AzPolicyAdvertizer

last sync: 2024-Nov-25 18:54:24 UTC

Perform a business impact assessment and application criticality assessment | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source

Azure Portal

Display name

Perform a business impact assessment and application criticality assessment

cb8841d4-9d13-7292-1d06-ba4d68384681

Version

1.1.0
Details on versioning

Versioning

Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]

Category

Regulatory Compliance
Microsoft Learn

Description

CMA_0386 - Perform a business impact assessment and application criticality assessment

Additional metadata

Name/Id: CMA_0386 / CMA_0386
Category: Operational
Title: Perform a business impact assessment and application criticality assessment
Ownership: Customer
Description: Microsoft recommends that your organization establish, implement, and maintain a formal and documented Business Impact Assessment (BIA) that evaluates and determines continuity and recovery priorities, objectives and targets. Your organization is recommended to identify the business functions within the organization and the services and processes that support them. It is recommended that your organization complete a business impact analysis to determine the recovery sequence of critical business functions along with documented processes and service dependencies. Based on the BIA results, the organization is recommended to determine the Minimum Business Continuity Objective (MBCO), Maximum Tolerable Period of Disruption (MTPD), Recovery Time Objective (RTO), and Recovery Point Objective (RPO) for each critical business function which should be validated and approved by top management. Microsoft also recommends that your organization complete an application criticality assessment to understand the first-tier application dependencies, interdependent business processes, and business impacts such as loss of revenue, missed contractual obligations, alternative work procedure availability, the impacts that a disruption of these activities would have on the organization and other necessary Business Continuity Management System (BCMS) resources when needed. It is recommended to develop BIA-based recovery strategies to anticipate the loss of system components including but not limited to computer room environment (secure computer room with climate control, conditioned and backup power supply, etc.), hardware (networks, servers, desktop and laptop computers, wireless devices and peripherals), connectivity to a service provider (fiber, cable, wireless, etc.), software applications (electronic data interchange, electronic mail, enterprise resource management, office productivity, etc.), data, and restoration.
Requirements: The customer is responsible for implementing this recommendation.

Mode

All

Type

BuiltIn

Preview

False

Deprecated

False

Effect

Default
Manual
Allowed
Manual, Disabled

RBAC role(s)

none

Rule aliases

none

Rule resource types

IF (1)
Microsoft.Resources/subscriptions

Compliance

The following 7 compliance controls are associated with this Policy definition 'Perform a business impact assessment and application criticality assessment' (cb8841d4-9d13-7292-1d06-ba4d68384681)

Control Domain	Control	Name	MetadataId	Category	Title	Owner	Requirements	Description	Info	Policy#
FedRAMP_High_R4	CP-2(8)	FedRAMP_High_R4_CP-2(8)	FedRAMP High CP-2 (8)	Contingency Planning	Identify Critical Assets	Shared	n/a	The organization identifies critical information system assets supporting essential missions and business functions. Supplemental Guidance: Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Organizations identify critical information system assets so that additional safeguards and countermeasures can be employed (above and beyond those safeguards and countermeasures routinely implemented) to help ensure that organizational missions/business functions can continue to be conducted during contingency operations. In addition, the identification of critical information assets facilitates the prioritization of organizational resources. Critical information system assets include technical and operational aspects. Technical aspects include, for example, information technology services, information system components, information technology products, and mechanisms. Operational aspects include, for example, procedures (manually executed operations) and personnel (individuals operating technical safeguards and/or executing manual procedures). Organizational program protection plans can provide assistance in identifying critical assets. Related controls: SA-14, SA-15.	link	1
FedRAMP_Moderate_R4	CP-2(8)	FedRAMP_Moderate_R4_CP-2(8)	FedRAMP Moderate CP-2 (8)	Contingency Planning	Identify Critical Assets	Shared	n/a	The organization identifies critical information system assets supporting essential missions and business functions. Supplemental Guidance: Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Organizations identify critical information system assets so that additional safeguards and countermeasures can be employed (above and beyond those safeguards and countermeasures routinely implemented) to help ensure that organizational missions/business functions can continue to be conducted during contingency operations. In addition, the identification of critical information assets facilitates the prioritization of organizational resources. Critical information system assets include technical and operational aspects. Technical aspects include, for example, information technology services, information system components, information technology products, and mechanisms. Operational aspects include, for example, procedures (manually executed operations) and personnel (individuals operating technical safeguards and/or executing manual procedures). Organizational program protection plans can provide assistance in identifying critical assets. Related controls: SA-14, SA-15.	link	1
hipaa	1635.12b1Organizational.2-12.b	hipaa-1635.12b1Organizational.2-12.b	1635.12b1Organizational.2-12.b	16 Business Continuity & Disaster Recovery	1635.12b1Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management	Shared	n/a	Information security aspects of business continuity are: (i) based on identifying events (or sequence of events) that can cause interruptions to the organization's critical business processes (e.g., equipment failure, human errors, theft, fire, natural disasters acts of terrorism); (ii) followed by a risk assessment to determine the probability and impact of such interruptions, in terms of time, damage scale and recovery period; (iii) based on the results of the risk assessment, a business continuity strategy is developed to identify the overall approach to business continuity; and, (iv) once this strategy has been created, endorsement is provided by management, and a plan created and endorsed to implement this strategy.		6
hipaa	1636.12b2Organizational.1-12.b	hipaa-1636.12b2Organizational.1-12.b	1636.12b2Organizational.1-12.b	16 Business Continuity & Disaster Recovery	1636.12b2Organizational.1-12.b 12.01 Information Security Aspects of Business Continuity Management	Shared	n/a	The organization identifies its critical business processes and integrates the information security management requirements of business continuity with other continuity requirements relating to such aspects as operations, staffing, materials, transport and facilities.		3
hipaa	1669.12d1Organizational.8-12.d	hipaa-1669.12d1Organizational.8-12.d	1669.12d1Organizational.8-12.d	16 Business Continuity & Disaster Recovery	1669.12d1Organizational.8-12.d 12.01 Information Security Aspects of Business Continuity Management	Shared	n/a	The business continuity planning framework addresses a specific, minimal set of information security requirements.		6
NIST_SP_800-53_R4	CP-2(8)	NIST_SP_800-53_R4_CP-2(8)	NIST SP 800-53 Rev. 4 CP-2 (8)	Contingency Planning	Identify Critical Assets	Shared	n/a	The organization identifies critical information system assets supporting essential missions and business functions. Supplemental Guidance: Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Organizations identify critical information system assets so that additional safeguards and countermeasures can be employed (above and beyond those safeguards and countermeasures routinely implemented) to help ensure that organizational missions/business functions can continue to be conducted during contingency operations. In addition, the identification of critical information assets facilitates the prioritization of organizational resources. Critical information system assets include technical and operational aspects. Technical aspects include, for example, information technology services, information system components, information technology products, and mechanisms. Operational aspects include, for example, procedures (manually executed operations) and personnel (individuals operating technical safeguards and/or executing manual procedures). Organizational program protection plans can provide assistance in identifying critical assets. Related controls: SA-14, SA-15.	link	1
NIST_SP_800-53_R5	CP-2(8)	NIST_SP_800-53_R5_CP-2(8)	NIST SP 800-53 Rev. 5 CP-2 (8)	Contingency Planning	Identify Critical Assets	Shared	n/a	Identify critical system assets supporting [Selection: all;essential] mission and business functions.	link	1

Initiatives usage

Initiative DisplayName	Initiative Id	Initiative Category	State	Type
FedRAMP High	d5264498-16f4-418a-b659-fa7ef418175f	Regulatory Compliance	GA	BuiltIn
FedRAMP Moderate	e95f5a9f-57ad-4d03-bb0b-b1d16db93693	Regulatory Compliance	GA	BuiltIn
HITRUST/HIPAA	a169a624-5599-4385-a696-c8d643089fab	Regulatory Compliance	GA	BuiltIn
NIST SP 800-53 Rev. 4	cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f	Regulatory Compliance	GA	BuiltIn
NIST SP 800-53 Rev. 5	179d1daa-458f-4e47-8086-2a68d0d6c38f	Regulatory Compliance	GA	BuiltIn

History

Date/Time (UTC ymd) (i)	Change type	Change detail
2022-09-27 16:35:32	change	Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40	add	cb8841d4-9d13-7292-1d06-ba4d68384681

JSON compare

compare mode: version left: version right:

JSON

api-version=2021-06-01
EPAC