last sync: 2024-Apr-24 17:46:58 UTC

Notify upon termination or transfer | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Notify upon termination or transfer
Id c79d378a-2521-822a-0407-57454f8d2c74
Version 1.1.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description CMA_0381 - Notify upon termination or transfer
Additional metadata Name/Id: CMA_0381 / CMA_0381
Category: Operational
Title: Notify upon termination or transfer
Ownership: Customer
Description: Microsoft recommends that your organization notify the appropriate personnel or roles of the transfer, reassignment or termination of an employee within an organizationally-defined time period, preferably using automated notification mechanisms.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 20 compliance controls are associated with this Policy definition 'Notify upon termination or transfer' (c79d378a-2521-822a-0407-57454f8d2c74)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 PS-4 FedRAMP_High_R4_PS-4 FedRAMP High PS-4 Personnel Security Personnel Termination Shared n/a The organization, upon termination of individual employment: a. Disables information system access within [Assignment: organization-defined time period]; b. Terminates/revokes any authenticators/credentials associated with the individual; c. Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics]; d. Retrieves all security-related organizational information system-related property; e. Retains access to organizational information and information systems formerly controlled by terminated individual; and f. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]. Supplemental Guidance: Information system-related property includes, for example, hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for information system-related property. Security topics of interest at exit interviews can include, for example, reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and nonavailability of supervisors. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals terminated for cause. In certain situations, organizations consider disabling the information system accounts of individuals that are being terminated prior to the individuals being notified. Related controls: AC-2, IA-4, PE-2, PS-5, PS-6. References: None. link 5
FedRAMP_High_R4 PS-5 FedRAMP_High_R4_PS-5 FedRAMP High PS-5 Personnel Security Personnel Transfer Shared n/a The organization: a. Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization; b. Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; c. Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and d. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]. Supplemental Guidance: This control applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include, for example: (i) returning old and issuing new keys, identification cards, and building passes; (ii) closing information system accounts and establishing new accounts; (iii) changing information system access authorizations (i.e., privileges); and (iv) providing for access to official records to which individuals had access at previous work locations and in previous information system accounts. Related controls: AC-2, IA-4, PE-2, PS-4. Control Enhancements: None. References: None. link 4
FedRAMP_Moderate_R4 PS-4 FedRAMP_Moderate_R4_PS-4 FedRAMP Moderate PS-4 Personnel Security Personnel Termination Shared n/a The organization, upon termination of individual employment: a. Disables information system access within [Assignment: organization-defined time period]; b. Terminates/revokes any authenticators/credentials associated with the individual; c. Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics]; d. Retrieves all security-related organizational information system-related property; e. Retains access to organizational information and information systems formerly controlled by terminated individual; and f. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]. Supplemental Guidance: Information system-related property includes, for example, hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for information system-related property. Security topics of interest at exit interviews can include, for example, reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and nonavailability of supervisors. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals terminated for cause. In certain situations, organizations consider disabling the information system accounts of individuals that are being terminated prior to the individuals being notified. Related controls: AC-2, IA-4, PE-2, PS-5, PS-6. References: None. link 5
FedRAMP_Moderate_R4 PS-5 FedRAMP_Moderate_R4_PS-5 FedRAMP Moderate PS-5 Personnel Security Personnel Transfer Shared n/a The organization: a. Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization; b. Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; c. Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and d. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]. Supplemental Guidance: This control applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include, for example: (i) returning old and issuing new keys, identification cards, and building passes; (ii) closing information system accounts and establishing new accounts; (iii) changing information system access authorizations (i.e., privileges); and (iv) providing for access to official records to which individuals had access at previous work locations and in previous information system accounts. Related controls: AC-2, IA-4, PE-2, PS-4. Control Enhancements: None. References: None. link 4
hipaa 0701.07a1Organizational.12-07.a hipaa-0701.07a1Organizational.12-07.a 0701.07a1Organizational.12-07.a 07 Vulnerability Management 0701.07a1Organizational.12-07.a 07.01 Responsibility for Assets Shared n/a An inventory of assets and services is maintained. 7
hipaa 1109.01b1System.479-01.b hipaa-1109.01b1System.479-01.b 1109.01b1System.479-01.b 11 Access Control 1109.01b1System.479-01.b 01.02 Authorized Access to Information Systems Shared n/a User registration and deregistration, at a minimum: (i) communicates relevant policies to users and require acknowledgement (e.g., signed or captured electronically); (ii) checks authorization and minimum level of access necessary prior to granting access; (iii) ensures access is appropriate to the business needs (consistent with sensitivity/risk and does not violate segregation of duties requirements); (iv) addresses termination and transfer; (v) ensures default accounts are removed and/or renamed; (vi) removes or blocks critical access rights of users who have changed roles or jobs; and, (vii) automatically removes or disables inactive accounts. 24
hipaa 11154.02i1Organizational.5-02.i hipaa-11154.02i1Organizational.5-02.i 11154.02i1Organizational.5-02.i 11 Access Control 11154.02i1Organizational.5-02.i 02.04 Termination or Change of Employment Shared n/a Access rights to information assets and facilities is reduced or removed before the employment or other workforce arrangement terminates or changes, depending on the evaluation of risk factors. 8
hipaa 11155.02i2Organizational.2-02.i hipaa-11155.02i2Organizational.2-02.i 11155.02i2Organizational.2-02.i 11 Access Control 11155.02i2Organizational.2-02.i 02.04 Termination or Change of Employment Shared n/a The organization employs automated mechanisms to notify specific personnel or roles (formally defined by the organization) upon termination of an individual. 10
