last sync: 2024-Nov-25 18:54:24 UTC

Create a data inventory | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Create a data inventory
Id 043c1e56-5a16-52f8-6af8-583098ff3e60
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_0096 - Create a data inventory
Additional metadata Name/Id: CMA_0096 / CMA_0096
Category: Operational
Title: Create a data inventory
Ownership: Customer
Description: Microsoft recommends that your organization maintain all necessary and required records related to systems, products, and services that process data. It is recommended that your organization consider capturing the following details in reference to systems, products, and services to create a consistent and holistic data inventory: - Owners and operators that process data and their roles with respect to the systems, products, services, and components - Categories of individuals (e.g., customers, employees or prospective employees, consumers) whose data are being processed - Data actions and its purpose of the systems, products, and services - Data elements within the data action - Data processing environment (e.g., geographic location, internal, cloud, third parties). It is also recommended to maintain technical documentation for the registration of the data store, if applicable, as this may be referenced when determining necessary security measures for different types of data. Microsoft recommends that your organization create data flow maps which illustrate the data actions and associated data elements for systems, products, and services. Data flow maps typically include components, roles of the component owners and/or operators, and interactions of individuals or third parties with the systems, products, and services. ARMA International TR 30-2017 requires organization to manage the availability of its information assets at a reasonable cost by regularly removing obsolete or redundant assets adhering to the organization's retention policies while ensuring suspending such disposition in the event of legal hold, audit, or, where appropriate, freedom of information requests.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 29 compliance controls are associated with this Policy definition 'Create a data inventory' (043c1e56-5a16-52f8-6af8-583098ff3e60)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 CM-8 FedRAMP_High_R4_CM-8 FedRAMP High CM-8 Configuration Management Information System Component Inventory Shared n/a The organization: a. Develops and documents an inventory of information system components that: 1. Accurately reflects the current information system; 2. Includes all components within the authorization boundary of the information system; 3. Is at the level of granularity deemed necessary for tracking and reporting; and 4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and b. Reviews and updates the information system component inventory [Assignment: organization-defined frequency]. Supplemental Guidance: Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). Information deemed necessary for effective accountability of information system components includes, for example, hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location. Related controls: CM-2, CM-6, PM-5. References: NIST Special Publication 800-128. link 2
FedRAMP_High_R4 CM-8(1) FedRAMP_High_R4_CM-8(1) FedRAMP High CM-8 (1) Configuration Management Updates During Installations / Removals Shared n/a The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates. link 2
FedRAMP_High_R4 CM-8(4) FedRAMP_High_R4_CM-8(4) FedRAMP High CM-8 (4) Configuration Management Accountability Information Shared n/a The organization includes in the information system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible/accountable for administering those components. Supplemental Guidance: Identifying individuals who are both responsible and accountable for administering information system components helps to ensure that the assigned components are properly administered and organizations can contact those individuals if some action is required (e.g., component is determined to be the source of a breach/compromise, component needs to be recalled/replaced, or component needs to be relocated). link 2
FedRAMP_Moderate_R4 CM-8 FedRAMP_Moderate_R4_CM-8 FedRAMP Moderate CM-8 Configuration Management Information System Component Inventory Shared n/a The organization: a. Develops and documents an inventory of information system components that: 1. Accurately reflects the current information system; 2. Includes all components within the authorization boundary of the information system; 3. Is at the level of granularity deemed necessary for tracking and reporting; and 4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and b. Reviews and updates the information system component inventory [Assignment: organization-defined frequency]. Supplemental Guidance: Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). Information deemed necessary for effective accountability of information system components includes, for example, hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location. Related controls: CM-2, CM-6, PM-5. References: NIST Special Publication 800-128. link 2
FedRAMP_Moderate_R4 CM-8(1) FedRAMP_Moderate_R4_CM-8(1) FedRAMP Moderate CM-8 (1) Configuration Management Updates During Installations / Removals Shared n/a The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates. link 2
hipaa 0701.07a1Organizational.12-07.a hipaa-0701.07a1Organizational.12-07.a 0701.07a1Organizational.12-07.a 07 Vulnerability Management 0701.07a1Organizational.12-07.a 07.01 Responsibility for Assets Shared n/a An inventory of assets and services is maintained. 7
hipaa 0703.07a2Organizational.1-07.a hipaa-0703.07a2Organizational.1-07.a 0703.07a2Organizational.1-07.a 07 Vulnerability Management 0703.07a2Organizational.1-07.a 07.01 Responsibility for Assets Shared n/a The inventory of all authorized assets includes the owner of the information asset, custodianship, categorizes the information asset according to criticality and information classification, and identifies protection and sustainment requirements commensurate with the asset's categorization. 3
hipaa 0704.07a3Organizational.12-07.a hipaa-0704.07a3Organizational.12-07.a 0704.07a3Organizational.12-07.a 07 Vulnerability Management 0704.07a3Organizational.12-07.a 07.01 Responsibility for Assets Shared n/a Organizational inventories of IT assets are updated during installations, removals, and system changes, with full physical inventories performed for capital assets (at least annually) and for non-capital assets. 3
hipaa 0720.07a1Organizational.4-07.a hipaa-0720.07a1Organizational.4-07.a 0720.07a1Organizational.4-07.a 07 Vulnerability Management 0720.07a1Organizational.4-07.a 07.01 Responsibility for Assets Shared n/a The organization's asset inventory does not duplicate other inventories unnecessarily and ensures their respective content is aligned. 2
hipaa 0725.07a3Organizational.5-07.a hipaa-0725.07a3Organizational.5-07.a 0725.07a3Organizational.5-07.a 07 Vulnerability Management 0725.07a3Organizational.5-07.a 07.01 Responsibility for Assets Shared n/a The organization provides an updated inventory, identifying assets with covered information (e.g., PII) to the CIO or information security official, and the senior privacy official on an organization-defined basis, but no less than annually. 3
hipaa 1504.06e1Organizational.34-06.e hipaa-1504.06e1Organizational.34-06.e 1504.06e1Organizational.34-06.e 15 Incident Management 1504.06e1Organizational.34-06.e 06.01 Compliance with Legal Requirements Shared n/a Management approves the use of information assets and takes appropriate action when unauthorized activity occurs. 16
hipaa 1621.09l2Organizational.1-09.l hipaa-1621.09l2Organizational.1-09.l 1621.09l2Organizational.1-09.l 16 Business Continuity & Disaster Recovery 1621.09l2Organizational.1-09.l 09.05 Information Back-Up Shared n/a Automated tools are used to track all backups. 3
ISO27001-2013 A.8.1.1 ISO27001-2013_A.8.1.1 ISO 27001:2013 A.8.1.1 Asset Management Inventory of assets Shared n/a Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained. link 2
ISO27001-2013 A.8.1.2 ISO27001-2013_A.8.1.2 ISO 27001:2013 A.8.1.2 Asset Management Ownership of assets Shared n/a Assets maintained in the inventory shall be owned. link 7
mp.com.4 Separation of information flows on the network mp.com.4 Separation of information flows on the network 404 not found n/a n/a 51
mp.info.2 Rating of information mp.info.2 Rating of information 404 not found n/a n/a 45
mp.si.3 Custody mp.si.3 Custody 404 not found n/a n/a 27
NIST_SP_800-171_R2_3 .4.1 NIST_SP_800-171_R2_3.4.1 NIST SP 800-171 R2 3.4.1 Configuration Management Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. Shared Microsoft and the customer share responsibilities for implementing this requirement. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and changes to systems. Baseline configurations include information about system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and update and patch information on operating systems and applications; and configuration settings and parameters), network topology, and the logical placement of those components within the system architecture. Baseline configurations of systems also reflect the current enterprise architecture. Maintaining effective baseline configurations requires creating new baselines as organizational systems change over time. Baseline configuration maintenance includes reviewing and updating the baseline configuration when changes are made based on security risks and deviations from the established baseline configuration. Organizations can implement centralized system component inventories that include components from multiple organizational systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., system association, system owner). Information deemed necessary for effective accountability of system components includes hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include manufacturer, device type, model, serial number, and physical location. [SP 800-128] provides guidance on security-focused configuration management. link 31
NIST_SP_800-53_R4 CM-8 NIST_SP_800-53_R4_CM-8 NIST SP 800-53 Rev. 4 CM-8 Configuration Management Information System Component Inventory Shared n/a The organization: a. Develops and documents an inventory of information system components that: 1. Accurately reflects the current information system; 2. Includes all components within the authorization boundary of the information system; 3. Is at the level of granularity deemed necessary for tracking and reporting; and 4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and b. Reviews and updates the information system component inventory [Assignment: organization-defined frequency]. Supplemental Guidance: Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). Information deemed necessary for effective accountability of information system components includes, for example, hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location. Related controls: CM-2, CM-6, PM-5. References: NIST Special Publication 800-128. link 2
NIST_SP_800-53_R4 CM-8(1) NIST_SP_800-53_R4_CM-8(1) NIST SP 800-53 Rev. 4 CM-8 (1) Configuration Management Updates During Installations / Removals Shared n/a The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates. link 2
NIST_SP_800-53_R4 CM-8(4) NIST_SP_800-53_R4_CM-8(4) NIST SP 800-53 Rev. 4 CM-8 (4) Configuration Management Accountability Information Shared n/a The organization includes in the information system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible/accountable for administering those components. Supplemental Guidance: Identifying individuals who are both responsible and accountable for administering information system components helps to ensure that the assigned components are properly administered and organizations can contact those individuals if some action is required (e.g., component is determined to be the source of a breach/compromise, component needs to be recalled/replaced, or component needs to be relocated). link 2
NIST_SP_800-53_R5 CM-8 NIST_SP_800-53_R5_CM-8 NIST SP 800-53 Rev. 5 CM-8 Configuration Management System Component Inventory Shared n/a a. Develop and document an inventory of system components that: 1. Accurately reflects the system; 2. Includes all components within the system; 3. Does not include duplicate accounting of components or components assigned to any other system; 4. Is at the level of granularity deemed necessary for tracking and reporting; and 5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]; and b. Review and update the system component inventory [Assignment: organization-defined frequency]. link 2
NIST_SP_800-53_R5 CM-8(1) NIST_SP_800-53_R5_CM-8(1) NIST SP 800-53 Rev. 5 CM-8 (1) Configuration Management Updates During Installation and Removal Shared n/a Update the inventory of system components as part of component installations, removals, and system updates. link 2
NIST_SP_800-53_R5 CM-8(4) NIST_SP_800-53_R5_CM-8(4) NIST SP 800-53 Rev. 5 CM-8 (4) Configuration Management Accountability Information Shared n/a Include in the system component inventory information, a means for identifying by [Selection (OneOrMore): name;position;role] , individuals responsible and accountable for administering those components. link 2
op.exp.1 Asset inventory op.exp.1 Asset inventory 404 not found n/a n/a 40
op.pl.2 Security Architecture op.pl.2 Security Architecture 404 not found n/a n/a 65
PCI_DSS_v4.0 12.5.2.1 PCI_DSS_v4.0_12.5.2.1 PCI DSS v4.0 12.5.2.1 Requirement 12: Support Information Security with Organizational Policies and Programs PCI DSS scope is documented and validated Shared n/a PCI DSS scope is documented and confirmed by the entity at least once every six months and upon significant change to the in-scope environment. At a minimum, the scoping validation includes all the elements specified in Requirement 12.5.2. link 2
PCI_DSS_v4.0 9.4.5.1 PCI_DSS_v4.0_9.4.5.1 PCI DSS v4.0 9.4.5.1 Requirement 09: Restrict Physical Access to Cardholder Data Media with cardholder data is securely stored, accessed, distributed, and destroyed Shared n/a Inventories of electronic media with cardholder data are conducted at least once every 12 months. link 2
SOC_2 CC6.1 SOC_2_CC6.1 SOC 2 Type 2 CC6.1 Logical and Physical Access Controls Logical access security software, infrastructure, and architectures Shared The customer is responsible for implementing this recommendation. The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion: • Identifies and Manages the Inventory of Information Assets — The entity identifies, Page 29 TSP Ref. # TRUST SERVICES CRITERIA AND POINTS OF FOCUS inventories, classifies, and manages information assets. • Restricts Logical Access — Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets. • Identifies and Authenticates Users — Persons, infrastructure, and software are identified and authenticated prior to accessing information assets, whether locally or remotely. • Considers Network Segmentation — Network segmentation permits unrelated portions of the entity's information system to be isolated from each other. • Manages Points of Access — Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed. • Restricts Access to Information Assets — Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets. • Manages Identification and Authentication — Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure, and software. • Manages Credentials for Infrastructure and Software — New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use. • Uses Encryption to Protect Data — The entity uses encryption to supplement other measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk. • Protects Encryption Keys — Processes are in place to protect encryption keys during generation, storage, use, and destruction 78
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add 043c1e56-5a16-52f8-6af8-583098ff3e60
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC