last sync: 2024-Oct-07 17:51:17 UTC

Separately store backup information | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Separately store backup information
Id fc26e2fd-3149-74b4-5988-d64bb90f8ef7
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_C1293 - Separately store backup information
Additional metadata Name/Id: CMA_C1293 / CMA_C1293
Category: Operational
Title: Separately store backup information
Ownership: Customer
Description: The customer is responsible for separately storing backup information (e.g., separate facility or fire-rated container that is not collocated). Note: if the customer configures Microsoft Azure backup services appropriately, Azure can support the protection of backup data.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 20 compliance controls are associated with this Policy definition 'Separately store backup information' (fc26e2fd-3149-74b4-5988-d64bb90f8ef7)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 CP-9(3) FedRAMP_High_R4_CP-9(3) FedRAMP High CP-9 (3) Contingency Planning Separate Storage For Critical Information Shared n/a The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system. Supplemental Guidance: Critical information system software includes, for example, operating systems, cryptographic key management systems, and intrusion detection/prevention systems. Security-related information includes, for example, organizational inventories of hardware, software, and firmware components. Alternate storage sites typically serve as separate storage facilities for organizations. Related controls: CM-2, CM-8. link 1
FedRAMP_Moderate_R4 CP-9(3) FedRAMP_Moderate_R4_CP-9(3) FedRAMP Moderate CP-9 (3) Contingency Planning Separate Storage For Critical Information Shared n/a The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system. Supplemental Guidance: Critical information system software includes, for example, operating systems, cryptographic key management systems, and intrusion detection/prevention systems. Security-related information includes, for example, organizational inventories of hardware, software, and firmware components. Alternate storage sites typically serve as separate storage facilities for organizations. Related controls: CM-2, CM-8. link 1
hipaa 0824.09m3Organizational.1-09.m hipaa-0824.09m3Organizational.1-09.m 0824.09m3Organizational.1-09.m 08 Network Protection 0824.09m3Organizational.1-09.m 09.06 Network Security Management Shared n/a The impact of the loss of network service to the business is defined. 10
hipaa 0860.09m1Organizational.9-09.m hipaa-0860.09m1Organizational.9-09.m 0860.09m1Organizational.9-09.m 08 Network Protection 0860.09m1Organizational.9-09.m 09.06 Network Security Management Shared n/a The organization formally manages equipment on the network, including equipment in user areas. 5
hipaa 1608.12c2Organizational.5-12.c hipaa-1608.12c2Organizational.5-12.c 1608.12c2Organizational.5-12.c 16 Business Continuity & Disaster Recovery 1608.12c2Organizational.5-12.c 12.01 Information Security Aspects of Business Continuity Management Shared n/a Business continuity plans are stored in a remote location. 3
hipaa 1618.09l1Organizational.45-09.l hipaa-1618.09l1Organizational.45-09.l 1618.09l1Organizational.45-09.l 16 Business Continuity & Disaster Recovery 1618.09l1Organizational.45-09.l 09.05 Information Back-Up Shared n/a The backups are stored in a physically secure remote location, at a sufficient distance to make them reasonably immune from damage to data at the primary site, and reasonable physical and environmental controls are in place to ensure their protection at the remote location. 7
hipaa 1620.09l1Organizational.8-09.l hipaa-1620.09l1Organizational.8-09.l 1620.09l1Organizational.8-09.l 16 Business Continuity & Disaster Recovery 1620.09l1Organizational.8-09.l 09.05 Information Back-Up Shared n/a When the backup service is delivered by the third-party, the service level agreement includes the detailed protections to control confidentiality, integrity and availability of the backup information. 5
hipaa 1622.09l2Organizational.23-09.l hipaa-1622.09l2Organizational.23-09.l 1622.09l2Organizational.23-09.l 16 Business Continuity & Disaster Recovery 1622.09l2Organizational.23-09.l 09.05 Information Back-Up Shared n/a The integrity and security of the backup copies are maintained to ensure future availability, and any potential accessibility problems with the backup copies are identified and mitigated in the event of an area-wide disaster. 4
hipaa 1627.09l3Organizational.6-09.l hipaa-1627.09l3Organizational.6-09.l 1627.09l3Organizational.6-09.l 16 Business Continuity & Disaster Recovery 1627.09l3Organizational.6-09.l 09.05 Information Back-Up Shared n/a The organization tests backup information following each backup to verify media reliability and information integrity, and at least annually thereafter. 2
ISO27001-2013 A.12.3.1 ISO27001-2013_A.12.3.1 ISO 27001:2013 A.12.3.1 Operations Security Information backup Shared n/a Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy. link 13
mp.info.6 Backups mp.info.6 Backups 404 not found n/a n/a 65
mp.si.2 Cryptography mp.si.2 Cryptography 404 not found n/a n/a 32
NIST_SP_800-53_R4 CP-9(3) NIST_SP_800-53_R4_CP-9(3) NIST SP 800-53 Rev. 4 CP-9 (3) Contingency Planning Separate Storage For Critical Information Shared n/a The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system. Supplemental Guidance: Critical information system software includes, for example, operating systems, cryptographic key management systems, and intrusion detection/prevention systems. Security-related information includes, for example, organizational inventories of hardware, software, and firmware components. Alternate storage sites typically serve as separate storage facilities for organizations. Related controls: CM-2, CM-8. link 1
NIST_SP_800-53_R5 CP-9(3) NIST_SP_800-53_R5_CP-9(3) NIST SP 800-53 Rev. 5 CP-9 (3) Contingency Planning Separate Storage for Critical Information Shared n/a Store backup copies of [Assignment: organization-defined critical system software and other security-related information] in a separate facility or in a fire rated container that is not collocated with the operational system. link 1
op.cont.3 Periodic tests op.cont.3 Periodic tests 404 not found n/a n/a 91
op.cont.4 Alternative means op.cont.4 Alternative means 404 not found n/a n/a 95
op.exp.3 Security configuration management op.exp.3 Security configuration management 404 not found n/a n/a 123
SOC_2 A1.2 SOC_2_A1.2 SOC 2 Type 2 A1.2 Additional Criteria For Availability Environmental protections, software, data back-up processes, and recovery infrastructure Shared The customer is responsible for implementing this recommendation. Identifies Environmental Threats — As part of the risk assessment process, management identifies environmental threats that could impair the availability of the system, including threats resulting from adverse weather, failure of environmental control systems, electrical discharge, fire, and water. • Designs Detection Measures — Detection measures are implemented to identify anomalies that could result from environmental threat events. • Implements and Maintains Environmental Protection Mechanisms — Management implements and maintains environmental protection mechanisms to prevent and mitigate environmental events. • Implements Alerts to Analyze Anomalies — Management implements alerts that are communicated to personnel for analysis to identify environmental threat events. • Responds to Environmental Threat Events — Procedures are in place for responding to environmental threat events and for evaluating the effectiveness of those policies and procedures on a periodic basis. This includes automatic mitigation systems (for example, uninterruptable power system and generator backup subsystem). • Communicates and Reviews Detected Environmental Threat Events — Detected environmental threat events are communicated to and reviewed by the individuals responsible for the management of the system and actions are taken, if necessary. • Determines Data Requiring Backup — Data is evaluated to determine whether backup is required. • Performs Data Backup — Procedures are in place for backing up data, monitoring to detect backup failures, and initiating corrective action when such failures occur. • Addresses Offsite Storage — Backup data is stored in a location at a distance from its principal storage location sufficient that the likelihood of a security or environmental threat event affecting both sets of data is reduced to an appropriate level. • Implements Alternate Processing Infrastructure — Measures are implemented for migrating processing to alternate infrastructure in the event normal processing infrastructure becomes unavailable. 13
SOC_2 PI1.5 SOC_2_PI1.5 SOC 2 Type 2 PI1.5 Additional Criteria For Processing Integrity Store inputs and outputs completely, accurately, and timely Shared The customer is responsible for implementing this recommendation. • Protects Stored Items — Stored items are protected to prevent theft, corruption, destruction, or deterioration that would prevent output from meeting specifications. • Archives and Protects System Records — System records are archived and archives are protected against theft, corruption, destruction, or deterioration that would prevent them from being used. • Stores Data Completely and Accurately — Procedures are in place to provide for the complete, accurate, and timely storage of data. • Creates and Maintains Records of System Storage Activities — Records of system storage activities are created and maintained completely and accurately in a timely manner 10
SWIFT_CSCF_v2022 9.2 SWIFT_CSCF_v2022_9.2 SWIFT CSCF v2022 9.2 9. Ensure Availability through Resilience Providers must ensure that the service remains available for customers in the event of a site disaster. Shared n/a Providers must ensure that the service remains available for customers in the event of a site disaster. link 13
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add fc26e2fd-3149-74b4-5988-d64bb90f8ef7
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC