last sync: 2024-Oct-10 19:12:06 UTC

Provide updated security awareness training | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Provide updated security awareness training
Id d136ae80-54dd-321c-98b4-17acf4af2169
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_C1090 - Provide updated security awareness training
Additional metadata Name/Id: CMA_C1090 / CMA_C1090
Category: Operational
Title: Provide updated security awareness training
Ownership: Customer
Description: The customer is responsible for providing updated basic security awareness training to all users when required by changes to customer-deployed resources.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 23 compliance controls are associated with this Policy definition 'Provide updated security awareness training' (d136ae80-54dd-321c-98b4-17acf4af2169)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 AT-2 FedRAMP_High_R4_AT-2 FedRAMP High AT-2 Awareness And Training Security Awareness Training Shared n/a The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): a. As part of initial training for new users; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter. Supplemental Guidance: Organizations determine the appropriate content of security awareness training and security awareness techniques based on the specific organizational requirements and the information systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security reminders, generating email advisories/notices from senior organizational officials, displaying logon screen messages, and conducting information security awareness events. Related controls: AT-3, AT-4, PL-4. References: C.F.R. Part 5 Subpart C (5 C.F.R. 930.301); Executive Order 13587; NIST Special Publication 800-50. link 3
FedRAMP_Moderate_R4 AT-2 FedRAMP_Moderate_R4_AT-2 FedRAMP Moderate AT-2 Awareness And Training Security Awareness Training Shared n/a The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): a. As part of initial training for new users; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter. Supplemental Guidance: Organizations determine the appropriate content of security awareness training and security awareness techniques based on the specific organizational requirements and the information systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security reminders, generating email advisories/notices from senior organizational officials, displaying logon screen messages, and conducting information security awareness events. Related controls: AT-3, AT-4, PL-4. References: C.F.R. Part 5 Subpart C (5 C.F.R. 930.301); Executive Order 13587; NIST Special Publication 800-50. link 3
hipaa 0109.02d1Organizational.4-02.d hipaa-0109.02d1Organizational.4-02.d 0109.02d1Organizational.4-02.d 01 Information Protection Program 0109.02d1Organizational.4-02.d 02.03 During Employment Shared n/a Management ensures users are (i) briefed on their security role(s)/responsibilities, conform with the terms and conditions of employment prior to obtaining access to the organization’s information systems; (ii) provided with guidelines regarding the security expectations of their roles; (iii) motivated to comply with security policies; and, (iv) continue to have the appropriate skills and qualifications for their role(s). 20
hipaa 0111.02d2Organizational.2-02.d hipaa-0111.02d2Organizational.2-02.d 0111.02d2Organizational.2-02.d 01 Information Protection Program 0111.02d2Organizational.2-02.d 02.03 During Employment Shared n/a Non-employees are provided the organization's data privacy and security policy requirements prior to accessing system resources and data. 9
hipaa 0214.09j1Organizational.6-09.j hipaa-0214.09j1Organizational.6-09.j 0214.09j1Organizational.6-09.j 02 Endpoint Protection 0214.09j1Organizational.6-09.j 09.04 Protection Against Malicious and Mobile Code Shared n/a Protection against malicious code is based on malicious code detection and repair software, security awareness, and appropriate system access and change management controls. 13
hipaa 1109.01b1System.479-01.b hipaa-1109.01b1System.479-01.b 1109.01b1System.479-01.b 11 Access Control 1109.01b1System.479-01.b 01.02 Authorized Access to Information Systems Shared n/a User registration and deregistration, at a minimum: (i) communicates relevant policies to users and require acknowledgement (e.g., signed or captured electronically); (ii) checks authorization and minimum level of access necessary prior to granting access; (iii) ensures access is appropriate to the business needs (consistent with sensitivity/risk and does not violate segregation of duties requirements); (iv) addresses termination and transfer; (v) ensures default accounts are removed and/or renamed; (vi) removes or blocks critical access rights of users who have changed roles or jobs; and, (vii) automatically removes or disables inactive accounts. 24
hipaa 11220.01b1System.10-01.b hipaa-11220.01b1System.10-01.b 11220.01b1System.10-01.b 11 Access Control 11220.01b1System.10-01.b 01.02 Authorized Access to Information Systems Shared n/a User registration and de-registration formally address establishing, activating, modifying, reviewing, disabling and removing accounts. 26
hipaa 1301.02e1Organizational.12-02.e hipaa-1301.02e1Organizational.12-02.e 1301.02e1Organizational.12-02.e 13 Education, Training and Awareness 1301.02e1Organizational.12-02.e 02.03 During Employment Shared n/a Employees and contractors receive documented initial (as part of their onboarding within 60 days of hire), annual, and ongoing training on their roles related to security and privacy. 17
hipaa 1302.02e2Organizational.134-02.e hipaa-1302.02e2Organizational.134-02.e 1302.02e2Organizational.134-02.e 13 Education, Training and Awareness 1302.02e2Organizational.134-02.e 02.03 During Employment Shared n/a Dedicated security and privacy awareness training is developed as part of the organization's onboarding program, is documented and tracked, and includes the recognition and reporting of potential indicators of an insider threat. 19
hipaa 1308.09j1Organizational.5-09.j hipaa-1308.09j1Organizational.5-09.j 1308.09j1Organizational.5-09.j 13 Education, Training and Awareness 1308.09j1Organizational.5-09.j 09.04 Protection Against Malicious and Mobile Code Shared n/a The organization prohibits users from installing unauthorized software, including data and software from external networks, and ensures users are made aware and trained on these requirements. 12
hipaa 1309.01x1System.36-01.x hipaa-1309.01x1System.36-01.x 1309.01x1System.36-01.x 13 Education, Training and Awareness 1309.01x1System.36-01.x 01.07 Mobile Computing and Teleworking Shared n/a Personnel using mobile computing devices are trained on the risks, the controls implemented, and their responsibilities (e.g., shoulder surfing, physical protections). 6
hipaa 1310.01y1Organizational.9-01.y hipaa-1310.01y1Organizational.9-01.y 1310.01y1Organizational.9-01.y 13 Education, Training and Awareness 1310.01y1Organizational.9-01.y 01.07 Mobile Computing and Teleworking Shared n/a Personnel who telework are trained on the risks, the controls implemented, and their responsibilities. 10
hipaa 1325.09s1Organizational.3-09.s hipaa-1325.09s1Organizational.3-09.s 1325.09s1Organizational.3-09.s 13 Education, Training and Awareness 1325.09s1Organizational.3-09.s 09.08 Exchange of Information Shared n/a Personnel are appropriately trained on leading principles and practices for all types of information exchange (oral, paper and electronic). 11
hipaa 1327.02e2Organizational.8-02.e hipaa-1327.02e2Organizational.8-02.e 1327.02e2Organizational.8-02.e 13 Education, Training and Awareness 1327.02e2Organizational.8-02.e 02.03 During Employment Shared n/a The organization trains its workforce to ensure covered information is stored in organization-specified locations. 5
hipaa 1334.02e2Organizational.12-02.e hipaa-1334.02e2Organizational.12-02.e 1334.02e2Organizational.12-02.e 13 Education, Training and Awareness 1334.02e2Organizational.12-02.e 02.03 During Employment Shared n/a The organization ensures that the senior executives have been trained in their specific roles and responsibilities. 4
hipaa 1336.02e1Organizational.5-02.e hipaa-1336.02e1Organizational.5-02.e 1336.02e1Organizational.5-02.e 13 Education, Training and Awareness 1336.02e1Organizational.5-02.e 02.03 During Employment Shared n/a The organization’s security awareness and training program (i) identifies how workforce members are provided security awareness and training, and the workforce members who will receive security awareness and training; (ii) describes the types of security awareness and training that is reasonable and appropriate for its workforce members; (iii) how workforce members are provided security and awareness training when there is a change in the organization’s information systems; and, (iv) how frequently security awareness and training is provided to all workforce members. 7
ISO27001-2013 A.12.2.1 ISO27001-2013_A.12.2.1 ISO 27001:2013 A.12.2.1 Operations Security Controls against malware Shared n/a Detection, prevention, and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness. link 12
ISO27001-2013 A.7.2.2 ISO27001-2013_A.7.2.2 ISO 27001:2013 A.7.2.2 Human Resources Security Information security awareness, education and training Shared n/a All employees of the organization and, where relevant, contractors shall receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function. link 15
NIST_SP_800-53_R4 AT-2 NIST_SP_800-53_R4_AT-2 NIST SP 800-53 Rev. 4 AT-2 Awareness And Training Security Awareness Training Shared n/a The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): a. As part of initial training for new users; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter. Supplemental Guidance: Organizations determine the appropriate content of security awareness training and security awareness techniques based on the specific organizational requirements and the information systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security reminders, generating email advisories/notices from senior organizational officials, displaying logon screen messages, and conducting information security awareness events. Related controls: AT-3, AT-4, PL-4. References: C.F.R. Part 5 Subpart C (5 C.F.R. 930.301); Executive Order 13587; NIST Special Publication 800-50. link 3
NIST_SP_800-53_R5 AT-2 NIST_SP_800-53_R5_AT-2 NIST SP 800-53 Rev. 5 AT-2 Awareness and Training Literacy Training and Awareness Shared n/a a. Provide security and privacy literacy training to system users (including managers, senior executives, and contractors): 1. As part of initial training for new users and [Assignment: organization-defined frequency] thereafter; and 2. When required by system changes or following [Assignment: organization-defined events]; b. Employ the following techniques to increase the security and privacy awareness of system users [Assignment: organization-defined awareness techniques]; c. Update literacy training and awareness content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and d. Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques. link 3
PCI_DSS_v4.0 12.6.2 PCI_DSS_v4.0_12.6.2 PCI DSS v4.0 12.6.2 Requirement 12: Support Information Security with Organizational Policies and Programs Security awareness education is an ongoing activity Shared n/a The security awareness program is: • Reviewed at least once every 12 months, and • Updated as needed to address any new threats and vulnerabilities that may impact the security of the entity’s CDE, or the information provided to personnel about their role in protecting cardholder data. link 1
PCI_DSS_v4.0 12.6.3 PCI_DSS_v4.0_12.6.3 PCI DSS v4.0 12.6.3 Requirement 12: Support Information Security with Organizational Policies and Programs Security awareness education is an ongoing activity Shared n/a Personnel receive security awareness training as follows: • Upon hire and at least once every 12 months. • Multiple methods of communication are used. • Personnel acknowledge at least once every 12 months that they have read and understood the information security policy and procedures. link 8
SWIFT_CSCF_v2022 7.2 SWIFT_CSCF_v2022_7.2 SWIFT CSCF v2022 7.2 7. Plan for Incident Response and Information Sharing Ensure all staff are aware of and fulfil their security responsibilities by performing regular awareness activities, and maintain security knowledge of staff with privileged access. Shared n/a Annual security awareness sessions are conducted for all staff members with access to SWIFT-related systems. All staff with privileged access maintain knowledge through specific training or learning activities when relevant or appropriate (at management’s discretion). link 11
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40 add d136ae80-54dd-321c-98b4-17acf4af2169
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC