last sync: 2024-Apr-24 17:46:58 UTC

Document organizational access agreements | Regulatory Compliance - Documentation

Azure BuiltIn Policy definition

Source Azure Portal
Display name Document organizational access agreements
Id c981fa70-2e58-8141-1457-e7f62ebc2ade
Version 1.1.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description CMA_0192 - Document organizational access agreements
Additional metadata Name/Id: CMA_0192 / CMA_0192
Category: Documentation
Title: Document organizational access agreements
Ownership: Customer
Description: Microsoft recommends that your organization establish and document access agreements for organizational information systems, including Azure. Your organization should consider creating and maintaining Personnel Security policies and standard operating procedures that include a process for documenting access agreements for all organizational information systems.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 8 compliance controls are associated with this Policy definition 'Document organizational access agreements' (c981fa70-2e58-8141-1457-e7f62ebc2ade)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 PS-6 FedRAMP_High_R4_PS-6 FedRAMP High PS-6 Personnel Security Access Agreements Shared n/a The organization: a. Develops and documents access agreements for organizational information systems; b. Reviews and updates the access agreements [Assignment: organization-defined frequency]; and c. Ensures that individuals requiring access to organizational information and information systems: 1. Sign appropriate access agreements prior to being granted access; and 2. Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or [Assignment: organization-defined frequency]. Supplemental Guidance: Access agreements include, for example, nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational information systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy. Related control: PL-4, PS-2, PS-3, PS-4, PS-8. References: None. link 5
FedRAMP_Moderate_R4 PS-6 FedRAMP_Moderate_R4_PS-6 FedRAMP Moderate PS-6 Personnel Security Access Agreements Shared n/a The organization: a. Develops and documents access agreements for organizational information systems; b. Reviews and updates the access agreements [Assignment: organization-defined frequency]; and c. Ensures that individuals requiring access to organizational information and information systems: 1. Sign appropriate access agreements prior to being granted access; and 2. Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or [Assignment: organization-defined frequency]. Supplemental Guidance: Access agreements include, for example, nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational information systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy. Related control: PL-4, PS-2, PS-3, PS-4, PS-8. References: None. link 5
hipaa 1008.01d2System.3-01.d hipaa-1008.01d2System.3-01.d 1008.01d2System.3-01.d 10 Password Management 1008.01d2System.3-01.d 01.02 Authorized Access to Information Systems Shared n/a Users sign a statement acknowledging their responsibility to keep passwords confidential. 15
ISO27001-2013 A.13.2.4 ISO27001-2013_A.13.2.4 ISO 27001:2013 A.13.2.4 Communications Security Confidentiality or non-disclosure agreements Shared n/a Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified, regularly reviewed and documented. link 14
ISO27001-2013 A.7.1.2 ISO27001-2013_A.7.1.2 ISO 27001:2013 A.7.1.2 Human Resources Security Terms and conditions of employment Shared n/a The contractual agreements with employees and contractors shall state their and the organization's responsibilities for information security. link 24
ISO27001-2013 A.7.2.1 ISO27001-2013_A.7.2.1 ISO 27001:2013 A.7.2.1 Human Resources Security Management responsibilities Shared n/a Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization. link 26
NIST_SP_800-53_R4 PS-6 NIST_SP_800-53_R4_PS-6 NIST SP 800-53 Rev. 4 PS-6 Personnel Security Access Agreements Shared n/a The organization: a. Develops and documents access agreements for organizational information systems; b. Reviews and updates the access agreements [Assignment: organization-defined frequency]; and c. Ensures that individuals requiring access to organizational information and information systems: 1. Sign appropriate access agreements prior to being granted access; and 2. Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or [Assignment: organization-defined frequency]. Supplemental Guidance: Access agreements include, for example, nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational information systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy. Related control: PL-4, PS-2, PS-3, PS-4, PS-8. References: None. link 5
NIST_SP_800-53_R5 PS-6 NIST_SP_800-53_R5_PS-6 NIST SP 800-53 Rev. 5 PS-6 Personnel Security Access Agreements Shared n/a a. Develop and document access agreements for organizational systems; b. Review and update the access agreements [Assignment: organization-defined frequency]; and c. Verify that individuals requiring access to organizational information and systems: 1. Sign appropriate access agreements prior to being granted access; and 2. Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or [Assignment: organization-defined frequency]. link 5
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40 add c981fa70-2e58-8141-1457-e7f62ebc2ade
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC