last sync: 2024-Apr-24 17:46:58 UTC

Rescreen individuals at a defined frequency | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source: Azure Portal
Display name: Rescreen individuals at a defined frequency
Id: c6aeb800-0b19-944d-92dc-59b893722329
Version: 1.1.0
Category: Regulatory Compliance
Description: CMA_C1512 - Rescreen individuals at a defined frequency
Additional metadata:
  Name/Id: CMA_C1512 / CMA_C1512
  Category: Operational
  Title: Rescreen individuals at a defined frequency
  Ownership: Customer
  Description: The customer is responsible for rescreening individuals at a customer-defined frequency or under customer-defined conditions.
  Requirements: The customer is responsible for implementing this recommendation.
Mode: All
Type: BuiltIn
Preview: False
Deprecated: False
Effect: Default: Manual; Allowed: Manual, Disabled
RBAC role(s): none
Rule aliases: none
Rule resource types: IF (1): Microsoft.Resources/subscriptions
Compliance
The following 9 compliance controls are associated with this Policy definition 'Rescreen individuals at a defined frequency' (c6aeb800-0b19-944d-92dc-59b893722329)
Columns: Control Domain | Control Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy#

FedRAMP_High_R4 | PS-3 | FedRAMP_High_R4_PS-3 | FedRAMP High PS-3 | Personnel Security | Personnel Screening | Owner: Shared | Requirements: n/a | Policy#: 3
  Description: The organization: a. Screens individuals prior to authorizing access to the information system; and b. Rescreens individuals according to [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening]. Supplemental Guidance: Personnel screening and rescreening activities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, guidance, and specific criteria established for the risk designations of assigned positions. Organizations may define different rescreening conditions and frequencies for personnel accessing information systems based on types of information processed, stored, or transmitted by the systems. Related controls: AC-2, IA-4, PE-2, PS-2. References: 5 C.F.R. 731.106; FIPS Publications 199, 201; NIST Special Publications 800-60, 800-73, 800-76, 800-78; ICD 704.

FedRAMP_Moderate_R4 | PS-3 | FedRAMP_Moderate_R4_PS-3 | FedRAMP Moderate PS-3 | Personnel Security | Personnel Screening | Owner: Shared | Requirements: n/a | Policy#: 3
  Description: The organization: a. Screens individuals prior to authorizing access to the information system; and b. Rescreens individuals according to [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening]. Supplemental Guidance: Personnel screening and rescreening activities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, guidance, and specific criteria established for the risk designations of assigned positions. Organizations may define different rescreening conditions and frequencies for personnel accessing information systems based on types of information processed, stored, or transmitted by the systems. Related controls: AC-2, IA-4, PE-2, PS-2. References: 5 C.F.R. 731.106; FIPS Publications 199, 201; NIST Special Publications 800-60, 800-73, 800-76, 800-78; ICD 704.

hipaa | 0105.02a2Organizational.1-02.a | hipaa-0105.02a2Organizational.1-02.a | 0105.02a2Organizational.1-02.a | 01 Information Protection Program | 0105.02a2Organizational.1-02.a 02.01 Prior to Employment | Owner: Shared | Requirements: n/a | Policy#: 6
  Description: Risk designations are assigned for all positions within the organization as appropriate, with commensurate screening criteria, and reviewed/revised every 365 days.

hipaa | 0106.02a2Organizational.23-02.a | hipaa-0106.02a2Organizational.23-02.a | 0106.02a2Organizational.23-02.a | 01 Information Protection Program | 0106.02a2Organizational.23-02.a 02.01 Prior to Employment | Owner: Shared | Requirements: n/a | Policy#: 4
  Description: The pre-employment process is reviewed by recruitment to ensure security roles/responsibilities are specifically defined (in writing) and clearly communicated to job candidates.

ISO27001-2013 | A.7.1.1 | ISO27001-2013_A.7.1.1 | ISO 27001:2013 A.7.1.1 | Human Resources Security | Screening | Owner: Shared | Requirements: n/a | Policy#: 3
  Description: Background verification checks for all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.

NIST_SP_800-53_R4 | PS-3 | NIST_SP_800-53_R4_PS-3 | NIST SP 800-53 Rev. 4 PS-3 | Personnel Security | Personnel Screening | Owner: Shared | Requirements: n/a | Policy#: 3
  Description: The organization: a. Screens individuals prior to authorizing access to the information system; and b. Rescreens individuals according to [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening]. Supplemental Guidance: Personnel screening and rescreening activities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, guidance, and specific criteria established for the risk designations of assigned positions. Organizations may define different rescreening conditions and frequencies for personnel accessing information systems based on types of information processed, stored, or transmitted by the systems. Related controls: AC-2, IA-4, PE-2, PS-2. References: 5 C.F.R. 731.106; FIPS Publications 199, 201; NIST Special Publications 800-60, 800-73, 800-76, 800-78; ICD 704.

NIST_SP_800-53_R5 | PS-3 | NIST_SP_800-53_R5_PS-3 | NIST SP 800-53 Rev. 5 PS-3 | Personnel Security | Personnel Screening | Owner: Shared | Requirements: n/a | Policy#: 3
  Description: a. Screen individuals prior to authorizing access to the system; and b. Rescreen individuals in accordance with [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening].

PCI_DSS_v4.0 | 12.7.1 | PCI_DSS_v4.0_12.7.1 | PCI DSS v4.0 12.7.1 | Requirement 12: Support Information Security with Organizational Policies and Programs | Personnel are screened to reduce risks from insider threats | Owner: Shared | Requirements: n/a | Policy#: 3
  Description: Potential personnel who will have access to the CDE are screened, within the constraints of local laws, prior to hire to minimize the risk of attacks from internal sources.

SWIFT_CSCF_v2022 | 5.3A | SWIFT_CSCF_v2022_5.3A | SWIFT CSCF v2022 5.3A | 5. Manage Identities and Segregate Privileges | To the extent permitted and practicable, ensure the trustworthiness of staff operating the local SWIFT environment by performing regular staff screening. | Owner: Shared | Requirements: n/a | Policy#: 5
  Description: Staff operating the local SWIFT infrastructure are screened prior to initial appointment in that role and periodically thereafter.
Initiatives usage
Initiative DisplayName | Initiative Id                        | Initiative Category   | State | Type
FedRAMP High           | d5264498-16f4-418a-b659-fa7ef418175f | Regulatory Compliance | GA    | BuiltIn
FedRAMP Moderate       | e95f5a9f-57ad-4d03-bb0b-b1d16db93693 | Regulatory Compliance | GA    | BuiltIn
HITRUST/HIPAA          | a169a624-5599-4385-a696-c8d643089fab | Regulatory Compliance | GA    | BuiltIn
ISO 27001:2013         | 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 | Regulatory Compliance | GA    | BuiltIn
NIST SP 800-53 Rev. 4  | cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f | Regulatory Compliance | GA    | BuiltIn
NIST SP 800-53 Rev. 5  | 179d1daa-458f-4e47-8086-2a68d0d6c38f | Regulatory Compliance | GA    | BuiltIn
PCI DSS v4             | c676748e-3af9-4e22-bc28-50feed564afb | Regulatory Compliance | GA    | BuiltIn
SWIFT CSP-CSCF v2022   | 7bc7cd6c-4114-ff31-3cac-59be3157596d | Regulatory Compliance | GA    | BuiltIn
History
Date/Time (UTC ymd)  | Change type | Change detail
2022-09-27 16:35:32  | change      | Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40  | add         | c6aeb800-0b19-944d-92dc-59b893722329