last sync: 2024-Oct-04 17:51:30 UTC

Provide role-based practical exercises | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Provide role-based practical exercises
Id d041726f-00e0-41ca-368c-b1a122066482
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_C1096 - Provide role-based practical exercises
Additional metadata Name/Id: CMA_C1096 / CMA_C1096
Category: Operational
Title: Provide role-based practical exercises
Ownership: Customer
Description: The customer is responsible for providing role-based practical exercises to reinforce training objectives established in AT-03.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 9 compliance controls are associated with this Policy definition 'Provide role-based practical exercises' (d041726f-00e0-41ca-368c-b1a122066482)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 AT-3(3) FedRAMP_High_R4_AT-3(3) FedRAMP High AT-3 (3) Awareness And Training Practical Exercises Shared n/a The organization includes practical exercises in security training that reinforce training objectives. Supplemental Guidance: Practical exercises may include, for example, security training for software developers that includes simulated cyber attacks exploiting common software vulnerabilities (e.g., buffer overflows), or spear/whale phishing attacks targeted at senior leaders/executives. These types of practical exercises help developers better understand the effects of such vulnerabilities and appreciate the need for security coding standards and processes. link 1
hipaa 0109.02d1Organizational.4-02.d hipaa-0109.02d1Organizational.4-02.d 0109.02d1Organizational.4-02.d 01 Information Protection Program 0109.02d1Organizational.4-02.d 02.03 During Employment Shared n/a Management ensures users are (i) briefed on their security role(s)/responsibilities, conform with the terms and conditions of employment prior to obtaining access to the organization’s information systems; (ii) provided with guidelines regarding the security expectations of their roles; (iii) motivated to comply with security policies; and, (iv) continue to have the appropriate skills and qualifications for their role(s). 20
hipaa 1301.02e1Organizational.12-02.e hipaa-1301.02e1Organizational.12-02.e 1301.02e1Organizational.12-02.e 13 Education, Training and Awareness 1301.02e1Organizational.12-02.e 02.03 During Employment Shared n/a Employees and contractors receive documented initial (as part of their onboarding within 60 days of hire), annual, and ongoing training on their roles related to security and privacy. 17
hipaa 1310.01y1Organizational.9-01.y hipaa-1310.01y1Organizational.9-01.y 1310.01y1Organizational.9-01.y 13 Education, Training and Awareness 1310.01y1Organizational.9-01.y 01.07 Mobile Computing and Teleworking Shared n/a Personnel who telework are trained on the risks, the controls implemented, and their responsibilities. 10
hipaa 1336.02e1Organizational.5-02.e hipaa-1336.02e1Organizational.5-02.e 1336.02e1Organizational.5-02.e 13 Education, Training and Awareness 1336.02e1Organizational.5-02.e 02.03 During Employment Shared n/a The organization’s security awareness and training program (i) identifies how workforce members are provided security awareness and training, and the workforce members who will receive security awareness and training; (ii) describes the types of security awareness and training that is reasonable and appropriate for its workforce members; (iii) how workforce members are provided security and awareness training when there is a change in the organization’s information systems; and, (iv) how frequently security awareness and training is provided to all workforce members. 7
NIST_SP_800-53_R4 AT-3(3) NIST_SP_800-53_R4_AT-3(3) NIST SP 800-53 Rev. 4 AT-3 (3) Awareness And Training Practical Exercises Shared n/a The organization includes practical exercises in security training that reinforce training objectives. Supplemental Guidance: Practical exercises may include, for example, security training for software developers that includes simulated cyber attacks exploiting common software vulnerabilities (e.g., buffer overflows), or spear/whale phishing attacks targeted at senior leaders/executives. These types of practical exercises help developers better understand the effects of such vulnerabilities and appreciate the need for security coding standards and processes. link 1
NIST_SP_800-53_R5 AT-3(3) NIST_SP_800-53_R5_AT-3(3) NIST SP 800-53 Rev. 5 AT-3 (3) Awareness and Training Practical Exercises Shared n/a Provide practical exercises in security and privacy training that reinforce training objectives. link 1
SOC_2 CC1.4 SOC_2_CC1.4 SOC 2 Type 2 CC1.4 Control Environment COSO Principle 4 Shared The customer is responsible for implementing this recommendation. Establishes Policies and Practices — Policies and practices reflect expectations of competence necessary to support the achievement of objectives. • Evaluates Competence and Addresses Shortcomings — The board of directors and management evaluate competence across the entity and in outsourced service providers in relation to established policies and practices and act as necessary to address shortcomings. • Attracts, Develops, and Retains Individuals — The entity provides the mentoring and training needed to attract, develop, and retain sufficient and competent personnel and outsourced service providers to support the achievement of objectives. • Plans and Prepares for Succession — Senior management and the board of directors develop contingency plans for assignments of responsibility important for internal control. Additional point of focus specifically related to all engagements using the trust services criteria:Page 16 TSP Ref. # TRUST SERVICES CRITERIA AND POINTS OF FOCUS • Considers the Background of Individuals — The entity considers the background of potential and existing personnel, contractors, and vendor employees when determining whether to employ and retain the individuals. • Considers the Technical Competency of Individuals — The entity considers the technical competency of potential and existing personnel, contractors, and vendor employees when determining whether to employ and retain the individuals. • Provides Training to Maintain Technical Competencies — The entity provides training programs, including continuing education and training, to ensure skill sets and technical competency of existing personnel, contractors, and vendor employees are developed and maintained 5
SWIFT_CSCF_v2022 7.2 SWIFT_CSCF_v2022_7.2 SWIFT CSCF v2022 7.2 7. Plan for Incident Response and Information Sharing Ensure all staff are aware of and fulfil their security responsibilities by performing regular awareness activities, and maintain security knowledge of staff with privileged access. Shared n/a Annual security awareness sessions are conducted for all staff members with access to SWIFT-related systems. All staff with privileged access maintain knowledge through specific training or learning activities when relevant or appropriate (at management’s discretion). link 11
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add d041726f-00e0-41ca-368c-b1a122066482
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC