last sync: 2024-Jun-24 18:15:26 UTC

Microsoft Managed Control 1222 - Information System Component Inventory | Regulatory Compliance - Configuration Management

Azure BuiltIn Policy definition

Source Azure Portal
Display name Microsoft Managed Control 1222 - Information System Component Inventory
Id fb39e62f-6bda-4558-8088-ec03d5670914
Version 1.0.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description Microsoft implements this Configuration Management control
Additional metadata Name/Id: ACF1222 / Microsoft Managed Control 1222
Category: Configuration Management
Title: Information System Component Inventory - Accurate Reality, Granularity, And Accountability
Ownership: Customer, Microsoft
Description: The organization: Develops and documents an inventory of information system components that: Accurately reflects the current information system; Includes all components within the authorization boundary of the information system; Is at the level of granularity deemed necessary for tracking and reporting; and Includes Unique asset identifier, NetBIOS name, Baseline configuration name, OS Name, IP address, Host Name, Server Name, Property Group, Serial Number, MS Asset Number, Datacenter, Collocation, Location Zone, Rack, Rack Slot Number, Environment, Manufacturer, Model, Platform Operating System, and Function; and
Requirements: After collecting inventory information from the below sources and teams, Azure consolidates the information and performs month-over-month data analysis and reconciliation. Any changes to, additions to, or removals from the inventory are identified, verified, and explained. This data is stored within the Kusto and Cosmos tools. For all asset types, the inventory is consistent with the authorization boundary because it is kept up to date with new installations and decommissioning of devices. The inventory of logical assets are tracked in service Privacy Review documentation, which is reviewed as a part of the regular privacy review, or when there is a new component being reviewed as a part of the new feature Privacy Review. The Privacy Review documentation also maintains the retention requirements of the data as per regulatory requirements. The inventory of all assets for Azure services must be maintained by and are obtained from the service owners using the following methods. Servers Physical inventory data is pulled daily from nine different sources, both available to customers and internal tools. These sources include MS Asset, DCMT, Cockpit, VMAC, Intune, Active Directory (AD), DNS, Network Graph Service (NGS), and Fabric2. These sources are maintained by each individual service team. # Host The Host inventory consists of nodes which have VM containers running on top of them. Nodes are differentiated by the type of work they do. If a node hosts virtual machines, then it is a Host node. If a node doesn't have virtual machines and the entire node is in use, then it is a Native node. Host inventory data is generated automatically using subscription data. # Native Native data is generated automatically using subscription data. # Infraguest Infraguest data is generated from subscriptions within Service Tree and the SQL team. Those subscriptions are then used to query Geneva Actions; each service team owns Azure subscriptions, and Geneva Actions generates reports showing all of the virtual machines belonging to each subscription ID. # Bare Metal The Bare Metal server inventory is defined as physical servers without virtual machines running on top. The inventory mapping is done through Service Tree. All MSAsset assets are assigned a Property Group and Property Dimension. These are assigned the ownership. Service Tree takes the owner associated and assigns a service based on the owner’s division. # Pilotfish Pilotfish data is generated from the Pilotfish team, which provides a web service that the Inventory team queries to get the data. Network Devices Network data is populated from streams from the Azure Networking team. The Azure Networking team provides device data in Kusto which is processed by the Inventory team to add other attributes like Service Tree Name and asset identifier. # Databases Database information is calculated based upon the inventory of physical and virtual servers received from each team. # Web Endpoints Web endpoints are manually provided by each service team.
Mode Indexed
Type Static
Preview False
Deprecated False
Effect Fixed
audit
RBAC role(s) none
Rule aliases none
Rule resource types IF (2)
Microsoft.Resources/subscriptions
Microsoft.Resources/subscriptions/resourceGroups
Compliance
The following 1 compliance controls are associated with this Policy definition 'Microsoft Managed Control 1222 - Information System Component Inventory' (fb39e62f-6bda-4558-8088-ec03d5670914)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
op.exp.1 Asset inventory op.exp.1 Asset inventory 404 not found n/a n/a 40
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
History none
JSON compare n/a
JSON
api-version=2021-06-01
EPAC