last sync: 2024-Feb-21 20:03:25 UTC

Verify security controls for external information systems | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Verify security controls for external information systems
Id dc7ec756-221c-33c8-0afe-c48e10e42321
Version 1.1.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description CMA_0541 - Verify security controls for external information systems
Additional metadata Name/Id: CMA_0541 / CMA_0541
Category: Operational
Title: Verify security controls for external information systems
Ownership: Customer
Description: Microsoft recommends that your organization verify the implementation of required security controls on any external systems as specified in your organization's information security policy or security plan, prior to authorizing individuals to use an external information system. Your organization should consider creating and maintaining Access Control policies and standard operating procedures that include details about the processes used to verify the implementation of required security controls on external information systems. It is recommended that the policies and standards include guidance on when third-party authorized individuals may access the information system or to process, store, or transmit organization-controlled information. It is recommended that these policies and procedures are regularly reviewed and updated and include the requirements for protecting controlled unclassified information. Additionally, Microsoft recommends that organizations processing personal health information carry out suitable tests of the system (Clinical users for clinically relevant system features) and establish acceptance criteria.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 8 compliance controls are associated with this Policy definition 'Verify security controls for external information systems' (dc7ec756-221c-33c8-0afe-c48e10e42321)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 AC-20(1) FedRAMP_High_R4_AC-20(1) FedRAMP High AC-20 (1) Access Control Limits On Authorized Use Shared n/a The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization: (a) Verifies the implementation of required security controls on the external system as specified in the organization’s information security policy and security plan; or (b) Retains approved information system connection or processing agreements with the organizational entity hosting the external information system. Supplemental Guidance: This control enhancement recognizes that there are circumstances where individuals using external information systems (e.g., contractors, coalition partners) need to access organizational information systems. In those situations, organizations need confidence that the external information systems contain the necessary security safeguards (i.e., security controls), so as not to compromise, damage, or otherwise harm organizational information systems. Verification that the required security controls have been implemented can be achieved, for example, by third-party, independent assessments, attestations, or other means, depending on the confidence level required by organizations. Related control: CA-2. link 1
FedRAMP_Moderate_R4 AC-20(1) FedRAMP_Moderate_R4_AC-20(1) FedRAMP Moderate AC-20 (1) Access Control Limits On Authorized Use Shared n/a The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization: (a) Verifies the implementation of required security controls on the external system as specified in the organization’s information security policy and security plan; or (b) Retains approved information system connection or processing agreements with the organizational entity hosting the external information system. Supplemental Guidance: This control enhancement recognizes that there are circumstances where individuals using external information systems (e.g., contractors, coalition partners) need to access organizational information systems. In those situations, organizations need confidence that the external information systems contain the necessary security safeguards (i.e., security controls), so as not to compromise, damage, or otherwise harm organizational information systems. Verification that the required security controls have been implemented can be achieved, for example, by third-party, independent assessments, attestations, or other means, depending on the confidence level required by organizations. Related control: CA-2. link 1
hipaa 1423.05j2Organizational.4-05.j hipaa-1423.05j2Organizational.4-05.j 1423.05j2Organizational.4-05.j 14 Third Party Assurance 1423.05j2Organizational.4-05.j 05.02 External Parties Shared n/a For all system connections that allow customers to access the organization's computing assets such as websites, kiosks, and public access terminals, the organization provides appropriate text or a link to the organization's privacy policy for data use and protection as well as the customer's responsibilities when accessing the data. 9
ISO27001-2013 A.11.2.6 ISO27001-2013_A.11.2.6 ISO 27001:2013 A.11.2.6 Physical And Environmental Security Security of equipment and assets off-premises Shared n/a Security shall be applied to off-site assets taking into account the different risks of working outside the organization's premises. link 10
ISO27001-2013 A.13.1.1 ISO27001-2013_A.13.1.1 ISO 27001:2013 A.13.1.1 Communications Security Network controls Shared n/a Networks shall be managed and controlled to protect information in systems and applications. link 40
ISO27001-2013 A.13.2.1 ISO27001-2013_A.13.2.1 ISO 27001:2013 A.13.2.1 Communications Security Information transfer policies and procedures Shared n/a Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities. link 32
NIST_SP_800-53_R4 AC-20(1) NIST_SP_800-53_R4_AC-20(1) NIST SP 800-53 Rev. 4 AC-20 (1) Access Control Limits On Authorized Use Shared n/a The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization: (a) Verifies the implementation of required security controls on the external system as specified in the organization’s information security policy and security plan; or (b) Retains approved information system connection or processing agreements with the organizational entity hosting the external information system. Supplemental Guidance: This control enhancement recognizes that there are circumstances where individuals using external information systems (e.g., contractors, coalition partners) need to access organizational information systems. In those situations, organizations need confidence that the external information systems contain the necessary security safeguards (i.e., security controls), so as not to compromise, damage, or otherwise harm organizational information systems. Verification that the required security controls have been implemented can be achieved, for example, by third-party, independent assessments, attestations, or other means, depending on the confidence level required by organizations. Related control: CA-2. link 1
NIST_SP_800-53_R5 AC-20(1) NIST_SP_800-53_R5_AC-20(1) NIST SP 800-53 Rev. 5 AC-20 (1) Access Control Limits on Authorized Use Shared n/a Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after: (a) Verification of the implementation of controls on the external system as specified in the organization???s security and privacy policies and security and privacy plans; or (b) Retention of approved system connection or processing agreements with the organizational entity hosting the external system. link 1
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40 add dc7ec756-221c-33c8-0afe-c48e10e42321
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC