last sync: 2024-Oct-11 17:51:27 UTC

Implement personnel screening | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Implement personnel screening
Id e0c480bf-0d68-a42d-4cbb-b60f851f8716
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_0322 - Implement personnel screening
Additional metadata Name/Id: CMA_0322 / CMA_0322
Category: Operational
Title: Implement personnel screening
Ownership: Customer
Description: Microsoft recommends that your organization implement a process for screening personnel before authorizing their access to information systems and organizational assets. Your organization can perform comprehensive screening of credentials, qualifications, background checks, and reference checking to determine personnel are qualified for the assigned role. Specific roles such as those related to information security and system development may require additional screening and verification of credentials in order to ensure the individual can protect confidentiality of information. Your organization should consider creating and maintaining Personnel Security policies and standard operating procedures to ensure that personnel screening occurs prior to authorizing access to information systems and organizational assets.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 12 compliance controls are associated with this Policy definition 'Implement personnel screening' (e0c480bf-0d68-a42d-4cbb-b60f851f8716)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 PS-3 FedRAMP_High_R4_PS-3 FedRAMP High PS-3 Personnel Security Personnel Screening Shared n/a The organization: a. Screens individuals prior to authorizing access to the information system; and b. Rescreens individuals according to [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening]. Supplemental Guidance: Personnel screening and rescreening activities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, guidance, and specific criteria established for the risk designations of assigned positions. Organizations may define different rescreening conditions and frequencies for personnel accessing information systems based on types of information processed, stored, or transmitted by the systems. Related controls: AC-2, IA-4, PE-2, PS-2. References: 5 C.F.R. 731.106; FIPS Publications 199, 201; NIST Special Publications 800-60, 800-73, 800-76, 800-78; ICD 704. link 3
FedRAMP_Moderate_R4 PS-3 FedRAMP_Moderate_R4_PS-3 FedRAMP Moderate PS-3 Personnel Security Personnel Screening Shared n/a The organization: a. Screens individuals prior to authorizing access to the information system; and b. Rescreens individuals according to [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening]. Supplemental Guidance: Personnel screening and rescreening activities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, guidance, and specific criteria established for the risk designations of assigned positions. Organizations may define different rescreening conditions and frequencies for personnel accessing information systems based on types of information processed, stored, or transmitted by the systems. Related controls: AC-2, IA-4, PE-2, PS-2. References: 5 C.F.R. 731.106; FIPS Publications 199, 201; NIST Special Publications 800-60, 800-73, 800-76, 800-78; ICD 704. link 3
hipaa 0105.02a2Organizational.1-02.a hipaa-0105.02a2Organizational.1-02.a 0105.02a2Organizational.1-02.a 01 Information Protection Program 0105.02a2Organizational.1-02.a 02.01 Prior to Employment Shared n/a Risk designations are assigned for all positions within the organization as appropriate, with commensurate screening criteria, and reviewed/revised every 365 days. 6
hipaa 0106.02a2Organizational.23-02.a hipaa-0106.02a2Organizational.23-02.a 0106.02a2Organizational.23-02.a 01 Information Protection Program 0106.02a2Organizational.23-02.a 02.01 Prior to Employment Shared n/a The pre-employment process is reviewed by recruitment to ensure security roles/responsibilities are specifically defined (in writing) and clearly communicated to job candidates. 4
hipaa 1432.05k1Organizational.89-05.k hipaa-1432.05k1Organizational.89-05.k 1432.05k1Organizational.89-05.k 14 Third Party Assurance 1432.05k1Organizational.89-05.k 05.02 External Parties Shared n/a The organization ensures a screening process is carried out for contractors and third-party users, and, where contractors are provided through an organization, the contract with the organization clearly specifies (i) the organization's responsibilities for screening and the notification procedures they need to follow if screening has not been completed, or if the results give cause for doubt or concern; and, (ii) all responsibilities and notification procedures for screening. 7
ISO27001-2013 A.7.1.1 ISO27001-2013_A.7.1.1 ISO 27001:2013 A.7.1.1 Human Resources Security Screening Shared n/a Background verification checks for all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. link 3
mp.per.1 Job characterization mp.per.1 Job characterization 404 not found n/a n/a 41
NIST_SP_800-171_R2_3 .9.1 NIST_SP_800-171_R2_3.9.1 NIST SP 800-171 R2 3.9.1 Personnel Security Screen individuals prior to authorizing access to organizational systems containing CUI. Shared Microsoft and the customer share responsibilities for implementing this requirement. Personnel security screening (vetting) activities involve the evaluation/assessment of individual’s conduct, integrity, judgment, loyalty, reliability, and stability (i.e., the trustworthiness of the individual) prior to authorizing access to organizational systems containing CUI. The screening activities reflect applicable federal laws, Executive Orders, directives, policies, regulations, and specific criteria established for the level of access required for assigned positions. link 2
NIST_SP_800-53_R4 PS-3 NIST_SP_800-53_R4_PS-3 NIST SP 800-53 Rev. 4 PS-3 Personnel Security Personnel Screening Shared n/a The organization: a. Screens individuals prior to authorizing access to the information system; and b. Rescreens individuals according to [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening]. Supplemental Guidance: Personnel screening and rescreening activities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, guidance, and specific criteria established for the risk designations of assigned positions. Organizations may define different rescreening conditions and frequencies for personnel accessing information systems based on types of information processed, stored, or transmitted by the systems. Related controls: AC-2, IA-4, PE-2, PS-2. References: 5 C.F.R. 731.106; FIPS Publications 199, 201; NIST Special Publications 800-60, 800-73, 800-76, 800-78; ICD 704. link 3
NIST_SP_800-53_R5 PS-3 NIST_SP_800-53_R5_PS-3 NIST SP 800-53 Rev. 5 PS-3 Personnel Security Personnel Screening Shared n/a a. Screen individuals prior to authorizing access to the system; and b. Rescreen individuals in accordance with [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening]. link 3
PCI_DSS_v4.0 12.7.1 PCI_DSS_v4.0_12.7.1 PCI DSS v4.0 12.7.1 Requirement 12: Support Information Security with Organizational Policies and Programs Personnel are screened to reduce risks from insider threats Shared n/a Potential personnel who will have access to the CDE are screened, within the constraints of local laws, prior to hire to minimize the risk of attacks from internal sources. link 3
SWIFT_CSCF_v2022 5.3A SWIFT_CSCF_v2022_5.3A SWIFT CSCF v2022 5.3A 5. Manage Identities and Segregate Privileges To the extent permitted and practicable, ensure the trustworthiness of staff operating the local SWIFT environment by performing regular staff screening. Shared n/a Staff operating the local SWIFT infrastructure are screened prior to initial appointment in that role and periodically thereafter. link 5
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add e0c480bf-0d68-a42d-4cbb-b60f851f8716
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC