last sync: 2024-Oct-10 19:12:06 UTC

Select additional testing for security control assessments | Regulatory Compliance - Documentation

Azure BuiltIn Policy definition

Source Azure Portal
Display name Select additional testing for security control assessments
Id f78fc35e-1268-0bca-a798-afcba9d2330a
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_C1149 - Select additional testing for security control assessments
Additional metadata Name/Id: CMA_C1149 / CMA_C1149
Category: Documentation
Title: Select additional testing for security control assessments
Ownership: Customer
Description: The customer is responsible for the selection of additional testing to be included as part of security control assessments.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 14 compliance controls are associated with this Policy definition 'Select additional testing for security control assessments' (f78fc35e-1268-0bca-a798-afcba9d2330a)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 CA-2(2) FedRAMP_High_R4_CA-2(2) FedRAMP High CA-2 (2) Security Assessment And Authorization Specialized Assessments Shared n/a The organization includes as part of security control assessments, [Assignment: organization- defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]]. Supplemental Guidance: Organizations can employ information system monitoring, insider threat assessments, malicious user testing, and other forms of testing (e.g., verification and validation) to improve readiness by exercising organizational capabilities and indicating current performance levels as a means of focusing actions to improve security. Organizations conduct assessment activities in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. Organizations can incorporate vulnerabilities uncovered during assessments into vulnerability remediation processes. Related controls: PE-3, SI-2. link 1
FedRAMP_Moderate_R4 CA-2(2) FedRAMP_Moderate_R4_CA-2(2) FedRAMP Moderate CA-2 (2) Security Assessment And Authorization Specialized Assessments Shared n/a The organization includes as part of security control assessments, [Assignment: organization- defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]]. Supplemental Guidance: Organizations can employ information system monitoring, insider threat assessments, malicious user testing, and other forms of testing (e.g., verification and validation) to improve readiness by exercising organizational capabilities and indicating current performance levels as a means of focusing actions to improve security. Organizations conduct assessment activities in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. Organizations can incorporate vulnerabilities uncovered during assessments into vulnerability remediation processes. Related controls: PE-3, SI-2. link 1
hipaa 0177.05h1Organizational.12-05.h hipaa-0177.05h1Organizational.12-05.h 0177.05h1Organizational.12-05.h 01 Information Protection Program 0177.05h1Organizational.12-05.h 05.01 Internal Organization Shared n/a An independent review of the organization's information security management program is initiated by management to ensure the continuing suitability, adequacy, and effectiveness of the organization's approach to managing information security. 5
hipaa 0614.06h2Organizational.12-06.h hipaa-0614.06h2Organizational.12-06.h 0614.06h2Organizational.12-06.h 06 Configuration Management 0614.06h2Organizational.12-06.h 06.02 Compliance with Security Policies and Standards, and Technical Compliance Shared n/a Technical compliance checks are performed by an experienced specialist with the assistance of industry standard automated tools, which generate a technical report for subsequent interpretation. These checks are performed annually, but more frequently where needed, based on risk as part of an official risk assessment process. 6
hipaa 0662.09sCSPOrganizational.2-09.s hipaa-0662.09sCSPOrganizational.2-09.s 0662.09sCSPOrganizational.2-09.s 06 Configuration Management 0662.09sCSPOrganizational.2-09.s 09.08 Exchange of Information Shared n/a Cloud service providers use an industry-recognized virtualization platform and standard virtualization formats (e.g., Open Virtualization Format, OVF) to help ensure interoperability, and has documented custom changes made to any hypervisor in use and all solution-specific virtualization hooks available for customer review. 3
hipaa 0709.10m1Organizational.1-10.m hipaa-0709.10m1Organizational.1-10.m 0709.10m1Organizational.1-10.m 07 Vulnerability Management 0709.10m1Organizational.1-10.m 10.06 Technical Vulnerability Management Shared n/a Technical vulnerabilities are identified, evaluated for risk, and corrected in a timely manner. 11
hipaa 0712.10m2Organizational.4-10.m hipaa-0712.10m2Organizational.4-10.m 0712.10m2Organizational.4-10.m 07 Vulnerability Management 0712.10m2Organizational.4-10.m 10.06 Technical Vulnerability Management Shared n/a Internal and external vulnerability assessments of covered information systems, virtualized environments, and networked environments, including both network- and application-layer tests, are performed by a qualified individual on a quarterly basis or after significant changes. 2
hipaa 12102.09ab1Organizational.4-09.ab hipaa-12102.09ab1Organizational.4-09.ab 12102.09ab1Organizational.4-09.ab 12 Audit Logging & Monitoring 12102.09ab1Organizational.4-09.ab 09.10 Monitoring Shared n/a The organization periodically tests its monitoring and detection processes, remediates deficiencies, and improves its processes. 7
ISO27001-2013 A.12.6.1 ISO27001-2013_A.12.6.1 ISO 27001:2013 A.12.6.1 Operations Security Management of technical vulnerabilities Shared n/a Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk. link 12
mp.sw.2 Acceptance and commissioning mp.sw.2 Acceptance and commissioning 404 not found n/a n/a 60
NIST_SP_800-53_R4 CA-2(2) NIST_SP_800-53_R4_CA-2(2) NIST SP 800-53 Rev. 4 CA-2 (2) Security Assessment And Authorization Specialized Assessments Shared n/a The organization includes as part of security control assessments, [Assignment: organization- defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]]. Supplemental Guidance: Organizations can employ information system monitoring, insider threat assessments, malicious user testing, and other forms of testing (e.g., verification and validation) to improve readiness by exercising organizational capabilities and indicating current performance levels as a means of focusing actions to improve security. Organizations conduct assessment activities in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. Organizations can incorporate vulnerabilities uncovered during assessments into vulnerability remediation processes. Related controls: PE-3, SI-2. link 1
NIST_SP_800-53_R5 CA-2(2) NIST_SP_800-53_R5_CA-2(2) NIST SP 800-53 Rev. 5 CA-2 (2) Assessment, Authorization, and Monitoring Specialized Assessments Shared n/a Include as part of control assessments, [Assignment: organization-defined frequency], [Selection: announced;unannounced] , [Selection (OneOrMore): in-depth monitoring;security instrumentation;automated security test cases;vulnerability scanning;malicious user testing;insider threat assessment;performance and load testing;data leakage or data loss assessment; [Assignment: organization-defined other forms of assessment] ] . link 1
PCI_DSS_v4.0 12.4.2 PCI_DSS_v4.0_12.4.2 PCI DSS v4.0 12.4.2 Requirement 12: Support Information Security with Organizational Policies and Programs PCI DSS compliance is managed Shared n/a Reviews are performed at least once every three months, by personnel other than those responsible for performing the given task to confirm personnel are performing their tasks, in accordance with all security policies and all operational procedures, including but not limited to the following tasks: • Daily log reviews. • Configuration reviews for network security controls. • Applying configuration standards to new systems. • Responding to security alerts. • Change-management processes. link 6
SOC_2 CC4.1 SOC_2_CC4.1 SOC 2 Type 2 CC4.1 Monitoring Activities COSO Principle 16 Shared The customer is responsible for implementing this recommendation. • Considers a Mix of Ongoing and Separate Evaluations — Management includes a balance of ongoing and separate evaluations. • Considers Rate of Change — Management considers the rate of change in business and business processes when selecting and developing ongoing and separate evaluations. • Establishes Baseline Understanding — The design and current state of an internal control system are used to establish a baseline for ongoing and separate evaluations. • Uses Knowledgeable Personnel — Evaluators performing ongoing and separate evaluations have sufficient knowledge to understand what is being evaluated. • Integrates With Business Processes — Ongoing evaluations are built into the business processes and adjust to changing conditions. • Adjusts Scope and Frequency — Management varies the scope and frequency of separate evaluations depending on risk. Page 26 TSP Ref. # TRUST SERVICES CRITERIA AND POINTS OF FOCUS • Objectively Evaluates — Separate evaluations are performed periodically to provide objective feedback. Additional point of focus specifically related to all engagements using the trust services criteria: • Considers Different Types of Ongoing and Separate Evaluations — Management uses a variety of different types of ongoing and separate evaluations, including penetration testing, independent certification made against established specifications (for example, ISO certifications), and internal audit assessments 3
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add f78fc35e-1268-0bca-a798-afcba9d2330a
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC