last sync: 2024-Sep-18 17:50:24 UTC

Establish electronic signature and certificate requirements | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Establish electronic signature and certificate requirements
Id 6f3866e8-6e12-69cf-788c-809d426094a1
Version 1.1.0
Versioning 1 version supported: 1.1.0 (Built-in Versioning [Preview])
Category Regulatory Compliance
Description CMA_0271 - Establish electronic signature and certificate requirements
Additional metadata Name/Id: CMA_0271 / CMA_0271
Category: Operational
Title: Establish electronic signature and certificate requirements
Ownership: Customer
Description: Microsoft recommends that your organization establish processes to confirm the integrity and authenticity of an individual's identity when collecting an electronic/digital signature. This can help prevent signature or identity falsification and protect records and other information assets. Electronic signatures can be provided by electronic certification service providers or can be generated through a variety of signing procedures. The signatures may also be generated through a signature generating tool. It is recommended that the signatory has control of the signature generating tool at the time of signing and that reasonable care is taken to avoid unauthorized use of the signature originating tool. Microsoft recommends meeting the following requirements prior to classifying a signature as valid:
- Confirmed identity
- Traceable changes to the signature
- Ability to determine changes to the information it is attached to
- Validation of the integrity of the electronic information
- The nature and value of the transaction
- Confirmed by a certificate
It is recommended that your organization provide notice to the addressee in written form on confirmation, rejection or revocation of the electronic signature, along with the reason for the rejection or revocation. Microsoft recommends that the certificate provide details such as the identity of the authentication service provider, the signatory controlling the signature originating tools, the details and validity of the tool, any restrictions that may apply, the scope or extent of the use of the certificate in terms of value or responsibility, and any other information required by the competent authority. It is recommended to determine when certificates should be revoked or suspended, such as upon user request or upon violation of the user's rights through misuse.
Your organization or the authentication service provider may be required to notify individuals and relevant parties if the signature originating tool was misused, and to determine what actions to take regarding any transactions that were dependent on potentially compromised signatures. It is recommended that your organization determine the allowed time period for electronic signatures to be suspended. India's Information Technology Act states that digital signature certificates cannot be suspended for more than fifteen days unless the user has been given a chance to be heard in the matter.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default: Manual. Allowed: Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1): Microsoft.Resources/subscriptions
Compliance
The following 18 compliance controls are associated with this Policy definition 'Establish electronic signature and certificate requirements' (6f3866e8-6e12-69cf-788c-809d426094a1)
Each entry lists: Control Domain and Control Name (MetadataId; Category): Title. Owner. Requirements. Description. Policy# (number of policies mapped to the control).
FedRAMP_High_R4 AU-10 (MetadataId FedRAMP_High_R4_AU-10; FedRAMP High, Audit And Accountability): Non-Repudiation. Owner: Shared. Requirements: n/a. Description: The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed [Assignment: organization-defined actions to be covered by non-repudiation]. Supplemental Guidance: Types of individual actions covered by non-repudiation include, for example, creating information, sending and receiving messages, approving information (e.g., indicating concurrence or signing a contract). Non-repudiation protects individuals against later claims by: (i) authors of not having authored particular documents; (ii) senders of not having transmitted messages; (iii) receivers of not having received messages; or (iv) signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from a particular individual, or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request) or received specific information. Organizations obtain non-repudiation services by employing various techniques or mechanisms (e.g., digital signatures, digital message receipts). Related controls: SC-12, SC-8, SC-13, SC-16, SC-17, SC-23. References: None. Policy#: 1
ISO27001-2013 A.13.1.2 (MetadataId ISO27001-2013_A.13.1.2; ISO 27001:2013, Communications Security): Security of network services. Owner: Shared. Requirements: n/a. Description: Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced. Policy#: 16
ISO27001-2013 A.9.1.2 (MetadataId ISO27001-2013_A.9.1.2; ISO 27001:2013, Access Control): Access to networks and network services. Owner: Shared. Requirements: n/a. Description: Users shall only be provided with access to the network and network services that they have been specifically authorized to use. Policy#: 29
ISO27001-2013 A.9.4.2 (MetadataId ISO27001-2013_A.9.4.2; ISO 27001:2013, Access Control): Secure log-on procedures. Owner: Shared. Requirements: n/a. Description: Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure. Policy#: 17
mp.com.1 (MetadataId mp.com.1): Secure perimeter. Owner, Requirements and Description: n/a. Policy#: 49
mp.com.2 (MetadataId mp.com.2): Protection of confidentiality. Owner, Requirements and Description: n/a. Policy#: 55
mp.com.3 (MetadataId mp.com.3): Protection of integrity and authenticity. Owner, Requirements and Description: n/a. Policy#: 62
mp.com.4 (MetadataId mp.com.4): Separation of information flows on the network. Owner, Requirements and Description: n/a. Policy#: 51
NIST_SP_800-171_R2 3.3.2 (MetadataId NIST_SP_800-171_R2_3.3.2; NIST SP 800-171 R2, Audit and Accountability): Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. Owner: Shared. Requirements: Microsoft and the customer share responsibilities for implementing this requirement. Description: This requirement ensures that the contents of the audit record include the information needed to link the audit event to the actions of an individual to the extent feasible. Organizations consider logging for traceability including results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, communications at system boundaries, configuration settings, physical access, nonlocal maintenance, use of maintenance tools, temperature and humidity, equipment delivery and removal, system component inventory, use of mobile code, and use of Voice over Internet Protocol (VoIP). Policy#: 36
NIST_SP_800-53_R4 AU-10 (MetadataId NIST_SP_800-53_R4_AU-10; NIST SP 800-53 Rev. 4, Audit And Accountability): Non-Repudiation. Owner: Shared. Requirements: n/a. Description: The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed [Assignment: organization-defined actions to be covered by non-repudiation]. Supplemental Guidance: Types of individual actions covered by non-repudiation include, for example, creating information, sending and receiving messages, approving information (e.g., indicating concurrence or signing a contract). Non-repudiation protects individuals against later claims by: (i) authors of not having authored particular documents; (ii) senders of not having transmitted messages; (iii) receivers of not having received messages; or (iv) signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from a particular individual, or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request) or received specific information. Organizations obtain non-repudiation services by employing various techniques or mechanisms (e.g., digital signatures, digital message receipts). Related controls: SC-12, SC-8, SC-13, SC-16, SC-17, SC-23. References: None. Policy#: 1
NIST_SP_800-53_R5 AU-10 (MetadataId NIST_SP_800-53_R5_AU-10; NIST SP 800-53 Rev. 5, Audit and Accountability): Non-repudiation. Owner: Shared. Requirements: n/a. Description: Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed [Assignment: organization-defined actions to be covered by non-repudiation]. Policy#: 1
op.acc.2 (MetadataId op.acc.2): Access requirements. Owner, Requirements and Description: n/a. Policy#: 64
op.acc.5 (MetadataId op.acc.5): Authentication mechanism (external users). Owner, Requirements and Description: n/a. Policy#: 72
op.acc.6 (MetadataId op.acc.6): Authentication mechanism (organization users). Owner, Requirements and Description: n/a. Policy#: 78
op.exp.2 (MetadataId op.exp.2): Security configuration. Owner, Requirements and Description: n/a. Policy#: 112
op.exp.3 (MetadataId op.exp.3): Security configuration management. Owner, Requirements and Description: n/a. Policy#: 123
op.ext.4 (MetadataId op.ext.4): Interconnection of systems. Owner, Requirements and Description: n/a. Policy#: 68
org.4 (MetadataId org.4): Authorization process. Owner, Requirements and Description: n/a. Policy#: 126
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add 6f3866e8-6e12-69cf-788c-809d426094a1