last sync: 2024-Oct-11 17:51:27 UTC

Establish an alternate processing site | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Establish an alternate processing site
Id af5ff768-a34b-720e-1224-e6b3214f3ba6
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_0262 - Establish an alternate processing site
Additional metadata Name/Id: CMA_0262 / CMA_0262
Category: Operational
Title: Establish an alternate processing site
Ownership: Customer
Description: Microsoft recommends that your organization establish an alternate processing site including necessary agreements to permit the transfer and resumption of operations for essential missions/business functions within a time period consistent with recovery time and recovery point objectives when the primary processing capabilities are unavailable. Alternate processing sites are sites that are geographically distinct from primary processing sites. An alternate processing site provides processing capability in the event that the primary processing site is not available. Items covered by alternate processing site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination for the transfer/assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. In addition, your organization is recommended to: - Identify potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions - Prepare the alternate site so that the site is ready to be used as the operational site supporting essential missions and business functions - Develop alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives) - Ensure that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption - Ensure that the alternate processing site provides information security safeguards equivalent to that of the primary site.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 35 compliance controls are associated with this Policy definition 'Establish an alternate processing site' (af5ff768-a34b-720e-1224-e6b3214f3ba6)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 CP-7 FedRAMP_High_R4_CP-7 FedRAMP High CP-7 Contingency Planning Alternate Processing Site Shared n/a The organization: a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable; b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and c. Ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site. Supplemental Guidance: Alternate processing sites are sites that are geographically distinct from primary processing sites. An alternate processing site provides processing capability in the event that the primary processing site is not available. Items covered by alternate processing site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination for the transfer/assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-6, CP-8, CP-9, CP-10, MA-6. References: NIST Special Publication 800-34. link 2
FedRAMP_High_R4 CP-7(1) FedRAMP_High_R4_CP-7(1) FedRAMP High CP-7 (1) Contingency Planning Separation From Primary Site Shared n/a The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats. Supplemental Guidance: Threats that affect alternate processing sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant. Related control: RA-3. link 1
FedRAMP_High_R4 CP-7(2) FedRAMP_High_R4_CP-7(2) FedRAMP High CP-7 (2) Contingency Planning Accessibility Shared n/a The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. Supplemental Guidance: Area-wide disruptions refer to those types of disruptions that are broad in geographic scope (e.g., hurricane, regional power outage) with such determinations made by organizations based on organizational assessments of risk. Related control: RA-3. link 1
FedRAMP_High_R4 CP-7(3) FedRAMP_High_R4_CP-7(3) FedRAMP High CP-7 (3) Contingency Planning Priority Of Service Shared n/a The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives). Supplemental Guidance: Priority-of-service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources at the alternate processing site. link 2
FedRAMP_Moderate_R4 CP-7 FedRAMP_Moderate_R4_CP-7 FedRAMP Moderate CP-7 Contingency Planning Alternate Processing Site Shared n/a The organization: a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable; b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and c. Ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site. Supplemental Guidance: Alternate processing sites are sites that are geographically distinct from primary processing sites. An alternate processing site provides processing capability in the event that the primary processing site is not available. Items covered by alternate processing site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination for the transfer/assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-6, CP-8, CP-9, CP-10, MA-6. References: NIST Special Publication 800-34. link 2
FedRAMP_Moderate_R4 CP-7(1) FedRAMP_Moderate_R4_CP-7(1) FedRAMP Moderate CP-7 (1) Contingency Planning Separation From Primary Site Shared n/a The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats. Supplemental Guidance: Threats that affect alternate processing sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant. Related control: RA-3. link 1
FedRAMP_Moderate_R4 CP-7(2) FedRAMP_Moderate_R4_CP-7(2) FedRAMP Moderate CP-7 (2) Contingency Planning Accessibility Shared n/a The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. Supplemental Guidance: Area-wide disruptions refer to those types of disruptions that are broad in geographic scope (e.g., hurricane, regional power outage) with such determinations made by organizations based on organizational assessments of risk. Related control: RA-3. link 1
FedRAMP_Moderate_R4 CP-7(3) FedRAMP_Moderate_R4_CP-7(3) FedRAMP Moderate CP-7 (3) Contingency Planning Priority Of Service Shared n/a The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives). Supplemental Guidance: Priority-of-service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources at the alternate processing site. link 2
hipaa 0824.09m3Organizational.1-09.m hipaa-0824.09m3Organizational.1-09.m 0824.09m3Organizational.1-09.m 08 Network Protection 0824.09m3Organizational.1-09.m 09.06 Network Security Management Shared n/a The impact of the loss of network service to the business is defined. 10
hipaa 0860.09m1Organizational.9-09.m hipaa-0860.09m1Organizational.9-09.m 0860.09m1Organizational.9-09.m 08 Network Protection 0860.09m1Organizational.9-09.m 09.06 Network Security Management Shared n/a The organization formally manages equipment on the network, including equipment in user areas. 5
hipaa 1464.09e2Organizational.5-09.e hipaa-1464.09e2Organizational.5-09.e 1464.09e2Organizational.5-09.e 14 Third Party Assurance 1464.09e2Organizational.5-09.e 09.02 Control Third Party Service Delivery Shared n/a The organization restricts the location of facilities that process, transmit or store covered information (e.g., to those located in the United States), as needed, based on its legal, regulatory, contractual and other security and privacy-related obligations. 5
hipaa 1604.12c2Organizational.16789-12.c hipaa-1604.12c2Organizational.16789-12.c 1604.12c2Organizational.16789-12.c 16 Business Continuity & Disaster Recovery 1604.12c2Organizational.16789-12.c 12.01 Information Security Aspects of Business Continuity Management Shared n/a Alternative storage and processing sites are identified (permanent and/or temporary) at a sufficient distance from the primary facility and configured with security measures equivalent to the primary site, and the necessary third-party service agreements have been established to allow for the resumption of information systems operations of critical business functions within the time period defined (e.g., priority of service provisions) based on a risk assessment, including Recovery Time Objectives (RTO), in accordance with the organization's availability requirements. 6
hipaa 1668.12d1Organizational.67-12.d hipaa-1668.12d1Organizational.67-12.d 1668.12d1Organizational.67-12.d 16 Business Continuity & Disaster Recovery 1668.12d1Organizational.67-12.d 12.01 Information Security Aspects of Business Continuity Management Shared n/a Emergency procedures, manual "fallback" procedures, and resumption plans are the responsibility of the owner of the business resources or processes involved; and fallback arrangements for alternative technical services, such as information processing and communications facilities, are the responsibility of the service providers. 4
ISO27001-2013 A.11.1.4 ISO27001-2013_A.11.1.4 ISO 27001:2013 A.11.1.4 Physical And Environmental Security Protecting against external and environmental threats Shared n/a Physical protection against natural disasters, malicious attack or accidents shall be designed and applied. link 9
ISO27001-2013 A.12.3.1 ISO27001-2013_A.12.3.1 ISO 27001:2013 A.12.3.1 Operations Security Information backup Shared n/a Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy. link 13
ISO27001-2013 A.17.1.2 ISO27001-2013_A.17.1.2 ISO 27001:2013 A.17.1.2 Information Security Aspects Of Business Continuity Management Implementing information security continuity Shared n/a The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation. link 18
ISO27001-2013 A.17.2.1 ISO27001-2013_A.17.2.1 ISO 27001:2013 A.17.2.1 Information Security Aspects Of Business Continuity Management Availability of information processing facilities Shared n/a Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements. link 17
mp.eq.3 Protection of portable devices mp.eq.3 Protection of portable devices 404 not found n/a n/a 71
mp.eq.4 Other devices connected to the network mp.eq.4 Other devices connected to the network 404 not found n/a n/a 35
mp.if.1 Separate areas with access control mp.if.1 Separate areas with access control 404 not found n/a n/a 23
mp.if.3 Fitting-out of premises mp.if.3 Fitting-out of premises 404 not found n/a n/a 18
mp.if.5 Fire protection mp.if.5 Fire protection 404 not found n/a n/a 16
mp.if.6 Flood protection mp.if.6 Flood protection 404 not found n/a n/a 16
mp.info.6 Backups mp.info.6 Backups 404 not found n/a n/a 65
mp.si.2 Cryptography mp.si.2 Cryptography 404 not found n/a n/a 32
NIST_SP_800-53_R4 CP-7 NIST_SP_800-53_R4_CP-7 NIST SP 800-53 Rev. 4 CP-7 Contingency Planning Alternate Processing Site Shared n/a The organization: a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable; b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and c. Ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site. Supplemental Guidance: Alternate processing sites are sites that are geographically distinct from primary processing sites. An alternate processing site provides processing capability in the event that the primary processing site is not available. Items covered by alternate processing site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination for the transfer/assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems. Related controls: CP-2, CP-6, CP-8, CP-9, CP-10, MA-6. References: NIST Special Publication 800-34. link 2
NIST_SP_800-53_R4 CP-7(1) NIST_SP_800-53_R4_CP-7(1) NIST SP 800-53 Rev. 4 CP-7 (1) Contingency Planning Separation From Primary Site Shared n/a The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats. Supplemental Guidance: Threats that affect alternate processing sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant. Related control: RA-3. link 1
NIST_SP_800-53_R4 CP-7(2) NIST_SP_800-53_R4_CP-7(2) NIST SP 800-53 Rev. 4 CP-7 (2) Contingency Planning Accessibility Shared n/a The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. Supplemental Guidance: Area-wide disruptions refer to those types of disruptions that are broad in geographic scope (e.g., hurricane, regional power outage) with such determinations made by organizations based on organizational assessments of risk. Related control: RA-3. link 1
NIST_SP_800-53_R4 CP-7(3) NIST_SP_800-53_R4_CP-7(3) NIST SP 800-53 Rev. 4 CP-7 (3) Contingency Planning Priority Of Service Shared n/a The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives). Supplemental Guidance: Priority-of-service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources at the alternate processing site. link 2
NIST_SP_800-53_R5 CP-7 NIST_SP_800-53_R5_CP-7 NIST SP 800-53 Rev. 5 CP-7 Contingency Planning Alternate Processing Site Shared n/a a. Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable; b. Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and c. Provide controls at the alternate processing site that are equivalent to those at the primary site. link 2
NIST_SP_800-53_R5 CP-7(1) NIST_SP_800-53_R5_CP-7(1) NIST SP 800-53 Rev. 5 CP-7 (1) Contingency Planning Separation from Primary Site Shared n/a Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats. link 1
NIST_SP_800-53_R5 CP-7(2) NIST_SP_800-53_R5_CP-7(2) NIST SP 800-53 Rev. 5 CP-7 (2) Contingency Planning Accessibility Shared n/a Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. link 1
NIST_SP_800-53_R5 CP-7(3) NIST_SP_800-53_R5_CP-7(3) NIST SP 800-53 Rev. 5 CP-7 (3) Contingency Planning Priority of Service Shared n/a Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives). link 2
SOC_2 A1.2 SOC_2_A1.2 SOC 2 Type 2 A1.2 Additional Criteria For Availability Environmental protections, software, data back-up processes, and recovery infrastructure Shared The customer is responsible for implementing this recommendation. Identifies Environmental Threats — As part of the risk assessment process, management identifies environmental threats that could impair the availability of the system, including threats resulting from adverse weather, failure of environmental control systems, electrical discharge, fire, and water. • Designs Detection Measures — Detection measures are implemented to identify anomalies that could result from environmental threat events. • Implements and Maintains Environmental Protection Mechanisms — Management implements and maintains environmental protection mechanisms to prevent and mitigate environmental events. • Implements Alerts to Analyze Anomalies — Management implements alerts that are communicated to personnel for analysis to identify environmental threat events. • Responds to Environmental Threat Events — Procedures are in place for responding to environmental threat events and for evaluating the effectiveness of those policies and procedures on a periodic basis. This includes automatic mitigation systems (for example, uninterruptable power system and generator backup subsystem). • Communicates and Reviews Detected Environmental Threat Events — Detected environmental threat events are communicated to and reviewed by the individuals responsible for the management of the system and actions are taken, if necessary. • Determines Data Requiring Backup — Data is evaluated to determine whether backup is required. • Performs Data Backup — Procedures are in place for backing up data, monitoring to detect backup failures, and initiating corrective action when such failures occur. • Addresses Offsite Storage — Backup data is stored in a location at a distance from its principal storage location sufficient that the likelihood of a security or environmental threat event affecting both sets of data is reduced to an appropriate level. • Implements Alternate Processing Infrastructure — Measures are implemented for migrating processing to alternate infrastructure in the event normal processing infrastructure becomes unavailable. 13
SWIFT_CSCF_v2022 9.2 SWIFT_CSCF_v2022_9.2 SWIFT CSCF v2022 9.2 9. Ensure Availability through Resilience Providers must ensure that the service remains available for customers in the event of a site disaster. Shared n/a Providers must ensure that the service remains available for customers in the event of a site disaster. link 13
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add af5ff768-a34b-720e-1224-e6b3214f3ba6
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC