_AT-2(2) NIST SP 800-53 Rev. 4 AT-2 (2) Awareness And Training Insider Threat Shared n/a The organization includes security awareness training on recognizing and reporting potential indicators of insider threat. Supplemental Guidance: Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction, attempts to gain access to information not required for job performance, unexplained access to financial resources, bullying or sexual harassment of fellow employees, workplace violence, and other serious violations of organizational policies, procedures, directives, rules, or practices. Security awareness training includes how to communicate employee and management concerns regarding potential indicators of insider threat through appropriate organizational channels in accordance with established organizational policies and procedures. Related controls: PL-4, PM-12, PS-3, PS-6. References: C.F.R. Part 5 Subpart C (5 C.F.R 930.301); Executive Order 13587; NIST Special Publication 800-50. link 1
NIST_SP_800-53_R5 AT-2(2) NIST_SP_800-53_R5_AT-2(2) NIST SP 800-53 Rev. 5 AT-2 (2) Awareness and Training Insider Threat Shared n/a Provide literacy training on recognizing and reporting potential indicators of insider threat. link 1
SWIFT_CSCF_v2022 7.2 SWIFT_CSCF_v2022_7.2 SWIFT CSCF v2022 7.2 7. Plan for Incident Response and Information Sharing Ensure all staff are aware of and fulfil their security responsibilities by performing regular awareness activities, and maintain security knowledge of staff with privileged access. Shared n/a Annual security awareness sessions are conducted for all staff members with access to SWIFT-related systems. All staff with privileged access maintain knowledge through specific training or learning activities when relevant or appropriate (at management’s discretion). link 11
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add 9b8b05ec-3d21-215e-5d98-0f7cf0998202