last sync: 2024-Nov-25 18:54:24 UTC

Separate user and information system management functionality | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Separate user and information system management functionality
Id 8a703eb5-4e53-701b-67e4-05ba2f7930c8
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_0493 - Separate user and information system management functionality
Additional metadata Name/Id: CMA_0493 / CMA_0493
Category: Operational
Title: Separate user and information system management functionality
Ownership: Customer
Description: Microsoft recommends that your organization's information system separates user functionality (including user interface services) from information system management functionality. Information system management functionality includes, for example, functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from information system management functionality is either physical or logical. Organizations implement separation of system management-related functionality from user functionality by using different computers, different central processing units, different instances of operating systems, different network addresses, virtualization techniques, or combinations of these or other methods, as appropriate. This type of separation includes, for example, web administrative interfaces that use separate authentication methods for users of any other information system resources. Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 24 compliance controls are associated with this Policy definition 'Separate user and information system management functionality' (8a703eb5-4e53-701b-67e4-05ba2f7930c8)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 SC-2 FedRAMP_High_R4_SC-2 FedRAMP High SC-2 System And Communications Protection Application Partitioning Shared n/a The information system separates user functionality (including user interface services) from information system management functionality. Supplemental Guidance: Information system management functionality includes, for example, functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from information system management functionality is either physical or logical. Organizations implement separation of system management-related functionality from user functionality by using different computers, different central processing units, different instances of operating systems, different network addresses, virtualization techniques, or combinations of these or other methods, as appropriate. This type of separation includes, for example, web administrative interfaces that use separate authentication methods for users of any other information system resources. Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls. Related controls: SA-4, SA-8, SC-3. References: None. link 3
FedRAMP_Moderate_R4 SC-2 FedRAMP_Moderate_R4_SC-2 FedRAMP Moderate SC-2 System And Communications Protection Application Partitioning Shared n/a The information system separates user functionality (including user interface services) from information system management functionality. Supplemental Guidance: Information system management functionality includes, for example, functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from information system management functionality is either physical or logical. Organizations implement separation of system management-related functionality from user functionality by using different computers, different central processing units, different instances of operating systems, different network addresses, virtualization techniques, or combinations of these or other methods, as appropriate. This type of separation includes, for example, web administrative interfaces that use separate authentication methods for users of any other information system resources. Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls. Related controls: SA-4, SA-8, SC-3. References: None. link 3
hipaa 0208.09j2Organizational.7-09.j hipaa-0208.09j2Organizational.7-09.j 0208.09j2Organizational.7-09.j 02 Endpoint Protection 0208.09j2Organizational.7-09.j 09.04 Protection Against Malicious and Mobile Code Shared n/a User functionality (including user interface services [e.g., web services]) is separated from information system management (e.g., database management systems) functionality. 4
hipaa 0817.01w2System.123-01.w hipaa-0817.01w2System.123-01.w 0817.01w2System.123-01.w 08 Network Protection 0817.01w2System.123-01.w 01.06 Application and Information Access Control Shared n/a Unless the risk is identified and accepted by the data owner, sensitive systems are isolated (physically or logically) from non-sensitive applications/systems. 13
hipaa 1785.10a1Organizational.8-10.a hipaa-1785.10a1Organizational.8-10.a 1785.10a1Organizational.8-10.a 17 Risk Management 1785.10a1Organizational.8-10.a 10.01 Security Requirements of Information Systems Shared n/a Where additional functionality is supplied and causes a security risk, the functionality is disabled or mitigated through application of additional controls. 5
ISO27001-2013 A.13.1.1 ISO27001-2013_A.13.1.1 ISO 27001:2013 A.13.1.1 Communications Security Network controls Shared n/a Networks shall be managed and controlled to protect information in systems and applications. link 40
ISO27001-2013 A.13.1.3 ISO27001-2013_A.13.1.3 ISO 27001:2013 A.13.1.3 Communications Security Segregation of networks Shared n/a Groups of information services, users, and information systems shall be segregated on networks. link 17
ISO27001-2013 A.14.1.3 ISO27001-2013_A.14.1.3 ISO 27001:2013 A.14.1.3 System Acquisition, Development And Maintenance Protecting application services transactions Shared n/a Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. link 29
mp.com.2 Protection of confidentiality mp.com.2 Protection of confidentiality 404 not found n/a n/a 55
mp.com.3 Protection of integrity and authenticity mp.com.3 Protection of integrity and authenticity 404 not found n/a n/a 62
mp.com.4 Separation of information flows on the network mp.com.4 Separation of information flows on the network 404 not found n/a n/a 51
mp.info.3 Electronic signature mp.info.3 Electronic signature 404 not found n/a n/a 40
mp.info.4 Time stamps mp.info.4 Time stamps 404 not found n/a n/a 33
mp.s.2 Protection of web services and applications mp.s.2 Protection of web services and applications 404 not found n/a n/a 102
NIST_SP_800-171_R2_3 .13.3 NIST_SP_800-171_R2_3.13.3 NIST SP 800-171 R2 3.13.3 System and Communications Protection Separate user functionality from system management functionality. Shared Microsoft and the customer share responsibilities for implementing this requirement. System management functionality includes functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from system management functionality is physical or logical. Organizations can implement separation of system management functionality from user functionality by using different computers, different central processing units, different instances of operating systems, or different network addresses; virtualization techniques; or combinations of these or other methods, as appropriate. This type of separation includes web administrative interfaces that use separate authentication methods for users of any other system resources. Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls. link 3
NIST_SP_800-53_R4 SC-2 NIST_SP_800-53_R4_SC-2 NIST SP 800-53 Rev. 4 SC-2 System And Communications Protection Application Partitioning Shared n/a The information system separates user functionality (including user interface services) from information system management functionality. Supplemental Guidance: Information system management functionality includes, for example, functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from information system management functionality is either physical or logical. Organizations implement separation of system management-related functionality from user functionality by using different computers, different central processing units, different instances of operating systems, different network addresses, virtualization techniques, or combinations of these or other methods, as appropriate. This type of separation includes, for example, web administrative interfaces that use separate authentication methods for users of any other information system resources. Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls. Related controls: SA-4, SA-8, SC-3. References: None. link 3
NIST_SP_800-53_R5 SC-2 NIST_SP_800-53_R5_SC-2 NIST SP 800-53 Rev. 5 SC-2 System and Communications Protection Separation of System and User Functionality Shared n/a Separate user functionality, including user interface services, from system management functionality. link 3
op.acc.6 Authentication mechanism (organization users) op.acc.6 Authentication mechanism (organization users) 404 not found n/a n/a 78
op.exp.2 Security configuration op.exp.2 Security configuration 404 not found n/a n/a 112
op.exp.3 Security configuration management op.exp.3 Security configuration management 404 not found n/a n/a 123
op.ext.4 Interconnection of systems op.ext.4 Interconnection of systems 404 not found n/a n/a 68
op.pl.2 Security Architecture op.pl.2 Security Architecture 404 not found n/a n/a 65
op.pl.3 Acquisition of new components op.pl.3 Acquisition of new components 404 not found n/a n/a 61
org.4 Authorization process org.4 Authorization process 404 not found n/a n/a 126
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add 8a703eb5-4e53-701b-67e4-05ba2f7930c8
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC