last sync: 2024-May-24 18:03:04 UTC

Develop audit and accountability policies and procedures | Regulatory Compliance - Documentation

Azure BuiltIn Policy definition

Source Azure Portal
Display name Develop audit and accountability policies and procedures
Id a28323fe-276d-3787-32d2-cef6395764c4
Version 1.1.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description CMA_0154 - Develop audit and accountability policies and procedures
Additional metadata Name/Id: CMA_0154 / CMA_0154
Category: Documentation
Title: Develop audit and accountability policies and procedures
Ownership: Customer
Description: Microsoft recommends that your organization develop, document, maintain, and distribute Audit and Accountability policies that addresses the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. We recommend that your organization establish a dedicated internal technology audit function with specialized and relevant technology audit competencies. The internal audit functions may be enlisted to provide advice on compliance with and adequacy of control processes during the planning and development phases of new major products, systems or technology operations. It is recommended that your organization designate a board audit committee responsible for ensuring the effectiveness of the internal technology audit function. It is recommended that your organization document evaluation procedures/guidelines to enable the internal audit team to evaluate the adequacy and efficiency of the controls implemented. Such procedures may include control deficiency, scoring methodology, quantification approach of impact, etc. It is recommended that your organization's internal audit procedure be established, implemented and maintained to ensure: - Compliance with various standard's requirements and any legal, regulatory or contractual obligations - Internal audits are scheduled and performed at least once per year, no later than six months following the external audit - Where practicable, persons carrying out the audit are independent of those responsible for the activity - Results of the audits are recorded, published, and reported to relevant stakeholders to allow those responsible to make corrective or preventive actions - Coordination with the respective teams for relevant actions to close non-compliance and irregularities in controls. Microsoft recommends that your organization review and update the current audit and accountability policies and procedures as per the organization defined frequency. Taiwan- Implementation Rules of Internal Audit and Internal Control System of Financial Holding Companies and Banking Industries requires your organization to allow a chief auditor to designate internal auditors of a subsidiary company to conduct the internal audit task and to safeguard the appropriateness and effectiveness of the internal audit system in the organization or its subsidiary. Taiwan - Implementation Rules for the Internal Audit and Internal Control System of Electronic Payment Institutions requires your organization to get approval from the chief auditor prior to conducting actions such as employing, dismissing, promoting or reviewing, among other actions, any personnel in the internal audit unit. ARMA International TR 30-2017 requires organizations to perform audits to prove the information governance program is accomplishing its goals and identify areas for improvement to further protect the information assets. The auditing shall determine whether employees can demonstrate program awareness, retention period of the information is adhered to and policies are up to date.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 25 compliance controls are associated with this Policy definition 'Develop audit and accountability policies and procedures' (a28323fe-276d-3787-32d2-cef6395764c4)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 AU-1 FedRAMP_High_R4_AU-1 FedRAMP High AU-1 Audit And Accountability Audit And Accountability Policy And Procedures Shared n/a The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and b. Reviews and updates the current: 1. Audit and accountability policy [Assignment: organization-defined frequency]; and 2. Audit and accountability procedures [Assignment: organization-defined frequency]. Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. Control Enhancements: None. References: NIST Special Publications 800-12, 800-100. link 4
FedRAMP_Moderate_R4 AU-1 FedRAMP_Moderate_R4_AU-1 FedRAMP Moderate AU-1 Audit And Accountability Audit And Accountability Policy And Procedures Shared n/a The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and b. Reviews and updates the current: 1. Audit and accountability policy [Assignment: organization-defined frequency]; and 2. Audit and accountability procedures [Assignment: organization-defined frequency]. Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. Control Enhancements: None. References: NIST Special Publications 800-12, 800-100. link 4
hipaa 0114.04b1Organizational.1-04.b hipaa-0114.04b1Organizational.1-04.b 0114.04b1Organizational.1-04.b 01 Information Protection Program 0114.04b1Organizational.1-04.b 04.01 Information Security Policy Shared n/a The security policies are regularly reviewed and updated to ensure they reflect leading practices (e.g., for systems and services development and acquisition), and are communicated throughout the organization. 9
hipaa 0115.04b2Organizational.123-04.b hipaa-0115.04b2Organizational.123-04.b 0115.04b2Organizational.123-04.b 01 Information Protection Program 0115.04b2Organizational.123-04.b 04.01 Information Security Policy Shared n/a The owner of the security policies has management approval and assigned responsibility to develop, review, update (based on specific input), and approve the security policies; and such reviews, updates, and approvals occur no less than annually. 20
hipaa 12101.09ab1Organizational.3-09.ab hipaa-12101.09ab1Organizational.3-09.ab 12101.09ab1Organizational.3-09.ab 12 Audit Logging & Monitoring 12101.09ab1Organizational.3-09.ab 09.10 Monitoring Shared n/a The organization specifies how often audit logs are reviewed, how the reviews are documented, and the specific roles and responsibilities of the personnel conducting the reviews, including the professional certifications or other qualifications required. 18
ISO27001-2013 A.12.1.1 ISO27001-2013_A.12.1.1 ISO 27001:2013 A.12.1.1 Operations Security Documented operating procedures Shared n/a Operating procedures shall be documented and made available to all users who need them. link 31
ISO27001-2013 A.18.1.1 ISO27001-2013_A.18.1.1 ISO 27001:2013 A.18.1.1 Compliance Identification applicable legislation and contractual requirements Shared n/a All relevant legislative statutory, regulatory, contractual requirements and the organization's approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization. link 30
ISO27001-2013 A.18.2.2 ISO27001-2013_A.18.2.2 ISO 27001:2013 A.18.2.2 Compliance Compliance with security policies and standards Shared n/a Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. link 36
ISO27001-2013 A.5.1.1 ISO27001-2013_A.5.1.1 ISO 27001:2013 A.5.1.1 Information Security Policies Policies for information security Shared n/a A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties. link 42
ISO27001-2013 A.5.1.2 ISO27001-2013_A.5.1.2 ISO 27001:2013 A.5.1.2 Information Security Policies Review of the policies for information security Shared n/a The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy, and effectiveness. link 29
ISO27001-2013 A.6.1.1 ISO27001-2013_A.6.1.1 ISO 27001:2013 A.6.1.1 Organization of Information Security Information security roles and responsibilities Shared n/a All information security responsibilities shall be clearly defined and allocated. link 73
ISO27001-2013 C.5.1.b ISO27001-2013_C.5.1.b ISO 27001:2013 C.5.1.b Leadership Leadership and commitment Shared n/a Top management shall demonstrate leadership and commitment with respect to the information security management system by: b) ensuring the integration of the information security management system requirements into the organization’s processes. link 28
ISO27001-2013 C.5.2.c ISO27001-2013_C.5.2.c ISO 27001:2013 C.5.2.c Leadership Policy Shared n/a Top management shall establish an information security policy that: c) includes a commitment to satisfy applicable requirements related to information security. link 23
ISO27001-2013 C.5.2.d ISO27001-2013_C.5.2.d ISO 27001:2013 C.5.2.d Leadership Policy Shared n/a Top management shall establish an information security policy that: d) includes a commitment to continual improvement of the information security management system. link 23
ISO27001-2013 C.9.2.e ISO27001-2013_C.9.2.e ISO 27001:2013 C.9.2.e Performance Evaluation Internal audit Shared n/a The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system: e) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process. link 5
mp.info.1 Personal data mp.info.1 Personal data 404 not found n/a n/a 33
mp.info.6 Backups mp.info.6 Backups 404 not found n/a n/a 65
mp.s.2 Protection of web services and applications mp.s.2 Protection of web services and applications 404 not found n/a n/a 102
NIST_SP_800-53_R4 AU-1 NIST_SP_800-53_R4_AU-1 NIST SP 800-53 Rev. 4 AU-1 Audit And Accountability Audit And Accountability Policy And Procedures Shared n/a The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and b. Reviews and updates the current: 1. Audit and accountability policy [Assignment: organization-defined frequency]; and 2. Audit and accountability procedures [Assignment: organization-defined frequency]. Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. Control Enhancements: None. References: NIST Special Publications 800-12, 800-100. link 4
NIST_SP_800-53_R5 AU-1 NIST_SP_800-53_R5_AU-1 NIST SP 800-53 Rev. 5 AU-1 Audit and Accountability Policy and Procedures Shared n/a a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (OneOrMore): Organization-level;Mission/business process-level;System-level] audit and accountability policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and c. Review and update the current audit and accountability: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. link 4
org.1 Security policy org.1 Security policy 404 not found n/a n/a 94
org.2 Security regulations org.2 Security regulations 404 not found n/a n/a 100
org.3 Security procedures org.3 Security procedures 404 not found n/a n/a 83
org.4 Authorization process org.4 Authorization process 404 not found n/a n/a 127
PCI_DSS_v4.0 10.1.1 PCI_DSS_v4.0_10.1.1 PCI DSS v4.0 10.1.1 Requirement 10: Log and Monitor All Access to System Components and Cardholder Data Processes and mechanisms for logging and monitoring all access to system components and cardholder data are defined and documented Shared n/a All security policies and operational procedures that are identified in Requirement 10 are: • Documented. • Kept up to date. • In use. • Known to all affected parties. link 4
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40 add a28323fe-276d-3787-32d2-cef6395764c4
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC