last sync: 2024-Oct-11 17:51:27 UTC

Provide contingency training | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Provide contingency training
Id de936662-13dc-204c-75ec-1af80f994088
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_0412 - Provide contingency training
Additional metadata Name/Id: CMA_0412 / CMA_0412
Category: Operational
Title: Provide contingency training
Ownership: Customer
Description: Microsoft recommends that your organization provide regular training to personnel on contingency planning. It is also recommended to provide contingency training to information system users consistent with assigned roles and responsibilities within a defined time period and when required by information system changes. Your organization can incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations. The Minimum Acceptable Risk Standards for Exchanges (MARS-E) 2.0 framework requires your organization to provide the training to personnel within 90 days of assuming contingency roles and responsibilities. Your organization should consider creating and maintaining Security Awareness and Training policies and standard operating procedures that provide your personnel with requirements for contingency and other training.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 21 compliance controls are associated with this Policy definition 'Provide contingency training' (de936662-13dc-204c-75ec-1af80f994088)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 CP-3 FedRAMP_High_R4_CP-3 FedRAMP High CP-3 Contingency Planning Contingency Training Shared n/a The organization provides contingency training to information system users consistent with assigned roles and responsibilities: a. Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter. Supplemental Guidance: Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to set up information systems at alternate processing and storage sites; and managers/senior leaders may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles/responsibilities reflects the specific continuity requirements in the contingency plan. Related controls: AT-2, AT-3, CP-2, IR-2. References: Federal Continuity Directive 1; NIST Special Publications 800-16, 800-50. link 1
FedRAMP_Moderate_R4 CP-3 FedRAMP_Moderate_R4_CP-3 FedRAMP Moderate CP-3 Contingency Planning Contingency Training Shared n/a The organization provides contingency training to information system users consistent with assigned roles and responsibilities: a. Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter. Supplemental Guidance: Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to set up information systems at alternate processing and storage sites; and managers/senior leaders may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles/responsibilities reflects the specific continuity requirements in the contingency plan. Related controls: AT-2, AT-3, CP-2, IR-2. References: Federal Continuity Directive 1; NIST Special Publications 800-16, 800-50. link 1
hipaa 1304.02e3Organizational.1-02.e hipaa-1304.02e3Organizational.1-02.e 1304.02e3Organizational.1-02.e 13 Education, Training and Awareness 1304.02e3Organizational.1-02.e 02.03 During Employment Shared n/a Personnel with significant security responsibilities receive specialized education and training on their roles and responsibilities: (i) prior to being granted access to the organization’s systems and resources; (ii) when required by system changes; (iii) when entering into a new position that requires additional training; and, (iv) no less than annually thereafter. 9
hipaa 1311.12c2Organizational.3-12.c hipaa-1311.12c2Organizational.3-12.c 1311.12c2Organizational.3-12.c 13 Education, Training and Awareness 1311.12c2Organizational.3-12.c 12.01 Information Security Aspects of Business Continuity Management Shared n/a The organization’s employees are provided with crisis management awareness and training. 3
hipaa 1313.02e1Organizational.3-02.e hipaa-1313.02e1Organizational.3-02.e 1313.02e1Organizational.3-02.e 13 Education, Training and Awareness 1313.02e1Organizational.3-02.e 02.03 During Employment Shared n/a The organization provides incident response and contingency training to information system users consistent with assigned roles and responsibilities within 90 days of assuming an incident response role or responsibility; when required by information system changes; and within every 365 days thereafter. 3
hipaa 1669.12d1Organizational.8-12.d hipaa-1669.12d1Organizational.8-12.d 1669.12d1Organizational.8-12.d 16 Business Continuity & Disaster Recovery 1669.12d1Organizational.8-12.d 12.01 Information Security Aspects of Business Continuity Management Shared n/a The business continuity planning framework addresses a specific, minimal set of information security requirements. 6
ISO27001-2013 A.7.2.2 ISO27001-2013_A.7.2.2 ISO 27001:2013 A.7.2.2 Human Resources Security Information security awareness, education and training Shared n/a All employees of the organization and, where relevant, contractors shall receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function. link 15
mp.eq.3 Protection of portable devices mp.eq.3 Protection of portable devices 404 not found n/a n/a 71
mp.per.1 Job characterization mp.per.1 Job characterization 404 not found n/a n/a 41
mp.per.3 Awareness mp.per.3 Awareness 404 not found n/a n/a 15
mp.per.4 Training mp.per.4 Training 404 not found n/a n/a 14
mp.s.1 E-mail protection mp.s.1 E-mail protection 404 not found n/a n/a 48
mp.s.3 Protection of web browsing mp.s.3 Protection of web browsing 404 not found n/a n/a 51
mp.si.3 Custody mp.si.3 Custody 404 not found n/a n/a 27
NIST_SP_800-53_R4 CP-3 NIST_SP_800-53_R4_CP-3 NIST SP 800-53 Rev. 4 CP-3 Contingency Planning Contingency Training Shared n/a The organization provides contingency training to information system users consistent with assigned roles and responsibilities: a. Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter. Supplemental Guidance: Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to set up information systems at alternate processing and storage sites; and managers/senior leaders may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles/responsibilities reflects the specific continuity requirements in the contingency plan. Related controls: AT-2, AT-3, CP-2, IR-2. References: Federal Continuity Directive 1; NIST Special Publications 800-16, 800-50. link 1
NIST_SP_800-53_R5 CP-3 NIST_SP_800-53_R5_CP-3 NIST SP 800-53 Rev. 5 CP-3 Contingency Planning Contingency Training Shared n/a a. Provide contingency training to system users consistent with assigned roles and responsibilities: 1. Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; 2. When required by system changes; and 3. [Assignment: organization-defined frequency] thereafter; and b. Review and update contingency training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. link 1
op.cont.1 Impact analysis op.cont.1 Impact analysis 404 not found n/a n/a 68
op.cont.2 Continuity plan op.cont.2 Continuity plan 404 not found n/a n/a 68
op.cont.3 Periodic tests op.cont.3 Periodic tests 404 not found n/a n/a 91
op.cont.4 Alternative means op.cont.4 Alternative means 404 not found n/a n/a 95
SWIFT_CSCF_v2022 9.1 SWIFT_CSCF_v2022_9.1 SWIFT CSCF v2022 9.1 9. Ensure Availability through Resilience Providers must ensure that the service remains available for customers in the event of a local disturbance or malfunction. Shared n/a Providers must ensure that the service remains available for customers in the event of a local disturbance or malfunction. link 8
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40 add de936662-13dc-204c-75ec-1af80f994088
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC