last sync: 2023-Jan-27 18:40:07 UTC

Azure Policy definition

Implement a penetration testing methodology

Name Implement a penetration testing methodology
Azure Portal
Id c2eabc28-1e5c-78a2-a712-7cc176c44c07
Version 1.1.0
details on versioning
Category Regulatory Compliance
Microsoft docs
Description CMA_0306 - Implement a penetration testing methodology
Mode All
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default
Manual
Allowed
Manual, Disabled
RBAC
Role(s)
none
Rule
Aliases
Rule
ResourceTypes
IF (1)
Microsoft.Resources/subscriptions
Compliance The following 10 compliance controls are associated with this Policy definition 'Implement a penetration testing methodology' (c2eabc28-1e5c-78a2-a712-7cc176c44c07)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 PE-13(1) FedRAMP_High_R4_PE-13(1) FedRAMP High PE-13 (1) Physical And Environmental Protection Detection Devices / Systems Shared n/a The organization employs fire detection devices/systems for the information system that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire. Supplemental Guidance: Organizations can identify specific personnel, roles, and emergency responders in the event that individuals on the notification list must have appropriate access authorizations and/or clearances, for example, to obtain access to facilities where classified operations are taking place or where there are information systems containing classified information. link 3
hipaa 1814.08d1Organizational.12-08.d hipaa-1814.08d1Organizational.12-08.d 1814.08d1Organizational.12-08.d 18 Physical & Environmental Security 1814.08d1Organizational.12-08.d 08.01 Secure Areas Shared n/a Fire extinguishers and detectors are installed according to applicable laws and regulations. 3
hipaa 1815.08d2Organizational.123-08.d hipaa-1815.08d2Organizational.123-08.d 1815.08d2Organizational.123-08.d 18 Physical & Environmental Security 1815.08d2Organizational.123-08.d 08.01 Secure Areas Shared n/a Fire prevention and suppression mechanisms, including workforce training, are provided. 3
hipaa 1818.08d3Organizational.3-08.d hipaa-1818.08d3Organizational.3-08.d 1818.08d3Organizational.3-08.d 18 Physical & Environmental Security 1818.08d3Organizational.3-08.d 08.01 Secure Areas Shared n/a Fire suppression and detection systems are supported by an independent energy source. 3
hipaa 1862.08d1Organizational.3-08.d hipaa-1862.08d1Organizational.3-08.d 1862.08d1Organizational.3-08.d 18 Physical & Environmental Security 1862.08d1Organizational.3-08.d 08.01 Secure Areas Shared n/a Fire authorities are automatically notified when a fire alarm is activated. 2
hipaa 1862.08d3Organizational.3 hipaa-1862.08d3Organizational.3 1862.08d3Organizational.3 18 Physical & Environmental Security 1862.08d3Organizational.3 08.01 Secure Areas Shared n/a Fire authorities are automatically notified when a fire alarm is activated. 2
NIST_SP_800-53_R4 PE-13(1) NIST_SP_800-53_R4_PE-13(1) NIST SP 800-53 Rev. 4 PE-13 (1) Physical And Environmental Protection Detection Devices / Systems Shared n/a The organization employs fire detection devices/systems for the information system that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire. Supplemental Guidance: Organizations can identify specific personnel, roles, and emergency responders in the event that individuals on the notification list must have appropriate access authorizations and/or clearances, for example, to obtain access to facilities where classified operations are taking place or where there are information systems containing classified information. link 3
NIST_SP_800-53_R5 PE-13(1) NIST_SP_800-53_R5_PE-13(1) NIST SP 800-53 Rev. 5 PE-13 (1) Physical and Environmental Protection Detection Systems ??? Automatic Activation and Notification Shared n/a Employ fire detection systems that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire. link 3
SOC_2 A1.2 SOC_2_A1.2 SOC 2 Type 2 A1.2 Additional Criteria For Availability Environmental protections, software, data back-up processes, and recovery infrastructure Shared The customer is responsible for implementing this recommendation. Identifies Environmental Threats — As part of the risk assessment process, management identifies environmental threats that could impair the availability of the system, including threats resulting from adverse weather, failure of environmental control systems, electrical discharge, fire, and water. • Designs Detection Measures — Detection measures are implemented to identify anomalies that could result from environmental threat events. • Implements and Maintains Environmental Protection Mechanisms — Management implements and maintains environmental protection mechanisms to prevent and mitigate environmental events. • Implements Alerts to Analyze Anomalies — Management implements alerts that are communicated to personnel for analysis to identify environmental threat events. • Responds to Environmental Threat Events — Procedures are in place for responding to environmental threat events and for evaluating the effectiveness of those policies and procedures on a periodic basis. This includes automatic mitigation systems (for example, uninterruptable power system and generator backup subsystem). • Communicates and Reviews Detected Environmental Threat Events — Detected environmental threat events are communicated to and reviewed by the individuals responsible for the management of the system and actions are taken, if necessary. • Determines Data Requiring Backup — Data is evaluated to determine whether backup is required. • Performs Data Backup — Procedures are in place for backing up data, monitoring to detect backup failures, and initiating corrective action when such failures occur. • Addresses Offsite Storage — Backup data is stored in a location at a distance from its principal storage location sufficient that the likelihood of a security or environmental threat event affecting both sets of data is reduced to an appropriate level. • Implements Alternate Processing Infrastructure — Measures are implemented for migrating processing to alternate infrastructure in the event normal processing infrastructure becomes unavailable. 13
SWIFT_CSCF_v2022 9.3 SWIFT_CSCF_v2022_9.3 SWIFT CSCF v2022 9.3 9. Ensure Availability through Resilience Service bureaux must ensure that the service remains available for their customers in the event of a disturbance, a hazard, or an incident. Shared n/a Service bureaux must ensure that the service remains available for their customers in the event of a disturbance, a hazard, or an incident. link 7
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add c2eabc28-1e5c-78a2-a712-7cc176c44c07
Initiatives
usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
JSON
changes

JSON