last sync: 2024-Apr-19 17:43:58 UTC

Develop organization code of conduct policy | Regulatory Compliance - Documentation

Azure BuiltIn Policy definition

Source Azure Portal
Display name Develop organization code of conduct policy
Id d02498e0-8a6f-6b02-8332-19adf6711d1e
Version 1.1.0
Category Regulatory Compliance
Description CMA_0159 - Develop organization code of conduct policy
Additional metadata Name/Id: CMA_0159 / CMA_0159
Category: Documentation
Title: Develop organization code of conduct policy
Ownership: Customer
Description: Microsoft recommends that your organization develop, document, and distribute a code of conduct that clarifies your organization's mission, values, and principles and links them with standards of professional conduct. A code of conduct policy articulates the values the organization wishes to foster in leaders and employees and defines desired behavior. It is recommended that the code of conduct policy include rules that prohibit illegal activities such as: the supply, exchange, transmission, storage, or use of digital media to propagate violence, wars of aggression, or hatred among citizens; sharing secrets related to military, national security, economic, or external relations matters; damaging the reputation of any organization; promoting goods and services banned by law; illegal activities in information application and development; obstructing the operation of national domain name server systems; and destroying information in the network. Your organization may consider seeking legal approval or guidance when developing the code of conduct to ensure compliance with applicable regulations.
The Computer Fraud and Abuse Act (CFAA) outlaws:
- Knowingly accessing a computer without authorization or exceeding authorized access and obtaining information that has been determined by the United States Government to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, with the intent or reason to believe that such information so obtained is to be used to the injury of the United States
- Intentionally accessing a computer without authorization or exceeding authorized access and obtaining information contained in a financial record of a financial institution, or of a card issuer, or contained in a file of a consumer reporting agency on a consumer
- Intentionally, without authorization, accessing any computer of a department or agency of the United States that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States, where such conduct affects the Government's operation of such computer
- Intentionally accessing a Federal interest computer without authorization and, by means of one or more instances of such conduct, altering, damaging, or destroying information in any such Federal interest computer, or preventing authorized use of any such computer or information
- Knowingly and with intent to defraud trafficking in any password or similar information through which a computer may be accessed without authorization, if such trafficking affects interstate or foreign commerce, or such computer is used by or for the Government of the United States
The Dubai Consumer Protection Regulations (Telecommunications Regulatory Authority) prohibit materials that induce, encourage, or validate any behavior that is inconsistent with the social, cultural, moral, or religious values which apply generally within the UAE. Material which is generally not acceptable includes, but is not limited to, offensive language, violence, sex, nudity, sexual violence, humiliation, violation of human dignity, discriminatory treatment or language, derogatory treatment of religious subjects and values (with regard to the sensitivities of Islam), and the use of drugs, alcohol, and tobacco; users must also comply with all applicable laws of the UAE.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default Manual
Effect Allowed Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 23 compliance controls are associated with this Policy definition 'Develop organization code of conduct policy' (d02498e0-8a6f-6b02-8332-19adf6711d1e)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 PL-4 FedRAMP_High_R4_PL-4 FedRAMP High PL-4 Planning Rules Of Behavior Shared n/a The organization: a. Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage; b. Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system; c. Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and d. Requires individuals who have signed a previous version of the rules of behavior to read and resign when the rules of behavior are revised/updated. Supplemental Guidance: This control enhancement applies to organizational users. Organizations consider rules of behavior based on individual user roles and responsibilities, differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users including, for example, individuals who simply receive data/information from federal information systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for both organizational and non-organizational users can also be established in AC-8, System Use Notification. PL-4 b. (the signed acknowledgment portion of this control) may be satisfied by the security awareness training and role-based security training programs conducted by organizations if such training includes rules of behavior. Organizations can use electronic signatures for acknowledging rules of behavior. Related controls: AC-2, AC-6, AC-8, AC-9, AC-17, AC-18, AC-19, AC-20, AT-2, AT-3, CM-11, IA-2, IA-4, IA-5, MP-7, PS-6, PS-8, SA-5. 
References: NIST Special Publication 800-18. link 9
FedRAMP_Moderate_R4 PL-4 FedRAMP_Moderate_R4_PL-4 FedRAMP Moderate PL-4 Planning Rules Of Behavior Shared n/a The organization: a. Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage; b. Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system; c. Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and d. Requires individuals who have signed a previous version of the rules of behavior to read and resign when the rules of behavior are revised/updated. Supplemental Guidance: This control enhancement applies to organizational users. Organizations consider rules of behavior based on individual user roles and responsibilities, differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users including, for example, individuals who simply receive data/information from federal information systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for both organizational and non-organizational users can also be established in AC-8, System Use Notification. PL-4 b. (the signed acknowledgment portion of this control) may be satisfied by the security awareness training and role-based security training programs conducted by organizations if such training includes rules of behavior. Organizations can use electronic signatures for acknowledging rules of behavior. Related controls: AC-2, AC-6, AC-8, AC-9, AC-17, AC-18, AC-19, AC-20, AT-2, AT-3, CM-11, IA-2, IA-4, IA-5, MP-7, PS-6, PS-8, SA-5. 
References: NIST Special Publication 800-18. link 9
hipaa 0104.02a1Organizational.12-02.a hipaa-0104.02a1Organizational.12-02.a 0104.02a1Organizational.12-02.a 01 Information Protection Program 0104.02a1Organizational.12-02.a 02.01 Prior to Employment Shared n/a User security roles and responsibilities are clearly defined and communicated. 14
hipaa 0109.02d1Organizational.4-02.d hipaa-0109.02d1Organizational.4-02.d 0109.02d1Organizational.4-02.d 01 Information Protection Program 0109.02d1Organizational.4-02.d 02.03 During Employment Shared n/a Management ensures users are (i) briefed on their security role(s)/responsibilities, conform with the terms and conditions of employment prior to obtaining access to the organization’s information systems; (ii) provided with guidelines regarding the security expectations of their roles; (iii) motivated to comply with security policies; and, (iv) continue to have the appropriate skills and qualifications for their role(s). 20
hipaa 0901.09s1Organizational.1-09.s hipaa-0901.09s1Organizational.1-09.s 0901.09s1Organizational.1-09.s 09 Transmission Protection 0901.09s1Organizational.1-09.s 09.08 Exchange of Information Shared n/a The organization formally addresses multiple safeguards before allowing the use of information systems for information exchange. 31
hipaa 1008.01d2System.3-01.d hipaa-1008.01d2System.3-01.d 1008.01d2System.3-01.d 10 Password Management 1008.01d2System.3-01.d 01.02 Authorized Access to Information Systems Shared n/a Users sign a statement acknowledging their responsibility to keep passwords confidential. 15
hipaa 1109.01b1System.479-01.b hipaa-1109.01b1System.479-01.b 1109.01b1System.479-01.b 11 Access Control 1109.01b1System.479-01.b 01.02 Authorized Access to Information Systems Shared n/a User registration and deregistration, at a minimum: (i) communicates relevant policies to users and require acknowledgement (e.g., signed or captured electronically); (ii) checks authorization and minimum level of access necessary prior to granting access; (iii) ensures access is appropriate to the business needs (consistent with sensitivity/risk and does not violate segregation of duties requirements); (iv) addresses termination and transfer; (v) ensures default accounts are removed and/or renamed; (vi) removes or blocks critical access rights of users who have changed roles or jobs; and, (vii) automatically removes or disables inactive accounts. 24
hipaa 1110.01b1System.5-01.b hipaa-1110.01b1System.5-01.b 1110.01b1System.5-01.b 11 Access Control 1110.01b1System.5-01.b 01.02 Authorized Access to Information Systems Shared n/a Users are given a written statement of their access rights, which they are required to sign stating they understand the conditions of access. Guest/anonymous, shared/group, emergency and temporary accounts are specifically authorized and use monitored. 11
hipaa 1137.06e1Organizational.1-06.e hipaa-1137.06e1Organizational.1-06.e 1137.06e1Organizational.1-06.e 11 Access Control 1137.06e1Organizational.1-06.e 06.01 Compliance with Legal Requirements Shared n/a Acceptable use agreements are signed by all employees before being allowed access to information assets. 8
hipaa 1201.06e1Organizational.2-06.e hipaa-1201.06e1Organizational.2-06.e 1201.06e1Organizational.2-06.e 12 Audit Logging & Monitoring 1201.06e1Organizational.2-06.e 06.01 Compliance with Legal Requirements Shared n/a The organization provides notice that the employee's actions may be monitored, and that the employee consents to such monitoring. 12
hipaa 1301.02e1Organizational.12-02.e hipaa-1301.02e1Organizational.12-02.e 1301.02e1Organizational.12-02.e 13 Education, Training and Awareness 1301.02e1Organizational.12-02.e 02.03 During Employment Shared n/a Employees and contractors receive documented initial (as part of their onboarding within 60 days of hire), annual, and ongoing training on their roles related to security and privacy. 17
hipaa 1302.02e2Organizational.134-02.e hipaa-1302.02e2Organizational.134-02.e 1302.02e2Organizational.134-02.e 13 Education, Training and Awareness 1302.02e2Organizational.134-02.e 02.03 During Employment Shared n/a Dedicated security and privacy awareness training is developed as part of the organization's onboarding program, is documented and tracked, and includes the recognition and reporting of potential indicators of an insider threat. 19
hipaa 1303.02e2Organizational.2-02.e hipaa-1303.02e2Organizational.2-02.e 1303.02e2Organizational.2-02.e 13 Education, Training and Awareness 1303.02e2Organizational.2-02.e 02.03 During Employment Shared n/a Employees sign acceptance/acknowledgement of their security and privacy responsibilities. 8
hipaa 1306.06e1Organizational.5-06.e hipaa-1306.06e1Organizational.5-06.e 1306.06e1Organizational.5-06.e 13 Education, Training and Awareness 1306.06e1Organizational.5-06.e 06.01 Compliance with Legal Requirements Shared n/a Employees and contractors are informed in writing that violations of the security policies will result in sanctions or disciplinary action. 11
hipaa 1307.07c1Organizational.124-07.c hipaa-1307.07c1Organizational.124-07.c 1307.07c1Organizational.124-07.c 13 Education, Training and Awareness 1307.07c1Organizational.124-07.c 07.01 Responsibility for Assets Shared n/a The organization defines rules to describe user responsibilities and acceptable behavior for information system usage, including at a minimum, rules for email, Internet, mobile devices, social media and facility usage. 9
hipaa 1308.09j1Organizational.5-09.j hipaa-1308.09j1Organizational.5-09.j 1308.09j1Organizational.5-09.j 13 Education, Training and Awareness 1308.09j1Organizational.5-09.j 09.04 Protection Against Malicious and Mobile Code Shared n/a The organization prohibits users from installing unauthorized software, including data and software from external networks, and ensures users are made aware and trained on these requirements. 12
hipaa 1324.07c1Organizational.3-07.c hipaa-1324.07c1Organizational.3-07.c 1324.07c1Organizational.3-07.c 13 Education, Training and Awareness 1324.07c1Organizational.3-07.c 07.01 Responsibility for Assets Shared n/a Employees, contractors and third-party system users are aware of the limits existing for their use of the organization's information and assets associated with information processing facilities and resources; and they are responsible for their use of any information resource and of any use carried out under their responsibility. 8
hipaa 1325.09s1Organizational.3-09.s hipaa-1325.09s1Organizational.3-09.s 1325.09s1Organizational.3-09.s 13 Education, Training and Awareness 1325.09s1Organizational.3-09.s 09.08 Exchange of Information Shared n/a Personnel are appropriately trained on leading principles and practices for all types of information exchange (oral, paper and electronic). 11
ISO27001-2013 A.13.2.4 ISO27001-2013_A.13.2.4 ISO 27001:2013 A.13.2.4 Communications Security Confidentiality or non-disclosure agreements Shared n/a Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified, regularly reviewed and documented. link 14
ISO27001-2013 A.15.1.2 ISO27001-2013_A.15.1.2 ISO 27001:2013 A.15.1.2 Supplier Relationships Addressing security within supplier agreement Shared n/a All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization's information. link 24
NIST_SP_800-53_R4 PL-4 NIST_SP_800-53_R4_PL-4 NIST SP 800-53 Rev. 4 PL-4 Planning Rules Of Behavior Shared n/a The organization: a. Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage; b. Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system; c. Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and d. Requires individuals who have signed a previous version of the rules of behavior to read and resign when the rules of behavior are revised/updated. Supplemental Guidance: This control enhancement applies to organizational users. Organizations consider rules of behavior based on individual user roles and responsibilities, differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users including, for example, individuals who simply receive data/information from federal information systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for both organizational and non-organizational users can also be established in AC-8, System Use Notification. PL-4 b. (the signed acknowledgment portion of this control) may be satisfied by the security awareness training and role-based security training programs conducted by organizations if such training includes rules of behavior. Organizations can use electronic signatures for acknowledging rules of behavior. Related controls: AC-2, AC-6, AC-8, AC-9, AC-17, AC-18, AC-19, AC-20, AT-2, AT-3, CM-11, IA-2, IA-4, IA-5, MP-7, PS-6, PS-8, SA-5. 
References: NIST Special Publication 800-18. link 9
NIST_SP_800-53_R5 PL-4 NIST_SP_800-53_R5_PL-4 NIST SP 800-53 Rev. 5 PL-4 Planning Rules of Behavior Shared n/a a. Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy; b. Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system; c. Review and update the rules of behavior [Assignment: organization-defined frequency]; and d. Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge [Selection (OneOrMore): [Assignment: organization-defined frequency] ;when the rules are revised or updated] . link 9
SOC_2 CC1.1 SOC_2_CC1.1 SOC 2 Type 2 CC1.1 Control Environment COSO Principle 1 Shared The customer is responsible for implementing this recommendation. Sets the Tone at the Top — The board of directors and management, at all levels, demonstrate through their directives, actions, and behavior the importance of integrity and ethical values to support the functioning of the system of internal control. • Establishes Standards of Conduct — The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity’s standards of conduct and understood at all levels of the entity and by outsourced service providers and business partners. • Evaluates Adherence to Standards of Conduct — Processes are in place to evaluate the performance of individuals and teams against the entity’s expected standards of conduct. • Addresses Deviations in a Timely Manner — Deviations from the entity’s expected standards of conduct are identified and remedied in a timely and consistent manner 8
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add d02498e0-8a6f-6b02-8332-19adf6711d1e