last sync: 2024-Nov-25 18:54:24 UTC

Establish third-party personnel security requirements | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Establish third-party personnel security requirements
Id 3881168c-5d38-6f04-61cc-b5d87b2c4c58
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_C1529 - Establish third-party personnel security requirements
Additional metadata Name/Id: CMA_C1529 / CMA_C1529
Category: Operational
Title: Establish third-party personnel security requirements
Ownership: Customer
Description: The customer is responsible for third-party personnel security.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 21 compliance controls are associated with this Policy definition 'Establish third-party personnel security requirements' (3881168c-5d38-6f04-61cc-b5d87b2c4c58)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 PS-7 FedRAMP_High_R4_PS-7 FedRAMP High PS-7 Personnel Security Third-Party Personnel Security Shared n/a The organization: a. Establishes personnel security requirements including security roles and responsibilities for third-party providers; b. Requires third-party providers to comply with personnel security policies and procedures established by the organization; c. Documents personnel security requirements; d. Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [Assignment: organization-defined time period]; and e. Monitors provider compliance. Supplemental Guidance: Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. Organizations explicitly include personnel security requirements in acquisition-related documents. Third-party providers may have personnel working at organizational facilities with credentials, badges, or information system privileges issued by organizations. Notifications of third-party personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include, for example, functions, roles, and nature of credentials/privileges associated with individuals transferred or terminated. Related controls: PS-2, PS-3, PS-4, PS-5, PS-6, SA-9, SA-21. Control Enhancements: None. References: NIST Special Publication 800-35. link 5
FedRAMP_Moderate_R4 PS-7 FedRAMP_Moderate_R4_PS-7 FedRAMP Moderate PS-7 Personnel Security Third-Party Personnel Security Shared n/a The organization: a. Establishes personnel security requirements including security roles and responsibilities for third-party providers; b. Requires third-party providers to comply with personnel security policies and procedures established by the organization; c. Documents personnel security requirements; d. Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [Assignment: organization-defined time period]; and e. Monitors provider compliance. Supplemental Guidance: Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. Organizations explicitly include personnel security requirements in acquisition-related documents. Third-party providers may have personnel working at organizational facilities with credentials, badges, or information system privileges issued by organizations. Notifications of third-party personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include, for example, functions, roles, and nature of credentials/privileges associated with individuals transferred or terminated. Related controls: PS-2, PS-3, PS-4, PS-5, PS-6, SA-9, SA-21. Control Enhancements: None. References: NIST Special Publication 800-35. link 5
hipaa 0111.02d2Organizational.2-02.d hipaa-0111.02d2Organizational.2-02.d 0111.02d2Organizational.2-02.d 01 Information Protection Program 0111.02d2Organizational.2-02.d 02.03 During Employment Shared n/a Non-employees are provided the organization's data privacy and security policy requirements prior to accessing system resources and data. 9
hipaa 01110.05a1Organizational.5-05.a hipaa-01110.05a1Organizational.5-05.a 01110.05a1Organizational.5-05.a 01 Information Protection Program 01110.05a1Organizational.5-05.a 05.01 Internal Organization Shared n/a If the senior-level information security official is employed by the organization, one of its affiliates, or a third-party service, the organization retains responsibility for its cybersecurity program, designates a senior member of the organization responsible for direction and oversight, and requires the third-party service to maintain an appropriate cybersecurity program of its own. 4
hipaa 1407.05k2Organizational.1-05.k hipaa-1407.05k2Organizational.1-05.k 1407.05k2Organizational.1-05.k 14 Third Party Assurance 1407.05k2Organizational.1-05.k 05.02 External Parties Shared n/a The specific limitations of access, arrangements for compliance auditing, penalties, and the requirement for notification of third-party personnel transfers and terminations are identified in the agreement with the third-party. 5
hipaa 1409.09e2System.1-09.e hipaa-1409.09e2System.1-09.e 1409.09e2System.1-09.e 14 Third Party Assurance 1409.09e2System.1-09.e 09.02 Control Third Party Service Delivery Shared n/a The organization develops, disseminates and annually reviews/updates a list of current service providers, which includes a description of services provided. 15
hipaa 1429.05k1Organizational.34-05.k hipaa-1429.05k1Organizational.34-05.k 1429.05k1Organizational.34-05.k 14 Third Party Assurance 1429.05k1Organizational.34-05.k 05.02 External Parties Shared n/a The organization maintains written agreements (contracts) that include: (i) an acknowledgement that the third-party (e.g., a service provider) is responsible for the security of the data and requirements to address the associated information security risks; and, (ii) requirements to address the information security risks associated with information and communications technology services (e.g., cloud computing services) and product supply chain. 14
hipaa 1430.05k1Organizational.56-05.k hipaa-1430.05k1Organizational.56-05.k 1430.05k1Organizational.56-05.k 14 Third Party Assurance 1430.05k1Organizational.56-05.k 05.02 External Parties Shared n/a The agreement ensures that there is no misunderstanding between the organization and the third-party and satisfies the organization as to the indemnity of the third-party. 13
hipaa 1431.05k1Organizational.7-05.k hipaa-1431.05k1Organizational.7-05.k 1431.05k1Organizational.7-05.k 14 Third Party Assurance 1431.05k1Organizational.7-05.k 05.02 External Parties Shared n/a The organization establishes personnel security requirements, including security roles and responsibilities, for third-party providers that are coordinated and aligned with internal security roles and responsibilities. 5
hipaa 1432.05k1Organizational.89-05.k hipaa-1432.05k1Organizational.89-05.k 1432.05k1Organizational.89-05.k 14 Third Party Assurance 1432.05k1Organizational.89-05.k 05.02 External Parties Shared n/a The organization ensures a screening process is carried out for contractors and third-party users, and, where contractors are provided through an organization, the contract with the organization clearly specifies (i) the organization's responsibilities for screening and the notification procedures they need to follow if screening has not been completed, or if the results give cause for doubt or concern; and, (ii) all responsibilities and notification procedures for screening. 7
hipaa 1452.05kCSPOrganizational.1-05.k hipaa-1452.05kCSPOrganizational.1-05.k 1452.05kCSPOrganizational.1-05.k 14 Third Party Assurance 1452.05kCSPOrganizational.1-05.k 05.02 External Parties Shared n/a The organization ensures that mutually-agreed upon provisions and/or terms are established to satisfy customer (tenant) requirements for service-to-service application (API) and information processing interoperability, and portability for application development and information exchange, usage, and integrity persistence. 3
hipaa 1453.05kCSPOrganizational.2-05.k hipaa-1453.05kCSPOrganizational.2-05.k 1453.05kCSPOrganizational.2-05.k 14 Third Party Assurance 1453.05kCSPOrganizational.2-05.k 05.02 External Parties Shared n/a Supply chain agreements (e.g., SLAs) between cloud service providers and customers (tenants) incorporate at least the following mutually-agreed upon provisions and/or terms: (i) scope of business relationship and services offered, data acquisition, exchange and usage, feature sets and functionality, personnel and infrastructure network and systems components for service delivery and support, roles and responsibilities of provider and customer (tenant) and any subcontracted or outsourced business relationships, physical geographical location of hosted services, and any known regulatory compliance considerations; (ii) information security requirements, points of contact, and references to detailed supporting and relevant business processes and technical measures implemented; (iii) notification and/or pre-authorization of any changes controlled by the provider with customer (tenant) impacts; (iv) timely notification of a security incident to all customers (tenants) and other business relationships impacted; (v) assessment and independent verification of compliance with agreement provisions and/or terms (e.g., industry-acceptable certification, attestation audit report, or equivalent forms of assurance) without posing an unacceptable business risk of exposure to the organization being assessed; (vi) expiration of the business relationship and treatment of customer (tenant) data impacted; and, (vii) customer (tenant) service-to-service application (API) and data interoperability and portability requirements for application development and information exchange, usage, and integrity persistence. 10
hipaa 1455.05kCSPOrganizational.4-05.k hipaa-1455.05kCSPOrganizational.4-05.k 1455.05kCSPOrganizational.4-05.k 14 Third Party Assurance 1455.05kCSPOrganizational.4-05.k 05.02 External Parties Shared n/a Third-party service providers demonstrate compliance with information security and confidentiality, access control, service definitions, and service-level agreements included in third-party contracts. Third-party reports, records, and services undergo audit and review at least annually to govern and maintain compliance with the service delivery agreements. 9
ISO27001-2013 A.6.1.1 ISO27001-2013_A.6.1.1 ISO 27001:2013 A.6.1.1 Organization of Information Security Information security roles and responsibilities Shared n/a All information security responsibilities shall be clearly defined and allocated. link 73
ISO27001-2013 A.7.2.1 ISO27001-2013_A.7.2.1 ISO 27001:2013 A.7.2.1 Human Resources Security Management responsibilities Shared n/a Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization. link 26
NIST_SP_800-53_R4 PS-7 NIST_SP_800-53_R4_PS-7 NIST SP 800-53 Rev. 4 PS-7 Personnel Security Third-Party Personnel Security Shared n/a The organization: a. Establishes personnel security requirements including security roles and responsibilities for third-party providers; b. Requires third-party providers to comply with personnel security policies and procedures established by the organization; c. Documents personnel security requirements; d. Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [Assignment: organization-defined time period]; and e. Monitors provider compliance. Supplemental Guidance: Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. Organizations explicitly include personnel security requirements in acquisition-related documents. Third-party providers may have personnel working at organizational facilities with credentials, badges, or information system privileges issued by organizations. Notifications of third-party personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include, for example, functions, roles, and nature of credentials/privileges associated with individuals transferred or terminated. Related controls: PS-2, PS-3, PS-4, PS-5, PS-6, SA-9, SA-21. Control Enhancements: None. References: NIST Special Publication 800-35. link 5
NIST_SP_800-53_R5 PS-7 NIST_SP_800-53_R5_PS-7 NIST SP 800-53 Rev. 5 PS-7 Personnel Security External Personnel Security Shared n/a a. Establish personnel security requirements, including security roles and responsibilities for external providers; b. Require external providers to comply with personnel security policies and procedures established by the organization; c. Document personnel security requirements; d. Require external providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within [Assignment: organization-defined time period]; and e. Monitor provider compliance with personnel security requirements. link 5
org.1 Security policy org.1 Security policy 404 not found n/a n/a 94
org.4 Authorization process org.4 Authorization process 404 not found n/a n/a 126
SOC_2 CC2.3 SOC_2_CC2.3 SOC 2 Type 2 CC2.3 Communication and Information COSO Principle 15 Shared The customer is responsible for implementing this recommendation. Communicates to External Parties — Processes are in place to communicate relevant and timely information to external parties, including shareholders, partners, owners, regulators, customers, financial analysts, and other external parties. • Enables Inbound Communications — Open communication channels allow input from customers, consumers, suppliers, external auditors, regulators, financial analysts, and others, providing management and the board of directors with relevant information. • Communicates With the Board of Directors — Relevant information resulting from assessments conducted by external parties is communicated to the board of directors. • Provides Separate Communication Lines — Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective. • Selects Relevant Method of Communication — The method of communication considers the timing, audience, and nature of the communication and legal, regulatory, and fiduciary requirements and expectations. Additional point of focus that applies only to an engagement using the trust services criteria for confidentiality: • Communicates Objectives Related to Confidentiality and Changes to Objectives — The entity communicates, to external users, vendors, business partners, and others whose products and services are part of the system, objectives and changes to objectives related to confidentiality.Page 20 TSP Ref. # TRUST SERVICES CRITERIA AND POINTS OF FOCUS Additional point of focus that applies only to an engagement using the trust services criteria for privacy: • Communicates Objectives Related to Privacy and Changes to Objectives — The entity communicates, to external users, vendors, business partners, and others whose products and services are part of the system, objectives related to privacy and changes to those objectives. Additional points of focus that apply only when an engagement using the trust services criteria is performed at the system level: • Communicates Information About System Operation and Boundaries — The entity prepares and communicates information about the design and operation of the system and its boundaries to authorized external users to permit users to understand their role in the system and the results of system operation. • Communicates System Objectives — The entity communicates its system objectives to appropriate external users. • Communicates System Responsibilities — External users with responsibility for designing, developing, implementing, operating, maintaining, and monitoring system controls receive communications about their responsibilities and have the information necessary to carry out those responsibilities. • Communicates Information on Reporting System Failures, Incidents, Concerns, and Other Matters — External users are provided with information on how to report systems failures, incidents, concerns, and other complaints to appropriate personnel. 14
SOC_2 CC9.2 SOC_2_CC9.2 SOC 2 Type 2 CC9.2 Risk Mitigation Vendors and business partners risk management Shared The customer is responsible for implementing this recommendation. Establishes Requirements for Vendor and Business Partner Engagements — The entity establishes specific requirements for a vendor and business partner engagement that includes (1) scope of services and product specifications, (2) roles and responsibilities, (3) compliance requirements, and (4) service levels. • Assesses Vendor and Business Partner Risks — The entity assesses, on a periodic basis, the risks that vendors and business partners (and those entities’ vendors and business partners) represent to the achievement of the entity's objectives. • Assigns Responsibility and Accountability for Managing Vendors and Business Partners — The entity assigns responsibility and accountability for the management of risks associated with vendors and business partners. • Establishes Communication Protocols for Vendors and Business Partners — The entity establishes communication and resolution protocols for service or product issues related to vendors and business partners. • Establishes Exception Handling Procedures From Vendors and Business Partners — The entity establishes exception handling procedures for service or product issues related to vendors and business partners. • Assesses Vendor and Business Partner Performance — The entity periodically assesses the performance of vendors and business partners. • Implements Procedures for Addressing Issues Identified During Vendor and Business Partner Assessments — The entity implements procedures for addressing issues identified with vendor and business partner relationships. • Implements Procedures for Terminating Vendor and Business Partner Relationships — The entity implements procedures for terminating vendor and business partner relationships. Additional points of focus that apply only to an engagement using the trust services criteria for confidentiality: • Obtains Confidentiality Commitments from Vendors and Business Partners — The entity obtains confidentiality commitments that are consistent with the entity’s confidentiality commitments and requirements from vendors and business partners who have access to confidential information. • Assesses Compliance With Confidentiality Commitments of Vendors and Business Partners — On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity’s confidentiality commitments and requirements. Additional points of focus that apply only to an engagement using the trust services criteria for privacy: • Obtains Privacy Commitments from Vendors and Business Partners — The entity obtains privacy commitments, consistent with the entity’s privacy commitments and requirements, from vendors and business partners who have access to personal information. • Assesses Compliance with Privacy Commitments of Vendors and Business Partners — On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity’s privacy commitments and requirements and takes corrective action as necessary 20
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add 3881168c-5d38-6f04-61cc-b5d87b2c4c58
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC