last sync: 2024-Oct-03 17:51:34 UTC

Assess Security Controls | Regulatory Compliance - Documentation

Azure BuiltIn Policy definition

Source Azure Portal
Display name Assess Security Controls
Id c423e64d-995c-9f67-0403-b540f65ba42a
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_C1145 - Assess Security Controls
Additional metadata Name/Id: CMA_C1145 / CMA_C1145
Category: Documentation
Title: Assess Security Controls
Ownership: Customer
Description: The customer is responsible for assessing the security controls defined in CA-02.a on customer-deployed resources.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 34 compliance controls are associated with this Policy definition 'Assess Security Controls' (c423e64d-995c-9f67-0403-b540f65ba42a)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 CA-2 FedRAMP_High_R4_CA-2 FedRAMP High CA-2 Security Assessment And Authorization Security Assessments Shared n/a The organization: a. Develops a security assessment plan that describes the scope of the assessment including: 1. Security controls and control enhancements under assessment; 2. Assessment procedures to be used to determine security control effectiveness; and 3. Assessment environment, assessment team, and assessment roles and responsibilities; b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements; c. Produces a security assessment report that documents the results of the assessment; and d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles]. Supplemental Guidance: Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives. To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control. Related controls: CA-5, CA-6, CA-7, PM-9, RA-5, SA-11, SA-12, SI-4. References: Executive Order 13587; FIPS Publication 199; NIST Special Publications 800-37, 800-39, 800-53A, 800-115, 800-137. link 4
FedRAMP_Moderate_R4 CA-2 FedRAMP_Moderate_R4_CA-2 FedRAMP Moderate CA-2 Security Assessment And Authorization Security Assessments Shared n/a The organization: a. Develops a security assessment plan that describes the scope of the assessment including: 1. Security controls and control enhancements under assessment; 2. Assessment procedures to be used to determine security control effectiveness; and 3. Assessment environment, assessment team, and assessment roles and responsibilities; b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements; c. Produces a security assessment report that documents the results of the assessment; and d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles]. Supplemental Guidance: Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives. To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control. Related controls: CA-5, CA-6, CA-7, PM-9, RA-5, SA-11, SA-12, SI-4. References: Executive Order 13587; FIPS Publication 199; NIST Special Publications 800-37, 800-39, 800-53A, 800-115, 800-137. link 4
hipaa 0125.05a3Organizational.2-05.a hipaa-0125.05a3Organizational.2-05.a 0125.05a3Organizational.2-05.a 01 Information Protection Program 0125.05a3Organizational.2-05.a 05.01 Internal Organization Shared n/a Annual risk assessments are performed by an independent organization. 8
hipaa 0177.05h1Organizational.12-05.h hipaa-0177.05h1Organizational.12-05.h 0177.05h1Organizational.12-05.h 01 Information Protection Program 0177.05h1Organizational.12-05.h 05.01 Internal Organization Shared n/a An independent review of the organization's information security management program is initiated by management to ensure the continuing suitability, adequacy, and effectiveness of the organization's approach to managing information security. 5
hipaa 0178.05h1Organizational.3-05.h hipaa-0178.05h1Organizational.3-05.h 0178.05h1Organizational.3-05.h 01 Information Protection Program 0178.05h1Organizational.3-05.h 05.01 Internal Organization Shared n/a The results of independent security program reviews are recorded and reported to the management official/office initiating the review; and the results are maintained for a predetermined period of time as determined by the organization, but not less than three years. 3
hipaa 0180.05h2Organizational.1-05.h hipaa-0180.05h2Organizational.1-05.h 0180.05h2Organizational.1-05.h 01 Information Protection Program 0180.05h2Organizational.1-05.h 05.01 Internal Organization Shared n/a An independent review of the information security management program and information security controls is conducted at least annually or whenever there is a material change to the business practices that may implicate the security or integrity of records containing personal information. 1
hipaa 0601.06g1Organizational.124-06.g hipaa-0601.06g1Organizational.124-06.g 0601.06g1Organizational.124-06.g 06 Configuration Management 0601.06g1Organizational.124-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance Shared n/a Annual compliance reviews are conducted by security or audit individuals using manual or automated tools; if non-compliance is found, appropriate action is taken. 6
hipaa 0614.06h2Organizational.12-06.h hipaa-0614.06h2Organizational.12-06.h 0614.06h2Organizational.12-06.h 06 Configuration Management 0614.06h2Organizational.12-06.h 06.02 Compliance with Security Policies and Standards, and Technical Compliance Shared n/a Technical compliance checks are performed by an experienced specialist with the assistance of industry standard automated tools, which generate a technical report for subsequent interpretation. These checks are performed annually, but more frequently where needed, based on risk as part of an official risk assessment process. 6
hipaa 068.06g2Organizational.34-06.g hipaa-068.06g2Organizational.34-06.g 068.06g2Organizational.34-06.g 06 Configuration Management 068.06g2Organizational.34-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance Shared n/a The organization employs assessors or assessment teams with a level of independence appropriate to its continuous monitoring strategy to monitor the security controls in the information system on an ongoing basis. 6
hipaa 0709.10m1Organizational.1-10.m hipaa-0709.10m1Organizational.1-10.m 0709.10m1Organizational.1-10.m 07 Vulnerability Management 0709.10m1Organizational.1-10.m 10.06 Technical Vulnerability Management Shared n/a Technical vulnerabilities are identified, evaluated for risk, and corrected in a timely manner. 11
hipaa 0716.10m3Organizational.1-10.m hipaa-0716.10m3Organizational.1-10.m 0716.10m3Organizational.1-10.m 07 Vulnerability Management 0716.10m3Organizational.1-10.m 10.06 Technical Vulnerability Management Shared n/a The organization conducts an enterprise security posture review as needed but no less than once within every 365 days, in accordance with organizational information security procedures. 5
hipaa 0914.09s1Organizational.6-09.s hipaa-0914.09s1Organizational.6-09.s 0914.09s1Organizational.6-09.s 09 Transmission Protection 0914.09s1Organizational.6-09.s 09.08 Exchange of Information Shared n/a The organization ensures that communication protection requirements, including the security of exchanges of information, are the subject of policy development and compliance audits. 6
hipaa 1796.10a2Organizational.15-10.a hipaa-1796.10a2Organizational.15-10.a 1796.10a2Organizational.15-10.a 17 Risk Management 1796.10a2Organizational.15-10.a 10.01 Security Requirements of Information Systems Shared n/a Commercial products other than operating system software used to store and/or process covered information undergo a security assessment and/or security certification by a qualified assessor prior to implementation. 6
ISO27001-2013 A.14.2.8 ISO27001-2013_A.14.2.8 ISO 27001:2013 A.14.2.8 System Acquisition, Development And Maintenance System security testing Shared n/a Testing of security functionality shall be carried out during development. link 8
ISO27001-2013 A.18.2.2 ISO27001-2013_A.18.2.2 ISO 27001:2013 A.18.2.2 Compliance Compliance with security policies and standards Shared n/a Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. link 36
ISO27001-2013 A.18.2.3 ISO27001-2013_A.18.2.3 ISO 27001:2013 A.18.2.3 Compliance Technical compliance review Shared n/a Information systems shall be regularly reviewed for compliance with the organization's information security policies and standards. link 5
ISO27001-2013 C.9.2.c ISO27001-2013_C.9.2.c ISO 27001:2013 C.9.2.c Performance Evaluation Internal audit Shared n/a The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system: The organization shall: c) plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits. link 2
ISO27001-2013 C.9.3.a ISO27001-2013_C.9.3.a ISO 27001:2013 C.9.3.a Performance Evaluation Management review Shared n/a Top management shall review the organization’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness. The management review shall include consideration of: a) the status of actions from previous management reviews; The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. The organization shall retain documented information as evidence of the results of management reviews. link 5
ISO27001-2013 C.9.3.b ISO27001-2013_C.9.3.b ISO 27001:2013 C.9.3.b Performance Evaluation Management review Shared n/a Top management shall review the organization’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness. The management review shall include consideration of: b) changes in external and internal issues that are relevant to the information security management system. The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. The organization shall retain documented information as evidence of the results of management reviews. link 4
ISO27001-2013 C.9.3.c.1 ISO27001-2013_C.9.3.c.1 ISO 27001:2013 C.9.3.c.1 Performance Evaluation Management review Shared n/a Top management shall review the organization’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness. The management review shall include consideration of: c) feedback on the information security performance, including trends in: - 1) nonconformities and corrective actions. The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. The organization shall retain documented information as evidence of the results of management reviews. link 6
ISO27001-2013 C.9.3.c.2 ISO27001-2013_C.9.3.c.2 ISO 27001:2013 C.9.3.c.2 Performance Evaluation Management review Shared n/a Top management shall review the organization’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness. The management review shall include consideration of: c) feedback on the information security performance, including trends in: - 2) monitoring and measurement results. The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. The organization shall retain documented information as evidence of the results of management reviews. link 4
ISO27001-2013 C.9.3.c.3 ISO27001-2013_C.9.3.c.3 ISO 27001:2013 C.9.3.c.3 Performance Evaluation Management review Shared n/a Top management shall review the organization’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness. The management review shall include consideration of: c) feedback on the information security performance, including trends in: - 3) audit results. The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. The organization shall retain documented information as evidence of the results of management reviews. link 4
ISO27001-2013 C.9.3.c.4 ISO27001-2013_C.9.3.c.4 ISO 27001:2013 C.9.3.c.4 Performance Evaluation Management review Shared n/a Top management shall review the organization’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness. The management review shall include consideration of: c) feedback on the information security performance, including trends in: - 4) fulfilment of information security objectives; The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. The organization shall retain documented information as evidence of the results of management reviews. link 4
ISO27001-2013 C.9.3.d ISO27001-2013_C.9.3.d ISO 27001:2013 C.9.3.d Performance Evaluation Management review Shared n/a Top management shall review the organization’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness. The management review shall include consideration of: d) feedback from interested parties; The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. The organization shall retain documented information as evidence of the results of management reviews. link 3
ISO27001-2013 C.9.3.e ISO27001-2013_C.9.3.e ISO 27001:2013 C.9.3.e Performance Evaluation Management review Shared n/a Top management shall review the organization’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness. The management review shall include consideration of: e) results of risk assessment and status of risk treatment plan; and The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. The organization shall retain documented information as evidence of the results of management reviews. link 3
ISO27001-2013 C.9.3.f ISO27001-2013_C.9.3.f ISO 27001:2013 C.9.3.f Performance Evaluation Management review Shared n/a Top management shall review the organization’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness. The management review shall include consideration of: f) opportunities for continual improvement. The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. The organization shall retain documented information as evidence of the results of management reviews. link 3
mp.sw.2 Acceptance and commissioning mp.sw.2 Acceptance and commissioning 404 not found n/a n/a 60
NIST_SP_800-171_R2_3 .12.1 NIST_SP_800-171_R2_3.12.1 NIST SP 800-171 R2 3.12.1 Security Assessment Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. Shared Microsoft and the customer share responsibilities for implementing this requirement. Organizations assess security controls in organizational systems and the environments in which those systems operate as part of the system development life cycle. Security controls are the safeguards or countermeasures organizations implement to satisfy security requirements. By assessing the implemented security controls, organizations determine if the security safeguards or countermeasures are in place and operating as intended. Security control assessments ensure that information security is built into organizational systems; identify weaknesses and deficiencies early in the development process; provide essential information needed to make risk-based decisions; and ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls as documented in system security plans. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Organizations can choose to use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of systems during the system life cycle. [SP 800-53] provides guidance on security and privacy controls for systems and organizations. [SP 800-53A] provides guidance on developing security assessment plans and conducting assessments. link 4
NIST_SP_800-53_R4 CA-2 NIST_SP_800-53_R4_CA-2 NIST SP 800-53 Rev. 4 CA-2 Security Assessment And Authorization Security Assessments Shared n/a The organization: a. Develops a security assessment plan that describes the scope of the assessment including: 1. Security controls and control enhancements under assessment; 2. Assessment procedures to be used to determine security control effectiveness; and 3. Assessment environment, assessment team, and assessment roles and responsibilities; b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements; c. Produces a security assessment report that documents the results of the assessment; and d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles]. Supplemental Guidance: Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives. To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control. Related controls: CA-5, CA-6, CA-7, PM-9, RA-5, SA-11, SA-12, SI-4. References: Executive Order 13587; FIPS Publication 199; NIST Special Publications 800-37, 800-39, 800-53A, 800-115, 800-137. link 4
NIST_SP_800-53_R5 CA-2 NIST_SP_800-53_R5_CA-2 NIST SP 800-53 Rev. 5 CA-2 Assessment, Authorization, and Monitoring Control Assessments Shared n/a a. Select the appropriate assessor or assessment team for the type of assessment to be conducted; b. Develop a control assessment plan that describes the scope of the assessment including: 1. Controls and control enhancements under assessment; 2. Assessment procedures to be used to determine control effectiveness; and 3. Assessment environment, assessment team, and assessment roles and responsibilities; c. Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment; d. Assess the controls in the system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements; e. Produce a control assessment report that document the results of the assessment; and f. Provide the results of the control assessment to [Assignment: organization-defined individuals or roles]. link 4
org.2 Security regulations org.2 Security regulations 404 not found n/a n/a 100
org.3 Security procedures org.3 Security procedures 404 not found n/a n/a 83
PCI_DSS_v4.0 12.4.2 PCI_DSS_v4.0_12.4.2 PCI DSS v4.0 12.4.2 Requirement 12: Support Information Security with Organizational Policies and Programs PCI DSS compliance is managed Shared n/a Reviews are performed at least once every three months, by personnel other than those responsible for performing the given task to confirm personnel are performing their tasks, in accordance with all security policies and all operational procedures, including but not limited to the following tasks: • Daily log reviews. • Configuration reviews for network security controls. • Applying configuration standards to new systems. • Responding to security alerts. • Change-management processes. link 6
SOC_2 CC4.1 SOC_2_CC4.1 SOC 2 Type 2 CC4.1 Monitoring Activities COSO Principle 16 Shared The customer is responsible for implementing this recommendation. • Considers a Mix of Ongoing and Separate Evaluations — Management includes a balance of ongoing and separate evaluations. • Considers Rate of Change — Management considers the rate of change in business and business processes when selecting and developing ongoing and separate evaluations. • Establishes Baseline Understanding — The design and current state of an internal control system are used to establish a baseline for ongoing and separate evaluations. • Uses Knowledgeable Personnel — Evaluators performing ongoing and separate evaluations have sufficient knowledge to understand what is being evaluated. • Integrates With Business Processes — Ongoing evaluations are built into the business processes and adjust to changing conditions. • Adjusts Scope and Frequency — Management varies the scope and frequency of separate evaluations depending on risk. Page 26 TSP Ref. # TRUST SERVICES CRITERIA AND POINTS OF FOCUS • Objectively Evaluates — Separate evaluations are performed periodically to provide objective feedback. Additional point of focus specifically related to all engagements using the trust services criteria: • Considers Different Types of Ongoing and Separate Evaluations — Management uses a variety of different types of ongoing and separate evaluations, including penetration testing, independent certification made against established specifications (for example, ISO certifications), and internal audit assessments 3
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add c423e64d-995c-9f67-0403-b540f65ba42a
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC