last sync: 2024-Apr-24 17:46:58 UTC

Define information security roles and responsibilities | Regulatory Compliance - Documentation

Azure BuiltIn Policy definition

Source: Azure Portal
Display name: Define information security roles and responsibilities
Id: ef5a7059-6651-73b1-18b3-75b1b79c1565
Version: 1.1.0
Category: Regulatory Compliance
Description: CMA_C1565 - Define information security roles and responsibilities
Additional metadata:
  Name/Id: CMA_C1565 / CMA_C1565
  Category: Documentation
  Title: Define information security roles and responsibilities
  Ownership: Customer
  Description: The customer is responsible for managing customer-deployed resources using a system development life cycle (SDLC) which identifies and documents information security roles and responsibilities.
  Requirements: The customer is responsible for implementing this recommendation.
Mode: All
Type: BuiltIn
Preview: False
Deprecated: False
Effect: Default: Manual; Allowed: Manual, Disabled
RBAC role(s): none
Rule aliases: none
Rule resource types: IF (1) Microsoft.Resources/subscriptions
Compliance
The following 21 compliance controls are associated with this Policy definition 'Define information security roles and responsibilities' (ef5a7059-6651-73b1-18b3-75b1b79c1565)
Control Domain | Control Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy#
FedRAMP_High_R4 | SA-3 | FedRAMP_High_R4_SA-3 | FedRAMP High SA-3 System And Services Acquisition | System Development Life Cycle | Shared | n/a | The organization: a. Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations; b. Defines and documents information security roles and responsibilities throughout the system development life cycle; c. Identifies individuals having information security roles and responsibilities; and d. Integrates the organizational information security risk management process into system development life cycle activities. Supplemental Guidance: A well-defined system development life cycle provides the foundation for the successful development, implementation, and operation of organizational information systems. To apply the required security controls within the system development life cycle requires a basic understanding of information security, threats, vulnerabilities, adverse impacts, and risk to critical missions/business functions. The security engineering principles in SA-8 cannot be properly applied if individuals that design, code, and test information systems and system components (including information technology products) do not understand security. Therefore, organizations include qualified personnel, for example, chief information security officers, security architects, security engineers, and information system security officers in system development life cycle activities to ensure that security requirements are incorporated into organizational information systems. It is equally important that developers include individuals on the development team that possess the requisite security expertise and skills to ensure that needed security capabilities are effectively integrated into the information system. Security awareness and training programs can help ensure that individuals having key security roles and responsibilities have the appropriate experience, skills, and expertise to conduct assigned system development life cycle activities. The effective integration of security requirements into enterprise architecture also helps to ensure that important security considerations are addressed early in the system development life cycle and that those considerations are directly related to the organizational mission/business processes. This process also facilitates the integration of the information security architecture into the enterprise architecture, consistent with organizational risk management and information security strategies. Related controls: AT-3, PM-7, SA-8. Control Enhancements: None. References: NIST Special Publications 800-37, 800-64. | link | 3
FedRAMP_Moderate_R4 | SA-3 | FedRAMP_Moderate_R4_SA-3 | FedRAMP Moderate SA-3 System And Services Acquisition | System Development Life Cycle | Shared | n/a | The organization: a. Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations; b. Defines and documents information security roles and responsibilities throughout the system development life cycle; c. Identifies individuals having information security roles and responsibilities; and d. Integrates the organizational information security risk management process into system development life cycle activities. Supplemental Guidance: A well-defined system development life cycle provides the foundation for the successful development, implementation, and operation of organizational information systems. To apply the required security controls within the system development life cycle requires a basic understanding of information security, threats, vulnerabilities, adverse impacts, and risk to critical missions/business functions. The security engineering principles in SA-8 cannot be properly applied if individuals that design, code, and test information systems and system components (including information technology products) do not understand security. Therefore, organizations include qualified personnel, for example, chief information security officers, security architects, security engineers, and information system security officers in system development life cycle activities to ensure that security requirements are incorporated into organizational information systems. It is equally important that developers include individuals on the development team that possess the requisite security expertise and skills to ensure that needed security capabilities are effectively integrated into the information system. Security awareness and training programs can help ensure that individuals having key security roles and responsibilities have the appropriate experience, skills, and expertise to conduct assigned system development life cycle activities. The effective integration of security requirements into enterprise architecture also helps to ensure that important security considerations are addressed early in the system development life cycle and that those considerations are directly related to the organizational mission/business processes. This process also facilitates the integration of the information security architecture into the enterprise architecture, consistent with organizational risk management and information security strategies. Related controls: AT-3, PM-7, SA-8. Control Enhancements: None. References: NIST Special Publications 800-37, 800-64. | link | 3
hipaa | 0104.02a1Organizational.12-02.a | hipaa-0104.02a1Organizational.12-02.a | 0104.02a1Organizational.12-02.a 01 Information Protection Program | 0104.02a1Organizational.12-02.a 02.01 Prior to Employment | Shared | n/a | User security roles and responsibilities are clearly defined and communicated. | | 14
hipaa | 0122.05a2Organizational.3-05.a | hipaa-0122.05a2Organizational.3-05.a | 0122.05a2Organizational.3-05.a 01 Information Protection Program | 0122.05a2Organizational.3-05.a 05.01 Internal Organization | Shared | n/a | The individual responsible for information security in the organization is qualified for the role. | | 6
hipaa | 0702.07a1Organizational.3-07.a | hipaa-0702.07a1Organizational.3-07.a | 0702.07a1Organizational.3-07.a 07 Vulnerability Management | 0702.07a1Organizational.3-07.a 07.01 Responsibility for Assets | Shared | n/a | The information lifecycle manages the secure use, transfer, exchange, and disposal of IT-related assets. | | 2
hipaa | 0705.07a3Organizational.3-07.a | hipaa-0705.07a3Organizational.3-07.a | 0705.07a3Organizational.3-07.a 07 Vulnerability Management | 0705.07a3Organizational.3-07.a 07.01 Responsibility for Assets | Shared | n/a | The IT Asset Lifecycle Program is regularly reviewed and updated. | | 3
hipaa | 0706.10b1System.12-10.b | hipaa-0706.10b1System.12-10.b | 0706.10b1System.12-10.b 07 Vulnerability Management | 0706.10b1System.12-10.b 10.02 Correct Processing in Applications | Shared | n/a | Applications developed by the organization are based on secure coding guidelines to prevent common vulnerabilities or undergo appropriate testing. | | 4
hipaa | 1780.10a1Organizational.1-10.a | hipaa-1780.10a1Organizational.1-10.a | 1780.10a1Organizational.1-10.a 17 Risk Management | 1780.10a1Organizational.1-10.a 10.01 Security Requirements of Information Systems | Shared | n/a | The organization formally addresses the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance with system and information integrity requirements and facilitates the implementation of system and information integrity requirements/controls. | | 3
hipaa | 1781.10a1Organizational.23-10.a | hipaa-1781.10a1Organizational.23-10.a | 1781.10a1Organizational.23-10.a 17 Risk Management | 1781.10a1Organizational.23-10.a 10.01 Security Requirements of Information Systems | Shared | n/a | Information system specifications for security control requirements state that security controls are to be incorporated in the information system, supplemented by manual controls as needed, and these considerations are also applied when evaluating software packages, developed or purchased. | | 4
hipaa | 1786.10a1Organizational.9-10.a | hipaa-1786.10a1Organizational.9-10.a | 1786.10a1Organizational.9-10.a 17 Risk Management | 1786.10a1Organizational.9-10.a 10.01 Security Requirements of Information Systems | Shared | n/a | The organization requires developers of information systems, components, and developers or providers of services to identify (document) early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use. | | 4
hipaa | 1787.10a2Organizational.1-10.a | hipaa-1787.10a2Organizational.1-10.a | 1787.10a2Organizational.1-10.a 17 Risk Management | 1787.10a2Organizational.1-10.a 10.01 Security Requirements of Information Systems | Shared | n/a | Information security and privacy are addressed in all phases of the project management methodology. | | 5
hipaa | 1789.10a2Organizational.3-10.a | hipaa-1789.10a2Organizational.3-10.a | 1789.10a2Organizational.3-10.a 17 Risk Management | 1789.10a2Organizational.3-10.a 10.01 Security Requirements of Information Systems | Shared | n/a | The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of security requirements and controls in developed and acquired information systems. | | 4
hipaa | 1790.10a2Organizational.45-10.a | hipaa-1790.10a2Organizational.45-10.a | 1790.10a2Organizational.45-10.a 17 Risk Management | 1790.10a2Organizational.45-10.a 10.01 Security Requirements of Information Systems | Shared | n/a | The organization includes business requirements for the availability of information systems when specifying the security requirements; and, where availability cannot be guaranteed using existing architectures, redundant components or architectures are considered along with the risks associated with implementing such redundancies. | | 6
hipaa | 1792.10a2Organizational.7814-10.a | hipaa-1792.10a2Organizational.7814-10.a | 1792.10a2Organizational.7814-10.a 17 Risk Management | 1792.10a2Organizational.7814-10.a 10.01 Security Requirements of Information Systems | Shared | n/a | Information security risk management is integrated into the SDLC, and information security roles and responsibilities are defined for all SDLC phases. | | 4
ISO27001-2013 | A.14.1.1 | ISO27001-2013_A.14.1.1 | ISO 27001:2013 A.14.1.1 System Acquisition, Development And Maintenance | Information security requirements analysis and specification | Shared | n/a | The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems. | link | 24
ISO27001-2013 | A.14.2.1 | ISO27001-2013_A.14.2.1 | ISO 27001:2013 A.14.2.1 System Acquisition, Development And Maintenance | Secure development policy | Shared | n/a | Rules for the development of software and systems shall be established and applied to developments within the organization. | link | 7
ISO27001-2013 | A.14.2.6 | ISO27001-2013_A.14.2.6 | ISO 27001:2013 A.14.2.6 System Acquisition, Development And Maintenance | Secure development environment | Shared | n/a | Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle. | link | 10
ISO27001-2013 | A.6.1.1 | ISO27001-2013_A.6.1.1 | ISO 27001:2013 A.6.1.1 Organization of Information Security | Information security roles and responsibilities | Shared | n/a | All information security responsibilities shall be clearly defined and allocated. | link | 73
ISO27001-2013 | A.6.1.5 | ISO27001-2013_A.6.1.5 | ISO 27001:2013 A.6.1.5 Organization of Information Security | Information security in project management | Shared | n/a | Information security shall be addressed in project management, regardless of the type of the project. | link | 25
NIST_SP_800-53_R4 | SA-3 | NIST_SP_800-53_R4_SA-3 | NIST SP 800-53 Rev. 4 SA-3 System And Services Acquisition | System Development Life Cycle | Shared | n/a | The organization: a. Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations; b. Defines and documents information security roles and responsibilities throughout the system development life cycle; c. Identifies individuals having information security roles and responsibilities; and d. Integrates the organizational information security risk management process into system development life cycle activities. Supplemental Guidance: A well-defined system development life cycle provides the foundation for the successful development, implementation, and operation of organizational information systems. To apply the required security controls within the system development life cycle requires a basic understanding of information security, threats, vulnerabilities, adverse impacts, and risk to critical missions/business functions. The security engineering principles in SA-8 cannot be properly applied if individuals that design, code, and test information systems and system components (including information technology products) do not understand security. Therefore, organizations include qualified personnel, for example, chief information security officers, security architects, security engineers, and information system security officers in system development life cycle activities to ensure that security requirements are incorporated into organizational information systems. It is equally important that developers include individuals on the development team that possess the requisite security expertise and skills to ensure that needed security capabilities are effectively integrated into the information system. Security awareness and training programs can help ensure that individuals having key security roles and responsibilities have the appropriate experience, skills, and expertise to conduct assigned system development life cycle activities. The effective integration of security requirements into enterprise architecture also helps to ensure that important security considerations are addressed early in the system development life cycle and that those considerations are directly related to the organizational mission/business processes. This process also facilitates the integration of the information security architecture into the enterprise architecture, consistent with organizational risk management and information security strategies. Related controls: AT-3, PM-7, SA-8. Control Enhancements: None. References: NIST Special Publications 800-37, 800-64. | link | 3
NIST_SP_800-53_R5 | SA-3 | NIST_SP_800-53_R5_SA-3 | NIST SP 800-53 Rev. 5 SA-3 System and Services Acquisition | System Development Life Cycle | Shared | n/a | a. Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations; b. Define and document information security and privacy roles and responsibilities throughout the system development life cycle; c. Identify individuals having information security and privacy roles and responsibilities; and d. Integrate the organizational information security and privacy risk management process into system development life cycle activities. | link | 3
Initiatives usage
Initiative DisplayName | Initiative Id | Initiative Category | State | Type
FedRAMP High | d5264498-16f4-418a-b659-fa7ef418175f | Regulatory Compliance | GA | BuiltIn
FedRAMP Moderate | e95f5a9f-57ad-4d03-bb0b-b1d16db93693 | Regulatory Compliance | GA | BuiltIn
HITRUST/HIPAA | a169a624-5599-4385-a696-c8d643089fab | Regulatory Compliance | GA | BuiltIn
ISO 27001:2013 | 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 | Regulatory Compliance | GA | BuiltIn
NIST SP 800-53 Rev. 4 | cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f | Regulatory Compliance | GA | BuiltIn
NIST SP 800-53 Rev. 5 | 179d1daa-458f-4e47-8086-2a68d0d6c38f | Regulatory Compliance | GA | BuiltIn
History
Date/Time (UTC ymd) | Change type | Change detail
2022-09-27 16:35:32 | change | Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40 | add | ef5a7059-6651-73b1-18b3-75b1b79c1565