last sync: 2024-Oct-04 17:51:30 UTC

Manage the input, output, processing, and storage of data | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Manage the input, output, processing, and storage of data
Id e603da3a-8af7-4f8a-94cb-1bcc0e0333d2
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_0369 - Manage the input, output, processing, and storage of data
Additional metadata Name/Id: CMA_0369 / CMA_0369
Category: Operational
Title: Manage the input, output, processing, and storage of data
Ownership: Customer
Description: Microsoft recommends that your organization manage the input, output, processing, and storage of data held by your organization and third parties. It is recommended to develop and document data integrity mechanisms, such as error checking and validation, to ensure and preserve the validity and accuracy of data throughout its life cycle. Your organization may validate data output from applications to verify that the processing of information that is stored is correct an appropriate. We recommend that your organization ensure data is processed to limit observability and linkability (e.g., data actions take place on local devices, privacy-preserving cryptography) and to limit formulation of inferences about individuals' behavior or activities (i.e., data processing is decentralized, distributed architectures). We also recommend that your organization establish a process to differentiate personal data based on facts from personal data based on personal assessments. It is recommended that your organization implement technical and organizational measures and safeguards to secure the database records. Microsoft recommends that your organization apply controls against unexpected modification to records stored within the database and perform integrity checks at regular intervals. It is recommended to ensure that systems are able to record the identity of users who input, modify, confirm or delete data, along with the date and time of such actions. We recommend that your organization use digital information from authorized sources only.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 45 compliance controls are associated with this Policy definition 'Manage the input, output, processing, and storage of data' (e603da3a-8af7-4f8a-94cb-1bcc0e0333d2)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
CIS_Azure_1.3.0 7.1 CIS_Azure_1.3.0_7.1 CIS Microsoft Azure Foundations Benchmark recommendation 7.1 7 Virtual Machines Ensure Virtual Machines are utilizing Managed Disks Shared The customer is responsible for implementing this recommendation. Migrate BLOB based VHD's to Managed Disks on Virtual Machines to exploit the default features of this configuration. The features include 1) Default Disk Encryption 2) Resilience as Microsoft will managed the disk storage and move around if underlying hardware goes faulty 3) Reduction of costs over storage accounts link 4
CIS_Azure_1.4.0 7.1 CIS_Azure_1.4.0_7.1 CIS Microsoft Azure Foundations Benchmark recommendation 7.1 7 Virtual Machines Ensure Virtual Machines are utilizing Managed Disks Shared The customer is responsible for implementing this recommendation. Migrate BLOB based VHD's to Managed Disks on Virtual Machines to exploit the default features of this configuration. The features include 1) Default Disk Encryption 2) Resilience as Microsoft will managed the disk storage and move around if underlying hardware goes faulty 3) Reduction of costs over storage accounts link 4
CIS_Azure_2.0.0 7.2 CIS_Azure_2.0.0_7.2 CIS Microsoft Azure Foundations Benchmark recommendation 7.2 7 Ensure Virtual Machines are utilizing Managed Disks Shared There are additional costs for managed disks based off of disk space allocated. When converting to managed disks, VMs will be powered off and back on. Migrate blob-based VHDs to Managed Disks on Virtual Machines to exploit the default features of this configuration. The features include: 1) Default Disk Encryption 2) Resilience, as Microsoft will managed the disk storage and move around if underlying hardware goes faulty 3) Reduction of costs over storage accounts Managed disks are by default encrypted on the underlying hardware, so no additional encryption is required for basic protection. It is available if additional encryption is required. Managed disks are by design more resilient that storage accounts. For ARM-deployed Virtual Machines, Azure Adviser will at some point recommend moving VHDs to managed disks both from a security and cost management perspective. link 4
FedRAMP_High_R4 PE-5 FedRAMP_High_R4_PE-5 FedRAMP High PE-5 Physical And Environmental Protection Access Control For Output Devices Shared n/a The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output. Supplemental Guidance: Controlling physical access to output devices includes, for example, placing output devices in locked rooms or other secured areas and allowing access to authorized individuals only, and placing output devices in locations that can be monitored by organizational personnel. Monitors, printers, copiers, scanners, facsimile machines, and audio devices are examples of information system output devices. Related controls: PE-2, PE-3, PE-4, PE-18. References: None. link 3
FedRAMP_High_R4 SI-12 FedRAMP_High_R4_SI-12 FedRAMP High SI-12 System And Information Integrity Information Handling And Retention Shared n/a The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. Supplemental Guidance: Information handling and retention requirements cover the full life cycle of information, in some cases extending beyond the disposal of information systems. The National Archives and Records Administration provides guidance on records retention. Related controls: AC-16, AU-5, AU-11, MP-2, MP-4. Control Enhancements: None. References: None. link 3
FedRAMP_Moderate_R4 PE-5 FedRAMP_Moderate_R4_PE-5 FedRAMP Moderate PE-5 Physical And Environmental Protection Access Control For Output Devices Shared n/a The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output. Supplemental Guidance: Controlling physical access to output devices includes, for example, placing output devices in locked rooms or other secured areas and allowing access to authorized individuals only, and placing output devices in locations that can be monitored by organizational personnel. Monitors, printers, copiers, scanners, facsimile machines, and audio devices are examples of information system output devices. Related controls: PE-2, PE-3, PE-4, PE-18. References: None. link 3
FedRAMP_Moderate_R4 SI-12 FedRAMP_Moderate_R4_SI-12 FedRAMP Moderate SI-12 System And Information Integrity Information Handling And Retention Shared n/a The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. Supplemental Guidance: Information handling and retention requirements cover the full life cycle of information, in some cases extending beyond the disposal of information systems. The National Archives and Records Administration provides guidance on records retention. Related controls: AC-16, AU-5, AU-11, MP-2, MP-4. Control Enhancements: None. References: None. link 3
hipaa 11190.01t1Organizational.3-01.t hipaa-11190.01t1Organizational.3-01.t 11190.01t1Organizational.3-01.t 11 Access Control 11190.01t1Organizational.3-01.t 01.05 Operating System Access Control Shared n/a Bring your own device (BYOD) and/or company-owned devices are configured to require an automatic lockout screen, and the requirement is enforced through technical controls. 5
hipaa 1908.06.c1Organizational.4-06.c hipaa-1908.06.c1Organizational.4-06.c 1908.06.c1Organizational.4-06.c 19 Data Protection & Privacy 1908.06.c1Organizational.4-06.c 06.01 Compliance with Legal Requirements Shared n/a The organization documents and maintains (i) designated record sets that are subject to access by individuals, and (ii) titles of the persons or office responsible for receiving and processing requests for access by individuals as organizational records for a period of six years. 11
hipaa 19141.06c1Organizational.7-06.c hipaa-19141.06c1Organizational.7-06.c 19141.06c1Organizational.7-06.c 19 Data Protection & Privacy 19141.06c1Organizational.7-06.c 06.01 Compliance with Legal Requirements Shared n/a Important records, such as contracts, personnel records, financial information, client/customer information, etc., of the organization are protected from loss, destruction and falsification through the implementation of security controls such as access controls, encryption, backups, electronic signatures, locked facilities or containers, etc. 10
hipaa 19142.06c1Organizational.8-06.c hipaa-19142.06c1Organizational.8-06.c 19142.06c1Organizational.8-06.c 19 Data Protection & Privacy 19142.06c1Organizational.8-06.c 06.01 Compliance with Legal Requirements Shared n/a Guidelines are issued by the organization on the ownership, classification, retention, storage, handling and disposal of all records and information. 9
hipaa 19144.06c2Organizational.1-06.c hipaa-19144.06c2Organizational.1-06.c 19144.06c2Organizational.1-06.c 19 Data Protection & Privacy 19144.06c2Organizational.1-06.c 06.01 Compliance with Legal Requirements Shared n/a The organization has established a formal records document retention program. 7
hipaa 19145.06c2Organizational.2-06.c hipaa-19145.06c2Organizational.2-06.c 19145.06c2Organizational.2-06.c 19 Data Protection & Privacy 19145.06c2Organizational.2-06.c 06.01 Compliance with Legal Requirements Shared n/a Specific controls for record storage, access, retention, and destruction have been implemented. 8
ISO27001-2013 A.11.1.2 ISO27001-2013_A.11.1.2 ISO 27001:2013 A.11.1.2 Physical And Environmental Security Physical entry controls Shared n/a Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. link 9
ISO27001-2013 A.11.2.3 ISO27001-2013_A.11.2.3 ISO 27001:2013 A.11.2.3 Physical And Environmental Security Cabling security Shared n/a Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage. link 4
ISO27001-2013 A.18.1.3 ISO27001-2013_A.18.1.3 ISO 27001:2013 A.18.1.3 Compliance Protection of records Shared n/a Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislative, regulatory, contractual and business requirements. link 15
ISO27001-2013 A.18.1.4 ISO27001-2013_A.18.1.4 ISO 27001:2013 A.18.1.4 Compliance Privacy and protection of personally identifiable information Shared n/a Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable. link 6
ISO27001-2013 A.8.2.2 ISO27001-2013_A.8.2.2 ISO 27001:2013 A.8.2.2 Asset Management Labelling of information Shared n/a An appropriate set of procedures for information labeling shall be developed and implemented in accordance with the information classification scheme adopted by the organization. link 4
ISO27001-2013 A.8.2.3 ISO27001-2013_A.8.2.3 ISO 27001:2013 A.8.2.3 Asset Management Handling of assets Shared n/a Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization. link 26
mp.if.1 Separate areas with access control mp.if.1 Separate areas with access control 404 not found n/a n/a 23
mp.if.2 Identification of persons mp.if.2 Identification of persons 404 not found n/a n/a 13
mp.if.3 Fitting-out of premises mp.if.3 Fitting-out of premises 404 not found n/a n/a 18
mp.if.4 Electrical energy mp.if.4 Electrical energy 404 not found n/a n/a 8
mp.if.7 Recording of entries and exits of equipment mp.if.7 Recording of entries and exits of equipment 404 not found n/a n/a 12
mp.info.1 Personal data mp.info.1 Personal data 404 not found n/a n/a 33
mp.info.2 Rating of information mp.info.2 Rating of information 404 not found n/a n/a 45
mp.info.5 Clean-up of documents mp.info.5 Clean-up of documents 404 not found n/a n/a 4
mp.si.1 Marking mp.si.1 Marking 404 not found n/a n/a 7
mp.si.4 Transport mp.si.4 Transport 404 not found n/a n/a 24
NIST_SP_800-53_R4 PE-5 NIST_SP_800-53_R4_PE-5 NIST SP 800-53 Rev. 4 PE-5 Physical And Environmental Protection Access Control For Output Devices Shared n/a The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output. Supplemental Guidance: Controlling physical access to output devices includes, for example, placing output devices in locked rooms or other secured areas and allowing access to authorized individuals only, and placing output devices in locations that can be monitored by organizational personnel. Monitors, printers, copiers, scanners, facsimile machines, and audio devices are examples of information system output devices. Related controls: PE-2, PE-3, PE-4, PE-18. References: None. link 3
NIST_SP_800-53_R4 SI-12 NIST_SP_800-53_R4_SI-12 NIST SP 800-53 Rev. 4 SI-12 System And Information Integrity Information Handling And Retention Shared n/a The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. Supplemental Guidance: Information handling and retention requirements cover the full life cycle of information, in some cases extending beyond the disposal of information systems. The National Archives and Records Administration provides guidance on records retention. Related controls: AC-16, AU-5, AU-11, MP-2, MP-4. Control Enhancements: None. References: None. link 3
NIST_SP_800-53_R5 PE-5 NIST_SP_800-53_R5_PE-5 NIST SP 800-53 Rev. 5 PE-5 Physical and Environmental Protection Access Control for Output Devices Shared n/a Control physical access to output from [Assignment: organization-defined output devices] to prevent unauthorized individuals from obtaining the output. link 3
NIST_SP_800-53_R5 SI-12 NIST_SP_800-53_R5_SI-12 NIST SP 800-53 Rev. 5 SI-12 System and Information Integrity Information Management and Retention Shared n/a Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements. link 3
org.1 Security policy org.1 Security policy 404 not found n/a n/a 94
