| Field | Value |
|---|---|
| Source | Azure Portal |
| Display name | Microsoft Managed Control 1534 - Personnel Sanctions |
| Id | 8b2b263e-cd05-4488-bcbf-4debec7a17d9 |
| Version | 1.0.0 |
| Versioning | Versions supported: 0 (Built-in Versioning [Preview]) |
| Category | Regulatory Compliance |
| Description | Microsoft implements this Personnel Security control |
| Additional metadata | See below |
| Mode | Indexed |
| Type | Static |
| Preview | False |
| Deprecated | False |
| Effect | Fixed audit |
| RBAC role(s) | none |
| Rule aliases | none |
| Rule resource types | IF (2): Microsoft.Resources/subscriptions, Microsoft.Resources/subscriptions/resourceGroups |
| Compliance | Not a Compliance control |
| Initiatives usage | none |
| History | none |
| JSON compare | n/a |

Additional metadata

Name/Id: ACF1534 / Microsoft Managed Control 1534
Category: Personnel Security
Title: Personnel Sanctions - Employ Formal Sanctions Process
Ownership: Customer, Microsoft
Description: The organization: Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and

Requirements: Microsoft’s formal sanctions process for personnel failing to comply with established information security policies and procedures is defined in the Microsoft Information Security Policy. Specifically, depending on the particular type of misconduct, Microsoft Online Services staff suspected of committing breaches of security and/or violating the Microsoft Security Program Policy (MSPP) are subject to an investigation process and appropriate disciplinary action up to and including termination. When the Microsoft Human Resources (HR) team is notified of a possible security violation, the Office of Legal Compliance (OLC) is consulted. The OLC team advises HR whether the matter is in scope for OLC. If it is, OLC investigates the possible security violation and reports its findings back to HR and the employee’s manager. If the allegation is substantiated, OLC recommends the disciplinary action to be taken and directs HR and the employee’s manager to debrief the employee and implement the discipline. Violations of Microsoft Information Security policies, standards, or procedures may result in corrective action, up to and including immediate termination of employment. In some cases, a breach of Microsoft Information Security policies, standards, or procedures may also violate an international, federal, state, or local law; in such cases the individual may also be subject to civil and/or criminal liability. Once the OLC findings are delivered to HR and management, the employee, absent extenuating circumstances, is typically debriefed within two (2) weeks. The same timeline applies when HR leads the investigation because the matter is not in scope for OLC. Violations that match the incident categories of NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide, are reported to US-CERT and to the impacted customer agency in accordance with the applicable incident reporting requirements.