last sync: 2024-Sep-19 17:51:32 UTC

Microsoft Managed Control 1485 - Delivery And Removal | Regulatory Compliance - Physical and Environmental Protection

Azure BuiltIn Policy definition

Source Azure Portal
Display name Microsoft Managed Control 1485 - Delivery And Removal
Id 50301354-95d0-4a11-8af5-8039ecf6d38b
Version 1.0.0
Versioning Versions supported for Versioning: 0
Built-in Versioning [Preview]
Category Regulatory Compliance
Description Microsoft implements this Physical and Environmental Protection control
Additional metadata Name/Id: ACF1485 / Microsoft Managed Control 1485
Category: Physical and Environmental Protection
Title: Delivery And Removal
Ownership: Microsoft
Description: The organization authorizes, monitors, and controls all information system components entering and exiting the facility and maintains records of those items.
Requirements: Assets that are to be destroyed are stored in locked storage bins that are under CCTV camera coverage. When the assets are ready to be destroyed, the locked storage bins are sent to shredding locations by a Microsoft full-time employee (FTE) from Asset Management. As shredding occurs at the datacenter and under Microsoft supervision, Azure assets do not leave the controlled areas of the datacenter. Azure strictly enforces what is allowed to enter and exit the datacenter. All system components/assets are tracked in the asset management tool database. Information system component deliveries must be scheduled; unscheduled deliveries are refused entry past the datacenter gates. Deliveries are received in the facility's loading bay, and the facilities asset manager must be present during the delivery. The loading bay is monitored with a live CCTV feed in the datacenter security operations center. In datacenters where the loading bay is adjacent to the staging area, the loading bay doors are designed in an interlock configuration, so that while the loading bay door is open for a delivery truck, the interior door to the staging area cannot be opened. When an information system component enters the building, the asset management team verifies the received item against the referenced ticket and then scans the device into the Azure-managed asset management tool. New assets are unpacked in the staging area and stored in the asset management room until deployment. Depending on asset value, some high-value assets are stored in separate locked cages with cameras. The general storage area within the asset management room requires an access badge for entry and has multiple cameras for video monitoring. For an information system component that is leaving the datacenter, a ticket request must be generated on the system owner's behalf via the asset deployment tool. All data is removed from the system (i.e., hard drives are wiped or purged depending on asset classification) before it leaves the datacenter. All information system components received or shipped are tracked by the workflow ticketing tool and/or in the receiving/shipping logs in the asset management tool. Visitors are prohibited from using personal laptops or cell phones with camera capabilities in the production environment (colocations) per the datacenter policy and work rules. If equipment entering the datacenter is used for maintenance purposes, it requires datacenter management approval in the DCAT system.
Azure Third Party (Leased) Datacenters: In leased datacenters, the loading bay area is controlled by the datacenter provider. To manage entry and exit of Azure system components, an Azure representative must be present during the process.
Mode Indexed
Type Static
Preview False
Deprecated False
Effect Fixed: audit
RBAC role(s) none
Rule aliases none
Rule resource types IF (2)
Microsoft.Resources/subscriptions
Microsoft.Resources/subscriptions/resourceGroups
Compliance Not a Compliance control
Initiatives usage none
History none