last sync: 2024-Nov-25 18:54:24 UTC

Microsoft Managed Control 1580 - Information System Documentation | Regulatory Compliance - System and Services Acquisition

Azure BuiltIn Policy definition

Source Azure Portal
Display name Microsoft Managed Control 1580 - Information System Documentation
Id 854db8ac-6adf-42a0-bef3-b73f764f40b9
Version 1.0.0
Details on versioning
Versioning Versions supported for Versioning: 0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description Microsoft implements this System and Services Acquisition control
Additional metadata Name/Id: ACF1580 / Microsoft Managed Control 1580
Category: System and Services Acquisition
Title: Information System Documentation - Admin Documentation
Ownership: Customer, Microsoft
Description: The organization: Obtains administrator documentation for the information system, system component, or information system service that describes: Secure configuration, installation, and operation of the system, component, or service; Effective use and maintenance of security functions/mechanisms; and Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;
Requirements: Azure service teams maintain, secure, manage, and store information system documentation, including documentation regarding: * Secure configuration, installation, and operation of the information system * Effective use and maintenance of security features/functions * Known vulnerabilities regarding configuration and use of administrative (i.e. privileged) functions This documentation is stored in each service team’s SharePoint site and made available to service team members. Documentation for externally-provided software (scanning tools) is available online at vendor websites. Microsoft has implemented the information system documentation control by ensuring the appropriate service team is responsible for maintaining, securing, managing, transmitting and storing all documentation to prevent unauthorized access and misuse of Azure documentation. Microsoft considers all documentation to be categorized as a system asset. The service team is responsible for classifying its assets and employing the associated safeguards according to the Asset Classification Standard and Asset Protection Standard, as well as any additional requirements defined by the service team. An asset is something that supports the delivery of the Azure service or has other business value to its owner. Azure Technical Support’s asset inventory is located on the team SharePoint site. The inventory of assets is maintained by Technical Support personnel and is updated as needed when new assets are created, installed or identified or the asset owner, location or security classification requires modification. Technical Support team’s SOPs are stored on each team’s respective SharePoint site or Knowledge Base as referenced in each team’s asset inventory and other service team documentation, such as project requirements and specifications. Technical Support team documentation, including Technical Support Guides (TSGs), are stored on each team’s respective SharePoint site, or Knowledge Base as referenced in each team’s asset inventory. Authorized personnel routinely develop, maintain and store all related security documentation (e.g., security policies and procedures) and system configuration files on a continuous basis in accordance with regulatory requirements. Documentation is centrally managed using SharePoint and available to only authorized personnel using role-based access (i.e., valid username and level of access). Azure Security Authorization documentation (i.e., SSP, Contingency Plan, Security Assessment Plan (SAP), SAR/RAR, Configuration Management Plan, Plan of Action, and Milestones (POA&M), etc.) is maintained on a SharePoint site with appropriate access controls in place. Known vulnerabilities are identified in the SAR as part of the Security Authorization package and maintained on the SharePoint site with the Azure Security Authorization documentation.
Mode Indexed
Type Static
Preview False
Deprecated False
Effect Fixed
audit
RBAC role(s) none
Rule aliases none
Rule resource types IF (2)
Microsoft.Resources/subscriptions
Microsoft.Resources/subscriptions/resourceGroups
Compliance Not a Compliance control
Initiatives usage none
History none
JSON compare n/a
JSON
api-version=2021-06-01
EPAC