last sync: 2024-Oct-11 17:51:27 UTC

Perform a business impact assessment and application criticality assessment | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Perform a business impact assessment and application criticality assessment
Id cb8841d4-9d13-7292-1d06-ba4d68384681
Version 1.1.0
Details on versioning
Versioning Versions supported: 1 (1.1.0). Built-in versioning is in preview.
Category Regulatory Compliance
Description CMA_0386 - Perform a business impact assessment and application criticality assessment
Additional metadata Name/Id: CMA_0386 / CMA_0386
Category: Operational
Title: Perform a business impact assessment and application criticality assessment
Ownership: Customer
Description: Microsoft recommends that your organization establish, implement, and maintain a formal and documented Business Impact Assessment (BIA) that evaluates and determines continuity and recovery priorities, objectives and targets. Your organization is recommended to identify the business functions within the organization and the services and processes that support them. It is recommended that your organization complete a business impact analysis to determine the recovery sequence of critical business functions along with documented processes and service dependencies. Based on the BIA results, the organization is recommended to determine the Minimum Business Continuity Objective (MBCO), Maximum Tolerable Period of Disruption (MTPD), Recovery Time Objective (RTO), and Recovery Point Objective (RPO) for each critical business function which should be validated and approved by top management. Microsoft also recommends that your organization complete an application criticality assessment to understand the first-tier application dependencies, interdependent business processes, and business impacts such as loss of revenue, missed contractual obligations, alternative work procedure availability, the impacts that a disruption of these activities would have on the organization and other necessary Business Continuity Management System (BCMS) resources when needed. It is recommended to develop BIA-based recovery strategies to anticipate the loss of system components including but not limited to computer room environment (secure computer room with climate control, conditioned and backup power supply, etc.), hardware (networks, servers, desktop and laptop computers, wireless devices and peripherals), connectivity to a service provider (fiber, cable, wireless, etc.), software applications (electronic data interchange, electronic mail, enterprise resource management, office productivity, etc.), data, and restoration.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default: Manual. Allowed: Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1): Microsoft.Resources/subscriptions
Compliance
The following 7 compliance controls are associated with this Policy definition 'Perform a business impact assessment and application criticality assessment' (cb8841d4-9d13-7292-1d06-ba4d68384681)
Each control is listed as: Standard, Control, MetadataId, Full name, Category, Title, Owner, Requirements, Description, Policy#.

Standard: FedRAMP_High_R4
Control: CP-2(8)
MetadataId: FedRAMP_High_R4_CP-2(8)
Full name: FedRAMP High CP-2 (8)
Category: Contingency Planning
Title: Identify Critical Assets
Owner: Shared
Requirements: n/a
Description: The organization identifies critical information system assets supporting essential missions and business functions. Supplemental Guidance: Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Organizations identify critical information system assets so that additional safeguards and countermeasures can be employed (above and beyond those safeguards and countermeasures routinely implemented) to help ensure that organizational missions/business functions can continue to be conducted during contingency operations. In addition, the identification of critical information assets facilitates the prioritization of organizational resources. Critical information system assets include technical and operational aspects. Technical aspects include, for example, information technology services, information system components, information technology products, and mechanisms. Operational aspects include, for example, procedures (manually executed operations) and personnel (individuals operating technical safeguards and/or executing manual procedures). Organizational program protection plans can provide assistance in identifying critical assets. Related controls: SA-14, SA-15.
Policy#: 1

Standard: FedRAMP_Moderate_R4
Control: CP-2(8)
MetadataId: FedRAMP_Moderate_R4_CP-2(8)
Full name: FedRAMP Moderate CP-2 (8)
Category: Contingency Planning
Title: Identify Critical Assets
Owner: Shared
Requirements: n/a
Description: Same control text as FedRAMP_High_R4 CP-2(8) above.
Policy#: 1

Standard: hipaa
Control: 1635.12b1Organizational.2-12.b
MetadataId: hipaa-1635.12b1Organizational.2-12.b
Full name: 1635.12b1Organizational.2-12.b
Category: 16 Business Continuity & Disaster Recovery
Title: 1635.12b1Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management
Owner: Shared
Requirements: n/a
Description: Information security aspects of business continuity are: (i) based on identifying events (or sequences of events) that can cause interruptions to the organization's critical business processes (e.g., equipment failure, human errors, theft, fire, natural disasters, acts of terrorism); (ii) followed by a risk assessment to determine the probability and impact of such interruptions, in terms of time, damage scale and recovery period; (iii) based on the results of the risk assessment, a business continuity strategy is developed to identify the overall approach to business continuity; and, (iv) once this strategy has been created, endorsement is provided by management, and a plan created and endorsed to implement this strategy.
Policy#: 6

Standard: hipaa
Control: 1636.12b2Organizational.1-12.b
MetadataId: hipaa-1636.12b2Organizational.1-12.b
Full name: 1636.12b2Organizational.1-12.b
Category: 16 Business Continuity & Disaster Recovery
Title: 1636.12b2Organizational.1-12.b 12.01 Information Security Aspects of Business Continuity Management
Owner: Shared
Requirements: n/a
Description: The organization identifies its critical business processes and integrates the information security management requirements of business continuity with other continuity requirements relating to such aspects as operations, staffing, materials, transport and facilities.
Policy#: 3

Standard: hipaa
Control: 1669.12d1Organizational.8-12.d
MetadataId: hipaa-1669.12d1Organizational.8-12.d
Full name: 1669.12d1Organizational.8-12.d
Category: 16 Business Continuity & Disaster Recovery
Title: 1669.12d1Organizational.8-12.d 12.01 Information Security Aspects of Business Continuity Management
Owner: Shared
Requirements: n/a
Description: The business continuity planning framework addresses a specific, minimal set of information security requirements.
Policy#: 6

Standard: NIST_SP_800-53_R4
Control: CP-2(8)
MetadataId: NIST_SP_800-53_R4_CP-2(8)
Full name: NIST SP 800-53 Rev. 4 CP-2 (8)
Category: Contingency Planning
Title: Identify Critical Assets
Owner: Shared
Requirements: n/a
Description: Same control text as FedRAMP_High_R4 CP-2(8) above.
Policy#: 1

Standard: NIST_SP_800-53_R5
Control: CP-2(8)
MetadataId: NIST_SP_800-53_R5_CP-2(8)
Full name: NIST SP 800-53 Rev. 5 CP-2 (8)
Category: Contingency Planning
Title: Identify Critical Assets
Owner: Shared
Requirements: n/a
Description: Identify critical system assets supporting [Selection: all; essential] mission and business functions.
Policy#: 1
Initiatives usage
Initiative DisplayName | Initiative Id | Initiative Category | State | Type
FedRAMP High | d5264498-16f4-418a-b659-fa7ef418175f | Regulatory Compliance | GA | BuiltIn
FedRAMP Moderate | e95f5a9f-57ad-4d03-bb0b-b1d16db93693 | Regulatory Compliance | GA | BuiltIn
HITRUST/HIPAA | a169a624-5599-4385-a696-c8d643089fab | Regulatory Compliance | GA | BuiltIn
NIST SP 800-53 Rev. 4 | cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f | Regulatory Compliance | GA | BuiltIn
NIST SP 800-53 Rev. 5 | 179d1daa-458f-4e47-8086-2a68d0d6c38f | Regulatory Compliance | GA | BuiltIn
History
Date/Time (UTC ymd) | Change type | Change detail
2022-09-27 16:35:32 | change | Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40 | add | cb8841d4-9d13-7292-1d06-ba4d68384681