last sync: 2024-Nov-25 18:54:24 UTC

Govern the allocation of resources | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Govern the allocation of resources
Id 33d34fac-56a8-1c0f-0636-3ed94892a709
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_0293 - Govern the allocation of resources
Additional metadata Name/Id: CMA_0293 / CMA_0293
Category: Operational
Title: Govern the allocation of resources
Ownership: Customer
Description: Microsoft recommends that your organization determine, document, and allocate the resources required to protect the information system or information system service as part of its capital planning and investment control process. Resource allocation for information security can include funding for the initial information system or information system service acquisition and funding for the sustainment of the system/service. Your organization should consider determining information security requirements for the information system or information system service in mission/business process planning. In addition, your organization can establish a discrete line item for information security in organizational programming and budgeting documentation.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 15 compliance controls are associated with this Policy definition 'Govern the allocation of resources' (33d34fac-56a8-1c0f-0636-3ed94892a709)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 SA-2 FedRAMP_High_R4_SA-2 FedRAMP High SA-2 System And Services Acquisition Allocation Of Resources Shared n/a The organization: a. Determines information security requirements for the information system or information system service in mission/business process planning; b. Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and c. Establishes a discrete line item for information security in organizational programming and budgeting documentation. Supplemental Guidance: Resource allocation for information security includes funding for the initial information system or information system service acquisition and funding for the sustainment of the system/service. Related controls: PM-3, PM-11. Control Enhancements: None. References: NIST Special Publication 800-65. link 6
FedRAMP_High_R4 SC-6 FedRAMP_High_R4_SC-6 FedRAMP High SC-6 System And Communications Protection Resource Availability Shared n/a The information system protects the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (one or more); priority; quota; [Assignment: organization-defined security safeguards]]. Supplemental Guidance: Priority protection helps prevent lower-priority processes from delaying or interfering with the information system servicing any higher-priority processes. Quotas prevent users or processes from obtaining more than predetermined amounts of resources. This control does not apply to information system components for which there are only single users/roles. Control Enhancements: None. References: None. link 3
FedRAMP_Moderate_R4 SA-2 FedRAMP_Moderate_R4_SA-2 FedRAMP Moderate SA-2 System And Services Acquisition Allocation Of Resources Shared n/a The organization: a. Determines information security requirements for the information system or information system service in mission/business process planning; b. Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and c. Establishes a discrete line item for information security in organizational programming and budgeting documentation. Supplemental Guidance: Resource allocation for information security includes funding for the initial information system or information system service acquisition and funding for the sustainment of the system/service. Related controls: PM-3, PM-11. Control Enhancements: None. References: NIST Special Publication 800-65. link 6
FedRAMP_Moderate_R4 SC-6 FedRAMP_Moderate_R4_SC-6 FedRAMP Moderate SC-6 System And Communications Protection Resource Availability Shared n/a The information system protects the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (one or more); priority; quota; [Assignment: organization-defined security safeguards]]. Supplemental Guidance: Priority protection helps prevent lower-priority processes from delaying or interfering with the information system servicing any higher-priority processes. Quotas prevent users or processes from obtaining more than predetermined amounts of resources. This control does not apply to information system components for which there are only single users/roles. Control Enhancements: None. References: None. link 3
hipaa 0120.05a1Organizational.4-05.a hipaa-0120.05a1Organizational.4-05.a 0120.05a1Organizational.4-05.a 01 Information Protection Program 0120.05a1Organizational.4-05.a 05.01 Internal Organization Shared n/a Capital planning and investment requests include the resources needed to implement the security program, employ a business case (or Exhibit 300 and/or 53 for federal government); and the organization ensures the resources are available for expenditure as planned. 8
hipaa 0818.01w3System.12-01.w hipaa-0818.01w3System.12-01.w 0818.01w3System.12-01.w 08 Network Protection 0818.01w3System.12-01.w 01.06 Application and Information Access Control Shared n/a Shared system resources (e.g., registers, main memory, secondary storage) are released back to the system, protected from disclosure to other systems/applications/users, and users cannot intentionally or unintentionally access information remnants. 4
ISO27001-2013 A.6.1.5 ISO27001-2013_A.6.1.5 ISO 27001:2013 A.6.1.5 Organization of Information Security Information security in project management Shared n/a Information security shall be addressed in project management, regardless of the type of the project. link 25
ISO27001-2013 C.4.3.c ISO27001-2013_C.4.3.c ISO 27001:2013 C.4.3.c Context of the organization Determining the scope of the information security management system Shared n/a The organization shall determine the boundaries and applicability of the information security management system to establish its scope. When determining this scope, the organization shall consider: c) interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations. The scope shall be available as documented information. link 18
ISO27001-2013 C.5.1.c ISO27001-2013_C.5.1.c ISO 27001:2013 C.5.1.c Leadership Leadership and commitment Shared n/a Top management shall demonstrate leadership and commitment with respect to the information security management system by: c) ensuring that the resources needed for the information security management system are available. link 10
ISO27001-2013 C.5.1.f ISO27001-2013_C.5.1.f ISO 27001:2013 C.5.1.f Leadership Leadership and commitment Shared n/a Top management shall demonstrate leadership and commitment with respect to the information security management system by: f) directing and supporting persons to contribute to the effectiveness of the information security management system. link 9
ISO27001-2013 C.7.1 ISO27001-2013_C.7.1 ISO 27001:2013 C.7.1 Support Resources Shared n/a The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system. link 7
NIST_SP_800-53_R4 SA-2 NIST_SP_800-53_R4_SA-2 NIST SP 800-53 Rev. 4 SA-2 System And Services Acquisition Allocation Of Resources Shared n/a The organization: a. Determines information security requirements for the information system or information system service in mission/business process planning; b. Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and c. Establishes a discrete line item for information security in organizational programming and budgeting documentation. Supplemental Guidance: Resource allocation for information security includes funding for the initial information system or information system service acquisition and funding for the sustainment of the system/service. Related controls: PM-3, PM-11. Control Enhancements: None. References: NIST Special Publication 800-65. link 6
NIST_SP_800-53_R4 SC-6 NIST_SP_800-53_R4_SC-6 NIST SP 800-53 Rev. 4 SC-6 System And Communications Protection Resource Availability Shared n/a The information system protects the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (one or more); priority; quota; [Assignment: organization-defined security safeguards]]. Supplemental Guidance: Priority protection helps prevent lower-priority processes from delaying or interfering with the information system servicing any higher-priority processes. Quotas prevent users or processes from obtaining more than predetermined amounts of resources. This control does not apply to information system components for which there are only single users/roles. Control Enhancements: None. References: None. link 3
NIST_SP_800-53_R5 SA-2 NIST_SP_800-53_R5_SA-2 NIST SP 800-53 Rev. 5 SA-2 System and Services Acquisition Allocation of Resources Shared n/a a. Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning; b. Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and c. Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation. link 6
NIST_SP_800-53_R5 SC-6 NIST_SP_800-53_R5_SC-6 NIST SP 800-53 Rev. 5 SC-6 System and Communications Protection Resource Availability Shared n/a Protect the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (OneOrMore): priority;quota; [Assignment: organization-defined controls] ] . link 3
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40 add 33d34fac-56a8-1c0f-0636-3ed94892a709
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC