last sync: 2024-Apr-24 17:46:58 UTC

Manage a secure surveillance camera system | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Manage a secure surveillance camera system
Id f2222056-062d-1060-6dc2-0107a68c34b2
Version 1.1.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description CMA_0354 - Manage a secure surveillance camera system
Additional metadata Name/Id: CMA_0354 / CMA_0354
Category: Operational
Title: Manage a secure surveillance camera system
Ownership: Customer
Description: Microsoft recommends that your organization implement a CCTV surveillance policy which may include the following: - Records all facility entry/exit points and restricted areas (e.g. server/machine room, etc.) - Review camera positioning and recordings to ensure adequate coverage, function, image quality, lighting conditions, and frame rate of surveillance footage - Restrict physical and/or logical access to the surveillance camera console and to camera equipment (e.g., DVRs, NVRs) to responsible personnel only - Ensure that camera footage includes an accurate date and timestamp - Retain camera surveillance footage and electronic access logs in secure location for maximum time allowed by law - Designate an employee or group of employees to monitor surveillance footage during operating hours and immediately investigate detected security incidents - Include a sign or another method of making the public aware that the facility is under video surveillance It is recommended to require approval for the use of surveillance cameras in places that are only frequented by a limited list of individuals and for such approval to be based on a valid need to implement the cameras. Your organization should also consider monitoring physical intrusion alarms and surveillance equipment. Microsoft recommends your organization maintain the records of video surveillance which include recording, date and time, name, domicile employment of the data subject and others related records.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
The following 15 compliance controls are associated with this Policy definition 'Manage a secure surveillance camera system' (f2222056-062d-1060-6dc2-0107a68c34b2)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 PE-6(1) FedRAMP_High_R4_PE-6(1) FedRAMP High PE-6 (1) Physical And Environmental Protection Intrusion Alarms / Surveillance Equipment Shared n/a The organization monitors physical intrusion alarms and surveillance equipment. link 2
FedRAMP_Moderate_R4 PE-6(1) FedRAMP_Moderate_R4_PE-6(1) FedRAMP Moderate PE-6 (1) Physical And Environmental Protection Intrusion Alarms / Surveillance Equipment Shared n/a The organization monitors physical intrusion alarms and surveillance equipment. link 2
hipaa 0505.09m2Organizational.3-09.m hipaa-0505.09m2Organizational.3-09.m 0505.09m2Organizational.3-09.m 05 Wireless Security 0505.09m2Organizational.3-09.m 09.06 Network Security Management Shared n/a Quarterly scans are performed to identify unauthorized wireless access points, and appropriate action is taken if any unauthorized access points are discovered. 8
hipaa 1331.02e3Organizational.4-02.e hipaa-1331.02e3Organizational.4-02.e 1331.02e3Organizational.4-02.e 13 Education, Training and Awareness 1331.02e3Organizational.4-02.e 02.03 During Employment Shared n/a The organization trains workforce members on how to properly respond to perimeter security alarms. 6
hipaa 1812.08b3Organizational.46-08.b hipaa-1812.08b3Organizational.46-08.b 1812.08b3Organizational.46-08.b 18 Physical & Environmental Security 1812.08b3Organizational.46-08.b 08.01 Secure Areas Shared n/a Intrusion detection systems (e.g., alarms and surveillance equipment) are installed on all external doors and accessible windows, the systems are monitored, and incidents/alarms are investigated. 3
hipaa 1813.08b3Organizational.56-08.b hipaa-1813.08b3Organizational.56-08.b 1813.08b3Organizational.56-08.b 18 Physical & Environmental Security 1813.08b3Organizational.56-08.b 08.01 Secure Areas Shared n/a The organization actively monitors unoccupied areas at all times and sensitive and/or restricted areas in real time as appropriate for the area. 4
hipaa 18145.08b3Organizational.7-08.b hipaa-18145.08b3Organizational.7-08.b 18145.08b3Organizational.7-08.b 18 Physical & Environmental Security 18145.08b3Organizational.7-08.b 08.01 Secure Areas Shared n/a The organization regularly tests alarms to ensure proper operation. 2
hipaa 18146.08b3Organizational.8-08.b hipaa-18146.08b3Organizational.8-08.b 18146.08b3Organizational.8-08.b 18 Physical & Environmental Security 18146.08b3Organizational.8-08.b 08.01 Secure Areas Shared n/a The organization maintains an electronic log of alarm system events and regularly reviews the logs, no less than monthly. 4
hipaa 1816.08d2Organizational.4-08.d hipaa-1816.08d2Organizational.4-08.d 1816.08d2Organizational.4-08.d 18 Physical & Environmental Security 1816.08d2Organizational.4-08.d 08.01 Secure Areas Shared n/a Any security threats presented by neighboring premises are identified. 4
ISO27001-2013 A.11.1.1 ISO27001-2013_A.11.1.1 ISO 27001:2013 A.11.1.1 Physical And Environmental Security Physical security perimeter Shared n/a Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities. link 8
ISO27001-2013 A.11.1.6 ISO27001-2013_A.11.1.6 ISO 27001:2013 A.11.1.6 Physical And Environmental Security Delivering and loading areas Shared n/a Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access. link 5
NIST_SP_800-171_R2_3 .10.2 NIST_SP_800-171_R2_3.10.2 NIST SP 800-171 R2 3.10.2 Physical Protection Protect and monitor the physical facility and support infrastructure for organizational systems. Shared Microsoft is responsible for implementing this requirement. Monitoring of physical access includes publicly accessible areas within organizational facilities. This can be accomplished, for example, by the employment of guards; the use of sensor devices; or the use of video surveillance equipment such as cameras. Examples of support infrastructure include system distribution, transmission, and power lines. Security controls applied to the support infrastructure prevent accidental damage, disruption, and physical tampering. Such controls may also be necessary to prevent eavesdropping or modification of unencrypted transmissions. Physical access controls to support infrastructure include locked wiring closets; disconnected or locked spare jacks; protection of cabling by conduit or cable trays; and wiretapping sensors. link 2
NIST_SP_800-53_R4 PE-6(1) NIST_SP_800-53_R4_PE-6(1) NIST SP 800-53 Rev. 4 PE-6 (1) Physical And Environmental Protection Intrusion Alarms / Surveillance Equipment Shared n/a The organization monitors physical intrusion alarms and surveillance equipment. link 2
NIST_SP_800-53_R5 PE-6(1) NIST_SP_800-53_R5_PE-6(1) NIST SP 800-53 Rev. 5 PE-6 (1) Physical and Environmental Protection Intrusion Alarms and Surveillance Equipment Shared n/a Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment. link 2
SWIFT_CSCF_v2022 3.1 SWIFT_CSCF_v2022_3.1 SWIFT CSCF v2022 3.1 3. Physically Secure the Environment Prevent unauthorised physical access to sensitive equipment, workplace environments, hosting sites, and storage. Shared n/a Physical security controls are in place to protect access to sensitive equipment, hosting sites, and storage. link 8
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add f2222056-062d-1060-6dc2-0107a68c34b2
JSON compare
compare mode: version left: version right: