compliance controls are associated with this Policy definition 'Review and reevaluate privileges' (585af6e9-90c0-4575-67a7-2f9548972e32)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| FedRAMP_High_R4 |
CM-5(5) |
FedRAMP_High_R4_CM-5(5) |
FedRAMP High CM-5 (5) |
Configuration Management |
Limit Production / Operational Privileges |
Shared |
n/a |
The organization:
(a) Limits privileges to change information system components and system-related information within a production or operational environment; and
(b) Reviews and reevaluates privileges [Assignment: organization-defined frequency].
Supplemental Guidance: In many organizations, information systems support multiple core missions/business functions. Limiting privileges to change information system components with respect to operational systems is necessary because changes to a particular information system component may have far-reaching effects on mission/business processes supported by the system where the component resides. The complex, many-to-many relationships between systems and mission/business processes are in some cases, unknown to developers. Related control: AC-2. |
link |
2 |
| FedRAMP_Moderate_R4 |
CM-5(5) |
FedRAMP_Moderate_R4_CM-5(5) |
FedRAMP Moderate CM-5 (5) |
Configuration Management |
Limit Production / Operational Privileges |
Shared |
n/a |
The organization:
(a) Limits privileges to change information system components and system-related information within a production or operational environment; and
(b) Reviews and reevaluates privileges [Assignment: organization-defined frequency].
Supplemental Guidance: In many organizations, information systems support multiple core missions/business functions. Limiting privileges to change information system components with respect to operational systems is necessary because changes to a particular information system component may have far-reaching effects on mission/business processes supported by the system where the component resides. The complex, many-to-many relationships between systems and mission/business processes are in some cases, unknown to developers. Related control: AC-2. |
link |
2 |
| hipaa |
0605.10h1System.12-10.h |
hipaa-0605.10h1System.12-10.h |
0605.10h1System.12-10.h |
06 Configuration Management |
0605.10h1System.12-10.h 10.04 Security of System Files |
Shared |
n/a |
Only authorized administrators are allowed to implement approved upgrades to software, applications, and program libraries, based on business requirements and the security implications of the release. |
|
6 |
| ISO27001-2013 |
A.9.2.1 |
ISO27001-2013_A.9.2.1 |
ISO 27001:2013 A.9.2.1 |
Access Control |
User registration and de-registration |
Shared |
n/a |
A formal user registration and de-registration process shall be implemented to enable assignment of access rights. |
link |
27 |
| ISO27001-2013 |
A.9.2.2 |
ISO27001-2013_A.9.2.2 |
ISO 27001:2013 A.9.2.2 |
Access Control |
User access provisioning |
Shared |
n/a |
A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services. |
link |
19 |
| ISO27001-2013 |
A.9.2.3 |
ISO27001-2013_A.9.2.3 |
ISO 27001:2013 A.9.2.3 |
Access Control |
Management of privileged access rights |
Shared |
n/a |
The allocation and use of privileged access rights shall be restricted and controlled. |
link |
33 |
| ISO27001-2013 |
A.9.2.5 |
ISO27001-2013_A.9.2.5 |
ISO 27001:2013 A.9.2.5 |
Access Control |
Review of user access rights |
Shared |
n/a |
Asset owners shall review users' access rights at regular intervals. |
link |
17 |
| ISO27001-2013 |
A.9.2.6 |
ISO27001-2013_A.9.2.6 |
ISO 27001:2013 A.9.2.6 |
Access Control |
Removal or adjustment of access rights |
Shared |
n/a |
The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change. |
link |
17 |
|
mp.s.2 Protection of web services and applications |
mp.s.2 Protection of web services and applications |
404 not found |
|
|
|
n/a |
n/a |
|
102 |
| NIST_SP_800-171_R2_3 |
.4.5 |
NIST_SP_800-171_R2_3.4.5 |
NIST SP 800-171 R2 3.4.5 |
Configuration Management |
Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Any changes to the hardware, software, or firmware components of systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes, including upgrades and modifications. Access restrictions for change also include software libraries. Access restrictions include physical and logical access control requirements, workflow automation, media libraries, abstract layers (e.g., changes implemented into external interfaces rather than directly into systems), and change windows (e.g., changes occur only during certain specified times). In addition to security concerns, commonly-accepted due diligence for configuration management includes access restrictions as an essential part in ensuring the ability to effectively manage the configuration. [SP 800-128] provides guidance on configuration change control. |
link |
6 |
| NIST_SP_800-53_R4 |
CM-5(5) |
NIST_SP_800-53_R4_CM-5(5) |
NIST SP 800-53 Rev. 4 CM-5 (5) |
Configuration Management |
Limit Production / Operational Privileges |
Shared |
n/a |
The organization:
(a) Limits privileges to change information system components and system-related information within a production or operational environment; and
(b) Reviews and reevaluates privileges [Assignment: organization-defined frequency].
Supplemental Guidance: In many organizations, information systems support multiple core missions/business functions. Limiting privileges to change information system components with respect to operational systems is necessary because changes to a particular information system component may have far-reaching effects on mission/business processes supported by the system where the component resides. The complex, many-to-many relationships between systems and mission/business processes are in some cases, unknown to developers. Related control: AC-2. |
link |
2 |
| NIST_SP_800-53_R5 |
CM-5(5) |
NIST_SP_800-53_R5_CM-5(5) |
NIST SP 800-53 Rev. 5 CM-5 (5) |
Configuration Management |
Privilege Limitation for Production and Operation |
Shared |
n/a |
(a) Limit privileges to change system components and system-related information within a production or operational environment; and
(b) Review and reevaluate privileges [Assignment: organization-defined frequency]. |
link |
2 |
|
op.acc.1 Identification |
op.acc.1 Identification |
404 not found |
|
|
|
n/a |
n/a |
|
66 |
|
op.acc.3 Segregation of functions and tasks |
op.acc.3 Segregation of functions and tasks |
404 not found |
|
|
|
n/a |
n/a |
|
43 |
|
op.acc.4 Access rights management process |
op.acc.4 Access rights management process |
404 not found |
|
|
|
n/a |
n/a |
|
40 |
|
op.acc.5 Authentication mechanism (external users) |
op.acc.5 Authentication mechanism (external users) |
404 not found |
|
|
|
n/a |
n/a |
|
72 |