hipaa 11220.01b1System.10-01.b hipaa-11220.01b1System.10-01.b 11220.01b1System.10-01.b 11 Access Control 11220.01b1System.10-01.b 01.02 Authorized Access to Information Systems Shared n/a User registration and de-registration formally address establishing, activating, modifying, reviewing, disabling and removing accounts. 26
hipaa 1135.02i1Organizational.1234-02.i hipaa-1135.02i1Organizational.1234-02.i 1135.02i1Organizational.1234-02.i 11 Access Control 1135.02i1Organizational.1234-02.i 02.04 Termination or Change of Employment Shared n/a Upon termination or changes in employment for employees, contractors, third-party users, or other workforce arrangement, physical and logical access rights and associated materials (e.g., passwords, keycards, keys, documentation that identify them as current members of the organization) are removed or modified to restrict access within 24 hours and old accounts are closed after 90 days of opening new accounts. 9
hipaa 1136.02i2Organizational.1-02.i hipaa-1136.02i2Organizational.1-02.i 1136.02i2Organizational.1-02.i 11 Access Control 1136.02i2Organizational.1-02.i 02.04 Termination or Change of Employment Shared n/a For instances of increased risk, physical, and logical access rights are immediately removed or modified following employee, contractor or third-party user termination, and allow for immediate escorting from the site, if necessary. 6
hipaa 1166.01e1System.12-01.e hipaa-1166.01e1System.12-01.e 1166.01e1System.12-01.e 11 Access Control 1166.01e1System.12-01.e 01.02 Authorized Access to Information Systems Shared n/a User access rights are reviewed after any changes and reallocated as necessary. 8
ISO27001-2013 A.7.3.1 ISO27001-2013_A.7.3.1 ISO 27001:2013 A.7.3.1 Human Resources Security Termination or change of employment responsibilities Shared n/a Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced. link 8
ISO27001-2013 A.8.1.4 ISO27001-2013_A.8.1.4 ISO 27001:2013 A.8.1.4 Asset Management Return of assets Shared n/a All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement. link 8
ISO27001-2013 A.9.2.6 ISO27001-2013_A.9.2.6 ISO 27001:2013 A.9.2.6 Access Control Removal or adjustment of access rights Shared n/a The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change. link 17
NIST_SP_800-171_R2_3 .9.2 NIST_SP_800-171_R2_3.9.2 NIST SP 800-171 R2 3.9.2 Personnel Security Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers Shared Microsoft and the customer share responsibilities for implementing this requirement. Protecting CUI during and after personnel actions may include returning system-related property and conducting exit interviews. System-related property includes hardware authentication tokens, identification cards, system administration technical manuals, keys, and building passes. Exit interviews ensure that individuals who have been terminated understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics of interest at exit interviews can include reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and non-availability of supervisors. For termination actions, timely execution is essential for individuals terminated for cause. In certain situations, organizations consider disabling the system accounts of individuals that are being terminated prior to the individuals being notified. This requirement applies to reassignments or transfers of individuals when the personnel action is permanent or of such extended durations as to require protection. Organizations define the CUI protections appropriate for the types of reassignments or transfers, whether permanent or extended. Protections that may be required for transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; changing system access authorizations (i.e., privileges); closing system accounts and establishing new accounts; and providing for access to official records to which individuals had access at previous work locations and in previous system accounts. link 7
NIST_SP_800-53_R4 PS-4 NIST_SP_800-53_R4_PS-4 NIST SP 800-53 Rev. 4 PS-4 Personnel Security Personnel Termination Shared n/a The organization, upon termination of individual employment: a. Disables information system access within [Assignment: organization-defined time period]; b. Terminates/revokes any authenticators/credentials associated with the individual; c. Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics]; d. Retrieves all security-related organizational information system-related property; e. Retains access to organizational information and information systems formerly controlled by terminated individual; and f. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]. Supplemental Guidance: Information system-related property includes, for example, hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for information system-related property. Security topics of interest at exit interviews can include, for example, reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and nonavailability of supervisors. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals terminated for cause. In certain situations, organizations consider disabling the information system accounts of individuals that are being terminated prior to the individuals being notified. Related controls: AC-2, IA-4, PE-2, PS-5, PS-6. References: None. link 5
NIST_SP_800-53_R4 PS-5 NIST_SP_800-53_R4_PS-5 NIST SP 800-53 Rev. 4 PS-5 Personnel Security Personnel Transfer Shared n/a The organization: a. Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization; b. Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; c. Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and d. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]. Supplemental Guidance: This control applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include, for example: (i) returning old and issuing new keys, identification cards, and building passes; (ii) closing information system accounts and establishing new accounts; (iii) changing information system access authorizations (i.e., privileges); and (iv) providing for access to official records to which individuals had access at previous work locations and in previous information system accounts. Related controls: AC-2, IA-4, PE-2, PS-4. Control Enhancements: None. References: None. link 4
NIST_SP_800-53_R5 PS-4 NIST_SP_800-53_R5_PS-4 NIST SP 800-53 Rev. 5 PS-4 Personnel Security Personnel Termination Shared n/a Upon termination of individual employment: a. Disable system access within [Assignment: organization-defined time period]; b. Terminate or revoke any authenticators and credentials associated with the individual; c. Conduct exit interviews that include a discussion of [Assignment: organization-defined information security topics]; d. Retrieve all security-related organizational system-related property; and e. Retain access to organizational information and systems formerly controlled by terminated individual. link 5
NIST_SP_800-53_R5 PS-5 NIST_SP_800-53_R5_PS-5 NIST SP 800-53 Rev. 5 PS-5 Personnel Security Personnel Transfer Shared n/a a. Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization; b. Initiate [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; c. Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and d. Notify [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]. link 4
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add c79d378a-2521-822a-0407-57454f8d2c74
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC