last sync: 2024-Apr-24 17:46:58 UTC

Check for privacy and security compliance before establishing internal connections | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source: Azure Portal
Display name: Check for privacy and security compliance before establishing internal connections
Id: ee4bbbbb-2e52-9adb-4e3a-e641f7ac68ab
Version: 1.1.0
Category: Regulatory Compliance
Description: CMA_0053 - Check for privacy and security compliance before establishing internal connections
Additional metadata:
  Name/Id: CMA_0053 / CMA_0053
  Category: Operational
  Title: Check for privacy and security compliance before establishing internal connections
  Ownership: Customer
  Description: Microsoft recommends that your organization check for privacy and security compliance before establishing internal connections. These checks can be done on constituent system components and can include verifying baseline configurations. Your organization should consider documenting the interface characteristics, security requirements, and the nature of the information communicated for each internal connection.
  Requirements: The customer is responsible for implementing this recommendation.
Mode: All
Type: BuiltIn
Preview: False
Deprecated: False
Effect: Default: Manual; Allowed: Manual, Disabled
RBAC role(s): none
Rule aliases: none
Rule resource types: IF (1): Microsoft.Resources/subscriptions
Compliance
The following 15 compliance controls are associated with this Policy definition 'Check for privacy and security compliance before establishing internal connections' (ee4bbbbb-2e52-9adb-4e3a-e641f7ac68ab)
Each control is listed with its control domain and name, MetadataId, category, title, owner, requirements, description and the number of policies mapped to it (Policy#).

FedRAMP_High_R4 CA-9 (MetadataId: FedRAMP_High_R4_CA-9)
Category: FedRAMP High CA-9 Security Assessment And Authorization
Title: Internal System Connections
Owner: Shared; Requirements: n/a; Policy#: 1
Description: The organization: a. Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and b. Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated. Supplemental Guidance: This control applies to connections between organizational information systems and (separate) constituent system components (i.e., intra-system connections) including, for example, system connections with mobile devices, notebook/desktop computers, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal connection, organizations can authorize internal connections for a class of components with common characteristics and/or configurations, for example, all digital printers, scanners, and copiers with a specified processing, storage, and transmission capability or all smart phones with a specific baseline configuration. Related controls: AC-3, AC-4, AC-18, AC-19, AU-2, AU-12, CA-7, CM-2, IA-3, SC-7, SI-4. References: None.

FedRAMP_Moderate_R4 CA-9 (MetadataId: FedRAMP_Moderate_R4_CA-9)
Category: FedRAMP Moderate CA-9 Security Assessment And Authorization
Title: Internal System Connections
Owner: Shared; Requirements: n/a; Policy#: 1
Description: The organization: a. Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and b. Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated. Supplemental Guidance: This control applies to connections between organizational information systems and (separate) constituent system components (i.e., intra-system connections) including, for example, system connections with mobile devices, notebook/desktop computers, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal connection, organizations can authorize internal connections for a class of components with common characteristics and/or configurations, for example, all digital printers, scanners, and copiers with a specified processing, storage, and transmission capability or all smart phones with a specific baseline configuration. Related controls: AC-3, AC-4, AC-18, AC-19, AU-2, AU-12, CA-7, CM-2, IA-3, SC-7, SI-4. References: None.

hipaa 0819.09m1Organizational.23-09.m (MetadataId: hipaa-0819.09m1Organizational.23-09.m)
Category: 0819.09m1Organizational.23-09.m 08 Network Protection
Title: 0819.09m1Organizational.23-09.m 09.06 Network Security Management
Owner: Shared; Requirements: n/a; Policy#: 2
Description: A current network diagram (including wireless networks) exists, and is updated whenever there are network changes and no less than every six months.

hipaa 0836.09.n2Organizational.1-09.n (MetadataId: hipaa-0836.09.n2Organizational.1-09.n)
Category: 0836.09.n2Organizational.1-09.n 08 Network Protection
Title: 0836.09.n2Organizational.1-09.n 09.06 Network Security Management
Owner: Shared; Requirements: n/a; Policy#: 4
Description: The organization formally authorizes and documents the characteristics of each connection from an information system to other information systems outside the organization.

hipaa 0863.09m2Organizational.910-09.m (MetadataId: hipaa-0863.09m2Organizational.910-09.m)
Category: 0863.09m2Organizational.910-09.m 08 Network Protection
Title: 0863.09m2Organizational.910-09.m 09.06 Network Security Management
Owner: Shared; Requirements: n/a; Policy#: 25
Description: The organization builds a firewall configuration that restricts connections between untrusted networks and any system components in the covered information environment; and any changes to the firewall configuration are updated in the network diagram.

hipaa 0865.09m2Organizational.13-09.m (MetadataId: hipaa-0865.09m2Organizational.13-09.m)
Category: 0865.09m2Organizational.13-09.m 08 Network Protection
Title: 0865.09m2Organizational.13-09.m 09.06 Network Security Management
Owner: Shared; Requirements: n/a; Policy#: 5
Description: The organization (i) authorizes connections from the information system to other information systems outside of the organization through the use of interconnection security agreements or other formal agreement; (ii) documents each connection, the interface characteristics, security requirements, and the nature of the information communicated; (iii) employs a deny-all, permit-by-exception policy for allowing connections from the information system to other information systems outside of the organization; and, (iv) applies a default-deny rule that drops all traffic via host-based firewalls or port filtering tools on its endpoints (workstations, servers, etc.), except those services and ports that are explicitly allowed.

ISO27001-2013 A.12.4.1 (MetadataId: ISO27001-2013_A.12.4.1)
Category: ISO 27001:2013 A.12.4.1 Operations Security
Title: Event Logging
Owner: Shared; Requirements: n/a; Policy#: 53
Description: Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.

ISO27001-2013 A.12.4.3 (MetadataId: ISO27001-2013_A.12.4.3)
Category: ISO 27001:2013 A.12.4.3 Operations Security
Title: Administrator and operator logs
Owner: Shared; Requirements: n/a; Policy#: 29
Description: System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.

ISO27001-2013 A.15.1.2 (MetadataId: ISO27001-2013_A.15.1.2)
Category: ISO 27001:2013 A.15.1.2 Supplier Relationships
Title: Addressing security within supplier agreement
Owner: Shared; Requirements: n/a; Policy#: 24
Description: All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization's information.

ISO27001-2013 A.16.1.7 (MetadataId: ISO27001-2013_A.16.1.7)
Category: ISO 27001:2013 A.16.1.7 Information Security Incident Management
Title: Collection of evidence
Owner: Shared; Requirements: n/a; Policy#: 7
Description: The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information which can serve as evidence.

ISO27001-2013 A.18.2.2 (MetadataId: ISO27001-2013_A.18.2.2)
Category: ISO 27001:2013 A.18.2.2 Compliance
Title: Compliance with security policies and standards
Owner: Shared; Requirements: n/a; Policy#: 36
Description: Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.

NIST_SP_800-53_R4 CA-9 (MetadataId: NIST_SP_800-53_R4_CA-9)
Category: NIST SP 800-53 Rev. 4 CA-9 Security Assessment And Authorization
Title: Internal System Connections
Owner: Shared; Requirements: n/a; Policy#: 1
Description: The organization: a. Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and b. Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated. Supplemental Guidance: This control applies to connections between organizational information systems and (separate) constituent system components (i.e., intra-system connections) including, for example, system connections with mobile devices, notebook/desktop computers, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal connection, organizations can authorize internal connections for a class of components with common characteristics and/or configurations, for example, all digital printers, scanners, and copiers with a specified processing, storage, and transmission capability or all smart phones with a specific baseline configuration. Related controls: AC-3, AC-4, AC-18, AC-19, AU-2, AU-12, CA-7, CM-2, IA-3, SC-7, SI-4. References: None.

NIST_SP_800-53_R5 CA-9 (MetadataId: NIST_SP_800-53_R5_CA-9)
Category: NIST SP 800-53 Rev. 5 CA-9 Assessment, Authorization, and Monitoring
Title: Internal System Connections
Owner: Shared; Requirements: n/a; Policy#: 1
Description: a. Authorize internal connections of [Assignment: organization-defined system components or classes of components] to the system; b. Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated; c. Terminate internal system connections after [Assignment: organization-defined conditions]; and d. Review [Assignment: organization-defined frequency] the continued need for each internal connection.

PCI_DSS_v4.0 1.2.3 (MetadataId: PCI_DSS_v4.0_1.2.3)
Category: PCI DSS v4.0 1.2.3 Requirement 01: Install and Maintain Network Security Controls
Title: Network security controls (NSCs) are configured and maintained
Owner: Shared; Requirements: n/a; Policy#: 1
Description: An accurate network diagram(s) is maintained that shows all connections between the CDE and other networks, including any wireless networks.

SWIFT_CSCF_v2022 1.1 (MetadataId: SWIFT_CSCF_v2022_1.1)
Category: SWIFT CSCF v2022 1.1 1. Restrict Internet Access & Protect Critical Systems from General IT Environment
Title: Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment.
Owner: Shared; Requirements: n/a; Policy#: 22
Description: A separated secure zone safeguards the user's SWIFT infrastructure from compromises and attacks on the broader enterprise and external environments.
Initiatives usage
Each initiative is listed with its display name, initiative Id, category, state and type.
FedRAMP High: Id d5264498-16f4-418a-b659-fa7ef418175f; Category Regulatory Compliance; State GA; Type BuiltIn
FedRAMP Moderate: Id e95f5a9f-57ad-4d03-bb0b-b1d16db93693; Category Regulatory Compliance; State GA; Type BuiltIn
HITRUST/HIPAA: Id a169a624-5599-4385-a696-c8d643089fab; Category Regulatory Compliance; State GA; Type BuiltIn
ISO 27001:2013: Id 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2; Category Regulatory Compliance; State GA; Type BuiltIn
NIST SP 800-53 Rev. 4: Id cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f; Category Regulatory Compliance; State GA; Type BuiltIn
NIST SP 800-53 Rev. 5: Id 179d1daa-458f-4e47-8086-2a68d0d6c38f; Category Regulatory Compliance; State GA; Type BuiltIn
PCI DSS v4: Id c676748e-3af9-4e22-bc28-50feed564afb; Category Regulatory Compliance; State GA; Type BuiltIn
SWIFT CSP-CSCF v2022: Id 7bc7cd6c-4114-ff31-3cac-59be3157596d; Category Regulatory Compliance; State GA; Type BuiltIn
History
Date/Time (UTC, ymd); Change type; Change detail
2022-09-27 16:35:32; change; Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40; add; ee4bbbbb-2e52-9adb-4e3a-e641f7ac68ab