compliance controls are associated with this Policy definition 'Create a data inventory' (043c1e56-5a16-52f8-6af8-583098ff3e60)
Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
FedRAMP_High_R4 |
CM-8 |
FedRAMP_High_R4_CM-8 |
FedRAMP High CM-8 |
Configuration Management |
Information System Component Inventory |
Shared |
n/a |
The organization:
a. Develops and documents an inventory of information system components that:
1. Accurately reflects the current information system;
2. Includes all components within the authorization boundary of the information system;
3. Is at the level of granularity deemed necessary for tracking and reporting; and
4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and
b. Reviews and updates the information system component inventory [Assignment: organization-defined frequency].
Supplemental Guidance: Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). Information deemed necessary for effective accountability of information system components includes, for example, hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location. Related controls: CM-2, CM-6, PM-5.
References: NIST Special Publication 800-128. |
link |
2 |
FedRAMP_High_R4 |
CM-8(1) |
FedRAMP_High_R4_CM-8(1) |
FedRAMP High CM-8 (1) |
Configuration Management |
Updates During Installations / Removals |
Shared |
n/a |
The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates. |
link |
2 |
FedRAMP_High_R4 |
CM-8(4) |
FedRAMP_High_R4_CM-8(4) |
FedRAMP High CM-8 (4) |
Configuration Management |
Accountability Information |
Shared |
n/a |
The organization includes in the information system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible/accountable for administering those components.
Supplemental Guidance: Identifying individuals who are both responsible and accountable for administering information system components helps to ensure that the assigned components are properly administered and organizations can contact those individuals if some action is required (e.g., component is determined to be the source of a breach/compromise, component needs to be recalled/replaced, or component needs to be relocated). |
link |
2 |
FedRAMP_Moderate_R4 |
CM-8 |
FedRAMP_Moderate_R4_CM-8 |
FedRAMP Moderate CM-8 |
Configuration Management |
Information System Component Inventory |
Shared |
n/a |
The organization:
a. Develops and documents an inventory of information system components that:
1. Accurately reflects the current information system;
2. Includes all components within the authorization boundary of the information system;
3. Is at the level of granularity deemed necessary for tracking and reporting; and
4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and
b. Reviews and updates the information system component inventory [Assignment: organization-defined frequency].
Supplemental Guidance: Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). Information deemed necessary for effective accountability of information system components includes, for example, hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location. Related controls: CM-2, CM-6, PM-5.
References: NIST Special Publication 800-128. |
link |
2 |
FedRAMP_Moderate_R4 |
CM-8(1) |
FedRAMP_Moderate_R4_CM-8(1) |
FedRAMP Moderate CM-8 (1) |
Configuration Management |
Updates During Installations / Removals |
Shared |
n/a |
The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates. |
link |
2 |
hipaa |
0701.07a1Organizational.12-07.a |
hipaa-0701.07a1Organizational.12-07.a |
0701.07a1Organizational.12-07.a |
07 Vulnerability Management |
0701.07a1Organizational.12-07.a 07.01 Responsibility for Assets |
Shared |
n/a |
An inventory of assets and services is maintained. |
|
7 |
hipaa |
0703.07a2Organizational.1-07.a |
hipaa-0703.07a2Organizational.1-07.a |
0703.07a2Organizational.1-07.a |
07 Vulnerability Management |
0703.07a2Organizational.1-07.a 07.01 Responsibility for Assets |
Shared |
n/a |
The inventory of all authorized assets includes the owner of the information asset, custodianship, categorizes the information asset according to criticality and information classification, and identifies protection and sustainment requirements commensurate with the asset's categorization. |
|
3 |
hipaa |
0704.07a3Organizational.12-07.a |
hipaa-0704.07a3Organizational.12-07.a |
0704.07a3Organizational.12-07.a |
07 Vulnerability Management |
0704.07a3Organizational.12-07.a 07.01 Responsibility for Assets |
Shared |
n/a |
Organizational inventories of IT assets are updated during installations, removals, and system changes, with full physical inventories performed for capital assets (at least annually) and for non-capital assets. |
|
3 |
hipaa |
0720.07a1Organizational.4-07.a |
hipaa-0720.07a1Organizational.4-07.a |
0720.07a1Organizational.4-07.a |
07 Vulnerability Management |
0720.07a1Organizational.4-07.a 07.01 Responsibility for Assets |
Shared |
n/a |
The organization's asset inventory does not duplicate other inventories unnecessarily and ensures their respective content is aligned. |
|
2 |
hipaa |
0725.07a3Organizational.5-07.a |
hipaa-0725.07a3Organizational.5-07.a |
0725.07a3Organizational.5-07.a |
07 Vulnerability Management |
0725.07a3Organizational.5-07.a 07.01 Responsibility for Assets |
Shared |
n/a |
The organization provides an updated inventory, identifying assets with covered information (e.g., PII) to the CIO or information security official, and the senior privacy official on an organization-defined basis, but no less than annually. |
|
3 |
hipaa |
1504.06e1Organizational.34-06.e |
hipaa-1504.06e1Organizational.34-06.e |
1504.06e1Organizational.34-06.e |
15 Incident Management |
1504.06e1Organizational.34-06.e 06.01 Compliance with Legal Requirements |
Shared |
n/a |
Management approves the use of information assets and takes appropriate action when unauthorized activity occurs. |
|
16 |
hipaa |
1621.09l2Organizational.1-09.l |
hipaa-1621.09l2Organizational.1-09.l |
1621.09l2Organizational.1-09.l |
16 Business Continuity & Disaster Recovery |
1621.09l2Organizational.1-09.l 09.05 Information Back-Up |
Shared |
n/a |
Automated tools are used to track all backups. |
|
3 |
ISO27001-2013 |
A.8.1.1 |
ISO27001-2013_A.8.1.1 |
ISO 27001:2013 A.8.1.1 |
Asset Management |
Inventory of assets |
Shared |
n/a |
Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained. |
link |
2 |
ISO27001-2013 |
A.8.1.2 |
ISO27001-2013_A.8.1.2 |
ISO 27001:2013 A.8.1.2 |
Asset Management |
Ownership of assets |
Shared |
n/a |
Assets maintained in the inventory shall be owned. |
link |
7 |
|
mp.com.4 Separation of information flows on the network |
mp.com.4 Separation of information flows on the network |
404 not found |
|
|
|
n/a |
n/a |
|
51 |
|
mp.info.2 Rating of information |
mp.info.2 Rating of information |
404 not found |
|
|
|
n/a |
n/a |
|
45 |
|
mp.si.3 Custody |
mp.si.3 Custody |
404 not found |
|
|
|
n/a |
n/a |
|
27 |
NIST_SP_800-171_R2_3 |
.4.1 |
NIST_SP_800-171_R2_3.4.1 |
NIST SP 800-171 R2 3.4.1 |
Configuration Management |
Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and changes to systems. Baseline configurations include information about system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and update and patch information on operating systems and applications; and configuration settings and parameters), network topology, and the logical placement of those components within the system architecture. Baseline configurations of systems also reflect the current enterprise architecture. Maintaining effective baseline configurations requires creating new baselines as organizational systems change over time. Baseline configuration maintenance includes reviewing and updating the baseline configuration when changes are made based on security risks and deviations from the established baseline configuration. Organizations can implement centralized system component inventories that include components from multiple organizational systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., system association, system owner). Information deemed necessary for effective accountability of system components includes hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include manufacturer, device type, model, serial number, and physical location. [SP 800-128] provides guidance on security-focused configuration management. |
link |
31 |
NIST_SP_800-53_R4 |
CM-8 |
NIST_SP_800-53_R4_CM-8 |
NIST SP 800-53 Rev. 4 CM-8 |
Configuration Management |
Information System Component Inventory |
Shared |
n/a |
The organization:
a. Develops and documents an inventory of information system components that:
1. Accurately reflects the current information system;
2. Includes all components within the authorization boundary of the information system;
3. Is at the level of granularity deemed necessary for tracking and reporting; and
4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and
b. Reviews and updates the information system component inventory [Assignment: organization-defined frequency].
Supplemental Guidance: Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). Information deemed necessary for effective accountability of information system components includes, for example, hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location. Related controls: CM-2, CM-6, PM-5.
References: NIST Special Publication 800-128. |
link |
2 |
NIST_SP_800-53_R4 |
CM-8(1) |
NIST_SP_800-53_R4_CM-8(1) |
NIST SP 800-53 Rev. 4 CM-8 (1) |
Configuration Management |
Updates During Installations / Removals |
Shared |
n/a |
The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates. |
link |
2 |
NIST_SP_800-53_R4 |
CM-8(4) |
NIST_SP_800-53_R4_CM-8(4) |
NIST SP 800-53 Rev. 4 CM-8 (4) |
Configuration Management |
Accountability Information |
Shared |
n/a |
The organization includes in the information system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible/accountable for administering those components.
Supplemental Guidance: Identifying individuals who are both responsible and accountable for administering information system components helps to ensure that the assigned components are properly administered and organizations can contact those individuals if some action is required (e.g., component is determined to be the source of a breach/compromise, component needs to be recalled/replaced, or component needs to be relocated). |
link |
2 |
NIST_SP_800-53_R5 |
CM-8 |
NIST_SP_800-53_R5_CM-8 |
NIST SP 800-53 Rev. 5 CM-8 |
Configuration Management |
System Component Inventory |
Shared |
n/a |
a. Develop and document an inventory of system components that:
1. Accurately reflects the system;
2. Includes all components within the system;
3. Does not include duplicate accounting of components or components assigned to any other system;
4. Is at the level of granularity deemed necessary for tracking and reporting; and
5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]; and
b. Review and update the system component inventory [Assignment: organization-defined frequency]. |
link |
2 |
NIST_SP_800-53_R5 |
CM-8(1) |
NIST_SP_800-53_R5_CM-8(1) |
NIST SP 800-53 Rev. 5 CM-8 (1) |
Configuration Management |
Updates During Installation and Removal |
Shared |
n/a |
Update the inventory of system components as part of component installations, removals, and system updates. |
link |
2 |
NIST_SP_800-53_R5 |
CM-8(4) |
NIST_SP_800-53_R5_CM-8(4) |
NIST SP 800-53 Rev. 5 CM-8 (4) |
Configuration Management |
Accountability Information |
Shared |
n/a |
Include in the system component inventory information, a means for identifying by [Selection (OneOrMore): name;position;role] , individuals responsible and accountable for administering those components. |
link |
2 |
|
op.exp.1 Asset inventory |
op.exp.1 Asset inventory |
404 not found |
|
|
|
n/a |
n/a |
|
40 |
|
op.pl.2 Security Architecture |
op.pl.2 Security Architecture |
404 not found |
|
|
|
n/a |
n/a |
|
65 |
PCI_DSS_v4.0 |
12.5.2.1 |
PCI_DSS_v4.0_12.5.2.1 |
PCI DSS v4.0 12.5.2.1 |
Requirement 12: Support Information Security with Organizational Policies and Programs |
PCI DSS scope is documented and validated |
Shared |
n/a |
PCI DSS scope is documented and confirmed by the entity at least once every six months and upon significant change to the in-scope environment. At a minimum, the scoping validation includes all the elements specified in Requirement
12.5.2. |
link |
2 |
PCI_DSS_v4.0 |
9.4.5.1 |
PCI_DSS_v4.0_9.4.5.1 |
PCI DSS v4.0 9.4.5.1 |
Requirement 09: Restrict Physical Access to Cardholder Data |
Media with cardholder data is securely stored, accessed, distributed, and destroyed |
Shared |
n/a |
Inventories of electronic media with cardholder data are conducted at least once every 12 months. |
link |
2 |
SOC_2 |
CC6.1 |
SOC_2_CC6.1 |
SOC 2 Type 2 CC6.1 |
Logical and Physical Access Controls |
Logical access security software, infrastructure, and architectures |
Shared |
The customer is responsible for implementing this recommendation. |
The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion:
• Identifies and Manages the Inventory of Information Assets — The entity identifies,
Page 29
TSP
Ref. #
TRUST SERVICES CRITERIA AND POINTS OF FOCUS
inventories, classifies, and manages information assets.
• Restricts Logical Access — Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative
authorities, mobile devices, output, and offline system components is restricted
through the use of access control software and rule sets.
• Identifies and Authenticates Users — Persons, infrastructure, and software are
identified and authenticated prior to accessing information assets, whether locally
or remotely.
• Considers Network Segmentation — Network segmentation permits unrelated portions of the entity's information system to be isolated from each other.
• Manages Points of Access — Points of access by outside entities and the types of
data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified,
documented, and managed.
• Restricts Access to Information Assets — Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets.
• Manages Identification and Authentication — Identification and authentication requirements are established, documented, and managed for individuals and systems
accessing entity information, infrastructure, and software.
• Manages Credentials for Infrastructure and Software — New internal and external
infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point.
Credentials are removed and access is disabled when access is no longer required
or the infrastructure and software are no longer in use.
• Uses Encryption to Protect Data — The entity uses encryption to supplement other
measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk.
• Protects Encryption Keys — Processes are in place to protect encryption keys during generation, storage, use, and destruction |
|
78 |