PCI_DSS_v4.0 3.2.1 PCI_DSS_v4.0_3.2.1 PCI DSS v4.0 3.2.1 Requirement 03: Protect Stored Account Data Storage of account data is kept to a minimum Shared n/a Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes that include at least the following: • Coverage for all locations of stored account data. • Coverage for any sensitive authentication data (SAD) stored prior to completion of authorization. This bullet is a best practice until its effective date; refer to Applicability Notes below for details. • Limiting data storage amount and retention time to that which is required for legal or regulatory, and/or business requirements. • Specific retention requirements for stored account data that defines length of retention period and includes a documented business justification. • Processes for secure deletion or rendering account data unrecoverable when no longer needed per the retention policy. • A process for verifying, at least once every three months, that stored account data exceeding the defined retention period has been securely deleted or rendered unrecoverable. link 8
PCI_DSS_v4.0 9.5.1 PCI_DSS_v4.0_9.5.1 PCI DSS v4.0 9.5.1 Requirement 09: Restrict Physical Access to Cardholder Data Point of interaction (POI) devices are protected from tampering and unauthorized substitution Shared n/a POI devices that capture payment card data via direct physical interaction with the payment card form factor are protected from tampering and unauthorized substitution, including the following: • Maintaining a list of POI devices. • Periodically inspecting POI devices to look for tampering or unauthorized substitution. • Training personnel to be aware of suspicious behavior and to report tampering or unauthorized substitution of devices. link 3
PCI_DSS_v4.0 9.5.1.2 PCI_DSS_v4.0_9.5.1.2 PCI DSS v4.0 9.5.1.2 Requirement 09: Restrict Physical Access to Cardholder Data Point of interaction (POI) devices are protected from tampering and unauthorized substitution Shared n/a POI device surfaces are periodically inspected to detect tampering and unauthorized substitution. link 3
PCI_DSS_v4.0 9.5.1.2.1 PCI_DSS_v4.0_9.5.1.2.1 PCI DSS v4.0 9.5.1.2.1 Requirement 09: Restrict Physical Access to Cardholder Data Point of interaction (POI) devices are protected from tampering and unauthorized substitution Shared n/a The frequency of periodic POI device inspections and the type of inspections performed is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. link 3
SOC_2 C1.1 SOC_2_C1.1 SOC 2 Type 2 C1.1 Additional Criteria For Confidentiality Protection of confidential information Shared The customer is responsible for implementing this recommendation. Identifies Confidential information — Procedures are in place to identify and designate confidential information when it is received or created and to determine the period over which the confidential information is to be retained. • Protects Confidential Information From Destruction — Procedures are in place to protect confidential information from erasure or destruction during the specified retention period of the information. 3
SOC_2 C1.2 SOC_2_C1.2 SOC 2 Type 2 C1.2 Additional Criteria For Confidentiality Disposal of confidential information Shared The customer is responsible for implementing this recommendation. Identifies Confidential Information for Destruction — Procedures are in place to identify confidential information requiring destruction when the end of the retention period is reached. • Destroys Confidential Information — Procedures are in place to erase or otherwise destroy confidential information that has been identified for destruction 3
SOC_2 CC2.1 SOC_2_CC2.1 SOC 2 Type 2 CC2.1 Communication and Information COSO Principle 13 Shared The customer is responsible for implementing this recommendation. Identifies Information Requirements — A process is in place to identify the information required and expected to support the functioning of the other components of internal control and the achievement of the entity’s objectives. • Captures Internal and External Sources of Data — Information systems capture internal and external sources of data. • Processes Relevant Data Into Information — Information systems process and transform relevant data into information. • Maintains Quality Throughout Processing — Information systems produce information that is timely, current, accurate, complete, accessible, protected, verifiable, and retained. Information is reviewed to assess its relevance in supporting the internal control components. 3
SOC_2 CC6.1 SOC_2_CC6.1 SOC 2 Type 2 CC6.1 Logical and Physical Access Controls Logical access security software, infrastructure, and architectures Shared The customer is responsible for implementing this recommendation. The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion: • Identifies and Manages the Inventory of Information Assets — The entity identifies, Page 29 TSP Ref. # TRUST SERVICES CRITERIA AND POINTS OF FOCUS inventories, classifies, and manages information assets. • Restricts Logical Access — Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets. • Identifies and Authenticates Users — Persons, infrastructure, and software are identified and authenticated prior to accessing information assets, whether locally or remotely. • Considers Network Segmentation — Network segmentation permits unrelated portions of the entity's information system to be isolated from each other. • Manages Points of Access — Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed. • Restricts Access to Information Assets — Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets. • Manages Identification and Authentication — Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure, and software. • Manages Credentials for Infrastructure and Software — New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use. • Uses Encryption to Protect Data — The entity uses encryption to supplement other measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk. • Protects Encryption Keys — Processes are in place to protect encryption keys during generation, storage, use, and destruction 78
SOC_2 PI1.3 SOC_2_PI1.3 SOC 2 Type 2 PI1.3 Additional Criteria For Processing Integrity System processing Shared The customer is responsible for implementing this recommendation. • Defines Processing Specifications — The processing specifications that are necessary to meet product or service requirements are defined. • Defines Processing Activities — Processing activities are defined to result in products or services that meet specifications. • Detects and Corrects Production Errors — Errors in the production process are detected and corrected in a timely manner. • Records System Processing Activities — System processing activities are recorded completely and accurately in a timely manner. • Processes Inputs — Inputs are processed completely, accurately, and timely as authorized in accordance with defined processing activities 5
SOC_2 PI1.4 SOC_2_PI1.4 SOC 2 Type 2 PI1.4 Additional Criteria For Processing Integrity System output is complete, accurate, and timely Shared The customer is responsible for implementing this recommendation. • Protects Output — Output is protected when stored or delivered, or both, to prevent theft, destruction, corruption, or deterioration that would prevent output from meeting specifications. • Distributes Output Only to Intended Parties — Output is distributed or made available only to intended parties. • Distributes Output Completely and Accurately — Procedures are in place to provide for the completeness, accuracy, and timeliness of distributed output. • Creates and Maintains Records of System Output Activities — Records of system output activities are created and maintained completely and accurately in a timely manner. 3
SOC_2 PI1.5 SOC_2_PI1.5 SOC 2 Type 2 PI1.5 Additional Criteria For Processing Integrity Store inputs and outputs completely, accurately, and timely Shared The customer is responsible for implementing this recommendation. • Protects Stored Items — Stored items are protected to prevent theft, corruption, destruction, or deterioration that would prevent output from meeting specifications. • Archives and Protects System Records — System records are archived and archives are protected against theft, corruption, destruction, or deterioration that would prevent them from being used. • Stores Data Completely and Accurately — Procedures are in place to provide for the complete, accurate, and timely storage of data. • Creates and Maintains Records of System Storage Activities — Records of system storage activities are created and maintained completely and accurately in a timely manner 10
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
CIS Microsoft Azure Foundations Benchmark v1.3.0 612b5213-9160-4969-8578-1518bd2a000c Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.4.0 c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v2.0.0 06f19060-9e68-4070-92ca-f15cc126059e Regulatory Compliance GA BuiltIn
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-02 16:33:37 add e603da3a-8af7-4f8a-94cb-1bcc0e0333d2
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC