last sync: 2024-Oct-10 19:12:06 UTC

Install an alarm system | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Install an alarm system
Id aa0ddd99-43eb-302d-3f8f-42b499182960
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_0338 - Install an alarm system
Additional metadata Name/Id: CMA_0338 / CMA_0338
Category: Operational
Title: Install an alarm system
Ownership: Customer
Description: Microsoft recommends your organization install a centralized, audible alarm system that covers all entry/exit points (including emergency exits), windows, loading docks, fire escapes, and restricted areas (e.g., vault, server/machine room, etc.). Additional, consider: - placing motion detectors in restricted areas (e.g., vault, server/machine room) and configuring them to alert the appropriate security and other personnel (e.g., incident response team, etc.) - installing door prop alarms in restricted areas (e.g. vault, server, machine rooms) to notify when sensitive entry/exit points are open for longer than a pre-determined period of time (e.g., 60 seconds) - configuring alarms to provide escalation notifications directly to the personnel in charge of security and other personnel (e.g., incident response team, etc.) - assigning unique arm and disarm codes to each person that requires access to the alarm system and restricting access to all other personnel - reviewing the list of users who can arm and disarm alarm systems quarterly, or upon change of personnel - testing the alarm system at a defined frequency (e.g., quarterly) The Malaysia Risk Management in Technology (RMiT) requires financial institutions to protect physical and logical security and controls implemented on the Cash SST, including installing alarm system with triggering mechanism connected to a centralized alert system to detect and alert bank's staff of any unauthorized opening or tampering of the physical component of the Cash SST, particularly the access to the Cash SST PC Core.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 30 compliance controls are associated with this Policy definition 'Install an alarm system' (aa0ddd99-43eb-302d-3f8f-42b499182960)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 PE-14(2) FedRAMP_High_R4_PE-14(2) FedRAMP High PE-14 (2) Physical And Environmental Protection Monitoring With Alarms / Notifications Shared n/a The organization employs temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment. link 2
FedRAMP_High_R4 PE-6(1) FedRAMP_High_R4_PE-6(1) FedRAMP High PE-6 (1) Physical And Environmental Protection Intrusion Alarms / Surveillance Equipment Shared n/a The organization monitors physical intrusion alarms and surveillance equipment. link 2
FedRAMP_Moderate_R4 PE-14(2) FedRAMP_Moderate_R4_PE-14(2) FedRAMP Moderate PE-14 (2) Physical And Environmental Protection Monitoring With Alarms / Notifications Shared n/a The organization employs temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment. link 2
FedRAMP_Moderate_R4 PE-6(1) FedRAMP_Moderate_R4_PE-6(1) FedRAMP Moderate PE-6 (1) Physical And Environmental Protection Intrusion Alarms / Surveillance Equipment Shared n/a The organization monitors physical intrusion alarms and surveillance equipment. link 2
hipaa 0505.09m2Organizational.3-09.m hipaa-0505.09m2Organizational.3-09.m 0505.09m2Organizational.3-09.m 05 Wireless Security 0505.09m2Organizational.3-09.m 09.06 Network Security Management Shared n/a Quarterly scans are performed to identify unauthorized wireless access points, and appropriate action is taken if any unauthorized access points are discovered. 8
hipaa 1331.02e3Organizational.4-02.e hipaa-1331.02e3Organizational.4-02.e 1331.02e3Organizational.4-02.e 13 Education, Training and Awareness 1331.02e3Organizational.4-02.e 02.03 During Employment Shared n/a The organization trains workforce members on how to properly respond to perimeter security alarms. 6
hipaa 1812.08b3Organizational.46-08.b hipaa-1812.08b3Organizational.46-08.b 1812.08b3Organizational.46-08.b 18 Physical & Environmental Security 1812.08b3Organizational.46-08.b 08.01 Secure Areas Shared n/a Intrusion detection systems (e.g., alarms and surveillance equipment) are installed on all external doors and accessible windows, the systems are monitored, and incidents/alarms are investigated. 3
hipaa 1813.08b3Organizational.56-08.b hipaa-1813.08b3Organizational.56-08.b 1813.08b3Organizational.56-08.b 18 Physical & Environmental Security 1813.08b3Organizational.56-08.b 08.01 Secure Areas Shared n/a The organization actively monitors unoccupied areas at all times and sensitive and/or restricted areas in real time as appropriate for the area. 4
hipaa 18145.08b3Organizational.7-08.b hipaa-18145.08b3Organizational.7-08.b 18145.08b3Organizational.7-08.b 18 Physical & Environmental Security 18145.08b3Organizational.7-08.b 08.01 Secure Areas Shared n/a The organization regularly tests alarms to ensure proper operation. 2
hipaa 18146.08b3Organizational.8-08.b hipaa-18146.08b3Organizational.8-08.b 18146.08b3Organizational.8-08.b 18 Physical & Environmental Security 18146.08b3Organizational.8-08.b 08.01 Secure Areas Shared n/a The organization maintains an electronic log of alarm system events and regularly reviews the logs, no less than monthly. 4
hipaa 1816.08d2Organizational.4-08.d hipaa-1816.08d2Organizational.4-08.d 1816.08d2Organizational.4-08.d 18 Physical & Environmental Security 1816.08d2Organizational.4-08.d 08.01 Secure Areas Shared n/a Any security threats presented by neighboring premises are identified. 4
ISO27001-2013 A.11.1.1 ISO27001-2013_A.11.1.1 ISO 27001:2013 A.11.1.1 Physical And Environmental Security Physical security perimeter Shared n/a Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities. link 8
ISO27001-2013 A.11.1.4 ISO27001-2013_A.11.1.4 ISO 27001:2013 A.11.1.4 Physical And Environmental Security Protecting against external and environmental threats Shared n/a Physical protection against natural disasters, malicious attack or accidents shall be designed and applied. link 9
