last sync: 2024-May-24 18:03:04 UTC

Microsoft Managed Control 1609 - Development Process, Standards, And Tools | Regulatory Compliance - System and Services Acquisition

Azure BuiltIn Policy definition

Source Azure Portal
Display name Microsoft Managed Control 1609 - Development Process, Standards, And Tools
Id 9e93fa71-42ac-41a7-b177-efbfdc53c69f
Version 1.0.0
Category Regulatory Compliance
Description Microsoft implements this System and Services Acquisition control
Additional metadata Name/Id: ACF1609 / Microsoft Managed Control 1609
Category: System and Services Acquisition
Title: Development Process, Standards, And Tools - Develops
Ownership: Customer, Microsoft
Description: The organization: Requires the developer of the information system, system component, or information system service to follow a documented development process that: Explicitly addresses security requirements; Identifies the standards and tools used in the development process; Documents the specific tool options and tool configurations used in the development process; and Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and
Requirements: All development in Azure must follow the Security Development Lifecycle (SDL) process for all engineering and development projects. The SDL process includes the following:
* Addressing security requirements: The Requirements phase of the SDL includes the project inception—when the organization considers security and privacy at a foundational level—and a cost analysis—when determining if development and support costs for improving security and privacy are consistent with business needs.
* Identifying standards and tools/documents tools and configurations: The Implementation phase is when the organization creates the documentation and tools the customer uses to make informed decisions about how to deploy the software securely. To this end, the Implementation phase is when the organization establishes development best practices to detect and remove security and privacy issues early in the development cycle. Microsoft understands, observes, and implements the security requirements and considerations as outlined in IT Security Procedural Guide 09-48, Security Language for IT Acquisition Efforts, dated September 2009 for the information system consistent with the Azure offering’s requirements.
* Documents, manages, and ensures the integrity of changes: During the Verification phase, the organization ensures that the code meets the security and privacy tenets established in the previous phases. This is done through security and privacy testing, and a security push—which is a team-wide focus on threat model updates, code review, testing, and thorough documentation review and edit. A public release privacy review is also completed during the Verification phase.
Mode Indexed
Type Static
Preview False
Deprecated False
Effect Fixed: audit
RBAC role(s) none
Rule aliases none
Rule resource types IF (2)
Microsoft.Resources/subscriptions
Microsoft.Resources/subscriptions/resourceGroups
Compliance Not a Compliance control
Initiatives usage none
History none
JSON compare n/a