last sync: 2023-Jan-27 18:40:07 UTC

Azure Policy definition

Appoint a senior information security officer

Name: Appoint a senior information security officer
Id: c6cf9f2c-5fd8-3f16-a1f1-f0b69c904928
Version: 1.1.0
Category: Regulatory Compliance
Description: CMA_C1733 - Appoint a senior information security officer
Mode: All
Type: BuiltIn
Preview: FALSE
Deprecated: FALSE
Effect: Default: Manual; Allowed: Manual, Disabled
RBAC Role(s): none
Rule Aliases: (none listed)
Rule ResourceTypes: IF (1): Microsoft.Resources/subscriptions
Compliance: The following 21 compliance controls are associated with this Policy definition 'Appoint a senior information security officer' (c6cf9f2c-5fd8-3f16-a1f1-f0b69c904928).

Control Domain | Control Name | MetadataId | Category | Title | Owner | Requirements | Description | Policy#
hipaa | 0110.02d2Organizational.1-02.d | hipaa-0110.02d2Organizational.1-02.d | 01 Information Protection Program | 0110.02d2Organizational.1-02.d 02.03 During Employment | Shared | n/a | An individual or dedicated team is assigned to manage the information security of the organization's users. | 2
hipaa | 01110.05a1Organizational.5-05.a | hipaa-01110.05a1Organizational.5-05.a | 01 Information Protection Program | 01110.05a1Organizational.5-05.a 05.01 Internal Organization | Shared | n/a | If the senior-level information security official is employed by the organization, one of its affiliates, or a third-party service, the organization retains responsibility for its cybersecurity program, designates a senior member of the organization responsible for direction and oversight, and requires the third-party service to maintain an appropriate cybersecurity program of its own. | 4
hipaa | 01111.05a2Organizational.5-05.a | hipaa-01111.05a2Organizational.5-05.a | 01 Information Protection Program | 01111.05a2Organizational.5-05.a 05.01 Internal Organization | Shared | n/a | The CISO of the organization reports in writing on the organization's cybersecurity program and material cybersecurity risks, at least annually, to the organization's board of directors, equivalent governing body, or suitable committee. | 1
hipaa | 0117.05a1Organizational.1-05.a | hipaa-0117.05a1Organizational.1-05.a | 01 Information Protection Program | 0117.05a1Organizational.1-05.a 05.01 Internal Organization | Shared | n/a | A senior-level information security official is appointed and is responsible for ensuring security processes are in place, communicated to all stakeholders, and consider and address organizational requirements. | 1
hipaa | 0118.05a1Organizational.2-05.a | hipaa-0118.05a1Organizational.2-05.a | 01 Information Protection Program | 0118.05a1Organizational.2-05.a 05.01 Internal Organization | Shared | n/a | Senior management assigns an individual or group to ensure the effectiveness of the information protection program through program oversight; establish and communicate the organization's priorities for organizational mission, objectives, and activities; review and update of the organization's security plan; ensure compliance with the security plan by the workforce; and evaluate and accept security risks on behalf of the organization. | 8
hipaa | 0124.05a3Organizational.1-05.a | hipaa-0124.05a3Organizational.1-05.a | 01 Information Protection Program | 0124.05a3Organizational.1-05.a 05.01 Internal Organization | Shared | n/a | An information security management committee is chartered and active. | 2
hipaa | 1901.06d1Organizational.1-06.d | hipaa-1901.06d1Organizational.1-06.d | 19 Data Protection & Privacy | 1901.06d1Organizational.1-06.d 06.01 Compliance with Legal Requirements | Shared | n/a | The organization has formally appointed a qualified data protection officer, reporting to senior management, and who is directly and fully responsible for the privacy of covered information. | 3
hipaa | 19134.05j1Organizational.5-05.j | hipaa-19134.05j1Organizational.5-05.j | 19 Data Protection & Privacy | 19134.05j1Organizational.5-05.j 05.02 External Parties | Shared | n/a | The public has access to information about the organization's security and privacy activities and is able to communicate with its senior security official and senior privacy official. | 12
hipaa | 19143.06c1Organizational.9-06.c | hipaa-19143.06c1Organizational.9-06.c | 19 Data Protection & Privacy | 19143.06c1Organizational.9-06.c 06.01 Compliance with Legal Requirements | Shared | n/a | Designated senior management within the organization reviews and approves the security categorizations and associated guidelines. | 6
ISO27001-2013 | A.6.1.1 | ISO27001-2013_A.6.1.1 | Organization of Information Security | Information security roles and responsibilities | Shared | n/a | All information security responsibilities shall be clearly defined and allocated. | 73
ISO27001-2013 | C.5.1.a | ISO27001-2013_C.5.1.a | Leadership | Leadership and commitment | Shared | n/a | Top management shall demonstrate leadership and commitment with respect to the information security management system by: a) ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization; | 6
ISO27001-2013 | C.5.1.b | ISO27001-2013_C.5.1.b | Leadership | Leadership and commitment | Shared | n/a | Top management shall demonstrate leadership and commitment with respect to the information security management system by: b) ensuring the integration of the information security management system requirements into the organization’s processes. | 28
ISO27001-2013 | C.5.1.c | ISO27001-2013_C.5.1.c | Leadership | Leadership and commitment | Shared | n/a | Top management shall demonstrate leadership and commitment with respect to the information security management system by: c) ensuring that the resources needed for the information security management system are available. | 10
ISO27001-2013 | C.5.1.d | ISO27001-2013_C.5.1.d | Leadership | Leadership and commitment | Shared | n/a | Top management shall demonstrate leadership and commitment with respect to the information security management system by: d) communicating the importance of effective information security management and of conforming to the information security management system requirements. | 1
ISO27001-2013 | C.5.1.e | ISO27001-2013_C.5.1.e | Leadership | Leadership and commitment | Shared | n/a | Top management shall demonstrate leadership and commitment with respect to the information security management system by: e) ensuring that the information security management system achieves its intended outcome(s). | 3
ISO27001-2013 | C.5.1.f | ISO27001-2013_C.5.1.f | Leadership | Leadership and commitment | Shared | n/a | Top management shall demonstrate leadership and commitment with respect to the information security management system by: f) directing and supporting persons to contribute to the effectiveness of the information security management system. | 9
ISO27001-2013 | C.5.1.g | ISO27001-2013_C.5.1.g | Leadership | Leadership and commitment | Shared | n/a | Top management shall demonstrate leadership and commitment with respect to the information security management system by: g) promoting continual improvement. | 3
ISO27001-2013 | C.5.1.h | ISO27001-2013_C.5.1.h | Leadership | Leadership and commitment | Shared | n/a | Top management shall demonstrate leadership and commitment with respect to the information security management system by: h) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility. | 1
PCI_DSS_v4.0 | 12.1.4 | PCI_DSS_v4.0_12.1.4 | Requirement 12: Support Information Security with Organizational Policies and Programs | A comprehensive information security policy that governs and provides direction for protection of the entity’s information assets is known and current | Shared | n/a | Responsibility for information security is formally assigned to a Chief Information Security Officer or other information security knowledgeable member of executive management. | 1
SOC_2 | CC1.2 | SOC_2_CC1.2 | Control Environment | COSO Principle 2 | Shared | The customer is responsible for implementing this recommendation. | • Establishes Oversight Responsibilities — The board of directors identifies and accepts its oversight responsibilities in relation to established requirements and expectations. • Applies Relevant Expertise — The board of directors defines, maintains, and periodically evaluates the skills and expertise needed among its members to enable them to ask probing questions of senior management and take commensurate action. • Operates Independently — The board of directors has sufficient members who are independent from management and objective in evaluations and decision making. | 5
SOC_2 | CC1.3 | SOC_2_CC1.3 | Control Environment | COSO Principle 3 | Shared | The customer is responsible for implementing this recommendation. | • Considers All Structures of the Entity — Management and the board of directors consider the multiple structures used (including operating units, legal entities, geographic distribution, and outsourced service providers) to support the achievement of objectives. • Establishes Reporting Lines — Management designs and evaluates lines of reporting for each entity structure to enable execution of authorities and responsibilities and flow of information to manage the activities of the entity. • Defines, Assigns, and Limits Authorities and Responsibilities — Management and the board of directors delegate authority, define responsibilities, and use appropriate processes and technology to assign responsibility and segregate duties as necessary at the various levels of the organization. • Addresses Specific Requirements When Defining Authorities and Responsibilities — Management and the board of directors consider requirements relevant to security, availability, processing integrity, confidentiality, and privacy when defining authorities and responsibilities. • Considers Interactions With External Parties When Establishing Structures, Reporting Lines, Authorities, and Responsibilities — Management and the board of directors consider the need for the entity to interact with and monitor the activities of external parties when establishing structures, reporting lines, authorities, and responsibilities. | 5
History

Date/Time (UTC ymd) | Change type | Change detail
2022-09-27 16:35:32 | change | Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 | add | c6cf9f2c-5fd8-3f16-a1f1-f0b69c904928
Initiatives

Initiative DisplayName | Initiative Id | Initiative Category | State | Type
HITRUST/HIPAA | a169a624-5599-4385-a696-c8d643089fab | Regulatory Compliance | GA | BuiltIn
ISO 27001:2013 | 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 | Regulatory Compliance | GA | BuiltIn
PCI DSS v4 | c676748e-3af9-4e22-bc28-50feed564afb | Regulatory Compliance | GA | BuiltIn
SOC 2 Type 2 | 4054785f-702b-4a98-9215-009cbd58b141 | Regulatory Compliance | GA | BuiltIn