ISO27001-2013 A.11.1.6 ISO27001-2013_A.11.1.6 ISO 27001:2013 A.11.1.6 Physical And Environmental Security Delivering and loading areas Shared n/a Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access. link 5
ISO27001-2013 A.12.1.2 ISO27001-2013_A.12.1.2 ISO 27001:2013 A.12.1.2 Operations Security Change management Shared n/a Changes to organization, business processes, information processing facilities and systems that affect information security shall be controlled. link 27
mp.eq.2 User session lockout mp.eq.2 User session lockout 404 not found n/a n/a 29
mp.if.1 Separate areas with access control mp.if.1 Separate areas with access control 404 not found n/a n/a 23
mp.if.2 Identification of persons mp.if.2 Identification of persons 404 not found n/a n/a 13
mp.if.3 Fitting-out of premises mp.if.3 Fitting-out of premises 404 not found n/a n/a 18
mp.if.5 Fire protection mp.if.5 Fire protection 404 not found n/a n/a 16
mp.if.6 Flood protection mp.if.6 Flood protection 404 not found n/a n/a 16
NIST_SP_800-171_R2_3 .10.2 NIST_SP_800-171_R2_3.10.2 NIST SP 800-171 R2 3.10.2 Physical Protection Protect and monitor the physical facility and support infrastructure for organizational systems. Shared Microsoft is responsible for implementing this requirement. Monitoring of physical access includes publicly accessible areas within organizational facilities. This can be accomplished, for example, by the employment of guards; the use of sensor devices; or the use of video surveillance equipment such as cameras. Examples of support infrastructure include system distribution, transmission, and power lines. Security controls applied to the support infrastructure prevent accidental damage, disruption, and physical tampering. Such controls may also be necessary to prevent eavesdropping or modification of unencrypted transmissions. Physical access controls to support infrastructure include locked wiring closets; disconnected or locked spare jacks; protection of cabling by conduit or cable trays; and wiretapping sensors. link 2
NIST_SP_800-53_R4 PE-14(2) NIST_SP_800-53_R4_PE-14(2) NIST SP 800-53 Rev. 4 PE-14 (2) Physical And Environmental Protection Monitoring With Alarms / Notifications Shared n/a The organization employs temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment. link 2
NIST_SP_800-53_R4 PE-6(1) NIST_SP_800-53_R4_PE-6(1) NIST SP 800-53 Rev. 4 PE-6 (1) Physical And Environmental Protection Intrusion Alarms / Surveillance Equipment Shared n/a The organization monitors physical intrusion alarms and surveillance equipment. link 2
NIST_SP_800-53_R5 PE-14(2) NIST_SP_800-53_R5_PE-14(2) NIST SP 800-53 Rev. 5 PE-14 (2) Physical and Environmental Protection Monitoring with Alarms and Notifications Shared n/a Employ environmental control monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment to [Assignment: organization-defined personnel or roles]. link 2
NIST_SP_800-53_R5 PE-6(1) NIST_SP_800-53_R5_PE-6(1) NIST SP 800-53 Rev. 5 PE-6 (1) Physical and Environmental Protection Intrusion Alarms and Surveillance Equipment Shared n/a Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment. link 2
op.exp.4 Security maintenance and updates op.exp.4 Security maintenance and updates 404 not found n/a n/a 78
op.exp.5 Change management op.exp.5 Change management 404 not found n/a n/a 71
SOC_2 A1.2 SOC_2_A1.2 SOC 2 Type 2 A1.2 Additional Criteria For Availability Environmental protections, software, data back-up processes, and recovery infrastructure Shared The customer is responsible for implementing this recommendation. Identifies Environmental Threats — As part of the risk assessment process, management identifies environmental threats that could impair the availability of the system, including threats resulting from adverse weather, failure of environmental control systems, electrical discharge, fire, and water. • Designs Detection Measures — Detection measures are implemented to identify anomalies that could result from environmental threat events. • Implements and Maintains Environmental Protection Mechanisms — Management implements and maintains environmental protection mechanisms to prevent and mitigate environmental events. • Implements Alerts to Analyze Anomalies — Management implements alerts that are communicated to personnel for analysis to identify environmental threat events. • Responds to Environmental Threat Events — Procedures are in place for responding to environmental threat events and for evaluating the effectiveness of those policies and procedures on a periodic basis. This includes automatic mitigation systems (for example, uninterruptable power system and generator backup subsystem). • Communicates and Reviews Detected Environmental Threat Events — Detected environmental threat events are communicated to and reviewed by the individuals responsible for the management of the system and actions are taken, if necessary. • Determines Data Requiring Backup — Data is evaluated to determine whether backup is required. • Performs Data Backup — Procedures are in place for backing up data, monitoring to detect backup failures, and initiating corrective action when such failures occur. • Addresses Offsite Storage — Backup data is stored in a location at a distance from its principal storage location sufficient that the likelihood of a security or environmental threat event affecting both sets of data is reduced to an appropriate level. • Implements Alternate Processing Infrastructure — Measures are implemented for migrating processing to alternate infrastructure in the event normal processing infrastructure becomes unavailable. 13
SWIFT_CSCF_v2022 3.1 SWIFT_CSCF_v2022_3.1 SWIFT CSCF v2022 3.1 3. Physically Secure the Environment Prevent unauthorised physical access to sensitive equipment, workplace environments, hosting sites, and storage. Shared n/a Physical security controls are in place to protect access to sensitive equipment, hosting sites, and storage. link 8
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add aa0ddd99-43eb-302d-3f8f-42b499182960
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC