last sync: 2023-Jan-27 18:40:07 UTC

Azure Policy definition

Review and update incident response policies and procedures

Name Review and update incident response policies and procedures
Azure Portal
Id b28c8687-4bbd-8614-0b96-cdffa1ac6d9c
Version 1.1.0
details on versioning
Category Regulatory Compliance
Microsoft docs
Description CMA_C1352 - Review and update incident response policies and procedures
Mode All
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default
Manual
Allowed
Manual, Disabled
RBAC
Role(s)
none
Rule
Aliases
Rule
ResourceTypes
IF (1)
Microsoft.Resources/subscriptions
Compliance The following 20 compliance controls are associated with this Policy definition 'Review and update incident response policies and procedures' (b28c8687-4bbd-8614-0b96-cdffa1ac6d9c)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 IR-1 FedRAMP_High_R4_IR-1 FedRAMP High IR-1 Incident Response Incident Response Policy And Procedures Shared n/a The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and b. Reviews and updates the current: 1. Incident response policy [Assignment: organization-defined frequency]; and 2. Incident response procedures [Assignment: organization-defined frequency]. Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IR family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. Control Enhancements: None. References: NIST Special Publications 800-12, 800-61, 800-83, 800-100. link 1
FedRAMP_Moderate_R4 IR-1 FedRAMP_Moderate_R4_IR-1 FedRAMP Moderate IR-1 Incident Response Incident Response Policy And Procedures Shared n/a The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and b. Reviews and updates the current: 1. Incident response policy [Assignment: organization-defined frequency]; and 2. Incident response procedures [Assignment: organization-defined frequency]. Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IR family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. Control Enhancements: None. References: NIST Special Publications 800-12, 800-61, 800-83, 800-100. link 1
hipaa 0115.04b2Organizational.123-04.b hipaa-0115.04b2Organizational.123-04.b 0115.04b2Organizational.123-04.b 01 Information Protection Program 0115.04b2Organizational.123-04.b 04.01 Information Security Policy Shared n/a The owner of the security policies has management approval and assigned responsibility to develop, review, update (based on specific input), and approve the security policies; and such reviews, updates, and approvals occur no less than annually. 20
hipaa 1518.11c2Organizational.13-11.c hipaa-1518.11c2Organizational.13-11.c 1518.11c2Organizational.13-11.c 15 Incident Management 1518.11c2Organizational.13-11.c 11.02 Management of Information Security Incidents and Improvements Shared n/a The organization formally addresses the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities and compliance requirements for its incident management program. 1
hipaa 1561.11d2Organizational.14-11.d hipaa-1561.11d2Organizational.14-11.d 1561.11d2Organizational.14-11.d 15 Incident Management 1561.11d2Organizational.14-11.d 11.02 Management of Information Security Incidents and Improvements Shared n/a The organization has implemented an incident handling capability for security incidents that addresses: (i) policy (setting corporate direction) and procedures defining roles and responsibilities; (ii) incident handling procedures (business and technical); (iii) communication; (iv) reporting and retention; and, (v) references to a vulnerability management program. 6
ISO27001-2013 A.12.1.1 ISO27001-2013_A.12.1.1 ISO 27001:2013 A.12.1.1 Operations Security Documented operating procedures Shared n/a Operating procedures shall be documented and made available to all users who need them. link 31
ISO27001-2013 A.16.1.1 ISO27001-2013_A.16.1.1 ISO 27001:2013 A.16.1.1 Information Security Incident Management Responsibilities and procedures Shared n/a Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents. link 7
ISO27001-2013 A.18.1.1 ISO27001-2013_A.18.1.1 ISO 27001:2013 A.18.1.1 Compliance Identification applicable legislation and contractual requirements Shared n/a All relevant legislative statutory, regulatory, contractual requirements and the organization's approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization. link 30
ISO27001-2013 A.18.2.2 ISO27001-2013_A.18.2.2 ISO 27001:2013 A.18.2.2 Compliance Compliance with security policies and standards Shared n/a Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. link 36
ISO27001-2013 A.5.1.1 ISO27001-2013_A.5.1.1 ISO 27001:2013 A.5.1.1 Information Security Policies Policies for information security Shared n/a A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties. link 42
ISO27001-2013 A.5.1.2 ISO27001-2013_A.5.1.2 ISO 27001:2013 A.5.1.2 Information Security Policies Review of the policies for information security Shared n/a The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy, and effectiveness. link 29
ISO27001-2013 A.6.1.1 ISO27001-2013_A.6.1.1 ISO 27001:2013 A.6.1.1 Organization of Information Security Information security roles and responsibilities Shared n/a All information security responsibilities shall be clearly defined and allocated. link 73
ISO27001-2013 C.5.1.b ISO27001-2013_C.5.1.b ISO 27001:2013 C.5.1.b Leadership Leadership and commitment Shared n/a Top management shall demonstrate leadership and commitment with respect to the information security management system by: b) ensuring the integration of the information security management system requirements into the organization’s processes. link 28
ISO27001-2013 C.5.2.c ISO27001-2013_C.5.2.c ISO 27001:2013 C.5.2.c Leadership Policy Shared n/a Top management shall establish an information security policy that: c) includes a commitment to satisfy applicable requirements related to information security. link 23
ISO27001-2013 C.5.2.d ISO27001-2013_C.5.2.d ISO 27001:2013 C.5.2.d Leadership Policy Shared n/a Top management shall establish an information security policy that: d) includes a commitment to continual improvement of the information security management system. link 23
NIST_SP_800-53_R4 IR-1 NIST_SP_800-53_R4_IR-1 NIST SP 800-53 Rev. 4 IR-1 Incident Response Incident Response Policy And Procedures Shared n/a The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and b. Reviews and updates the current: 1. Incident response policy [Assignment: organization-defined frequency]; and 2. Incident response procedures [Assignment: organization-defined frequency]. Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IR family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. Control Enhancements: None. References: NIST Special Publications 800-12, 800-61, 800-83, 800-100. link 1
NIST_SP_800-53_R5 IR-1 NIST_SP_800-53_R5_IR-1 NIST SP 800-53 Rev. 5 IR-1 Incident Response Policy and Procedures Shared n/a a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (OneOrMore): Organization-level;Mission/business process-level;System-level] incident response policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the incident response policy and the associated incident response controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the incident response policy and procedures; and c. Review and update the current incident response: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. link 1
SOC_2 CC7.3 SOC_2_CC7.3 SOC 2 Type 2 CC7.3 System Operations Security incidents detection Shared The customer is responsible for implementing this recommendation. Responds to Security Incidents — Procedures are in place for responding to security incidents and evaluating the effectiveness of those policies and procedures on a periodic basis. • Communicates and Reviews Detected Security Events — Detected security events are communicated to and reviewed by the individuals responsible for the management of the security program and actions are taken, if necessary. • Develops and Implements Procedures to Analyze Security Incidents — Procedures are in place to analyze security incidents and determine system impact Additional points of focus that apply only in an engagement using the trust services criteria for privacy: • Assesses the Impact on Personal Information — Detected security events are evaluated to determine whether they could or did result in the unauthorized disclosure or use of personal information and whether there has been a failure to comply with applicable laws or regulations. • Determines Personal Information Used or Disclosed — When an unauthorized use or disclosure of personal information has occurred, the affected information is identified 1
SWIFT_CSCF_v2022 11.2 SWIFT_CSCF_v2022_11.2 SWIFT CSCF v2022 11.2 11. Monitor in case of Major Disaster Ensure a consistent and effective approach for the management of incidents (Problem Management). Shared n/a Ensure a consistent and effective approach for the management of incidents (Problem Management). link 20
SWIFT_CSCF_v2022 7.1 SWIFT_CSCF_v2022_7.1 SWIFT CSCF v2022 7.1 7. Plan for Incident Response and Information Sharing Ensure a consistent and effective approach for the management of cyber incidents. Shared n/a The user has a defined and tested cyber-incident response plan. link 8
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add b28c8687-4bbd-8614-0b96-cdffa1ac6d9c
Initiatives
usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
JSON
changes

JSON