compliance controls are associated with this Policy definition 'Disable authenticators upon termination' (d9d48ffb-0d8c-0bd5-5f31-5a5826d19f10)
| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| CIS_Azure_1.1.0 | 3.4 | CIS_Azure_1.1.0_3.4 | CIS Microsoft Azure Foundations Benchmark recommendation 3.4 | 3 Storage Accounts | Ensure that shared access signature tokens expire within an hour | Shared | The customer is responsible for implementing this recommendation. | Expire shared access signature tokens within an hour. | link | 3 |
| CIS_Azure_1.3.0 | 3.4 | CIS_Azure_1.3.0_3.4 | CIS Microsoft Azure Foundations Benchmark recommendation 3.4 | 3 Storage Accounts | Ensure that shared access signature tokens expire within an hour | Shared | The customer is responsible for implementing this recommendation. | Expire shared access signature tokens within an hour. | link | 3 |
| CIS_Azure_1.4.0 | 3.4 | CIS_Azure_1.4.0_3.4 | CIS Microsoft Azure Foundations Benchmark recommendation 3.4 | 3 Storage Accounts | Ensure that Shared Access Signature Tokens Expire Within an Hour | Shared | The customer is responsible for implementing this recommendation. | Expire shared access signature tokens within an hour. | link | 3 |
| CIS_Azure_2.0.0 | 3.6 | CIS_Azure_2.0.0_3.6 | CIS Microsoft Azure Foundations Benchmark recommendation 3.6 | 3 | Ensure that Shared Access Signature Tokens Expire Within an Hour | Shared | n/a | Expire shared access signature tokens within an hour.<br>A shared access signature (SAS) is a URI that grants restricted access rights to Azure Storage resources. A shared access signature can be provided to clients who should not be trusted with the storage account key but for whom it may be necessary to delegate access to certain storage account resources. Providing a shared access signature URI to these clients allows them access to a resource for a specified period of time. This time should be set as low as possible and preferably no longer than an hour. | link | 3 |
| FedRAMP_High_R4 | AC-2(3) | FedRAMP_High_R4_AC-2(3) | FedRAMP High AC-2 (3) | Access Control | Disable Inactive Accounts | Shared | n/a | The information system automatically disables inactive accounts after [Assignment: organization-defined time period]. | link | 2 |
| FedRAMP_High_R4 | PS-4 | FedRAMP_High_R4_PS-4 | FedRAMP High PS-4 | Personnel Security | Personnel Termination | Shared | n/a | The organization, upon termination of individual employment:<br>a. Disables information system access within [Assignment: organization-defined time period];<br>b. Terminates/revokes any authenticators/credentials associated with the individual;<br>c. Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics];<br>d. Retrieves all security-related organizational information system-related property;<br>e. Retains access to organizational information and information systems formerly controlled by terminated individual; and<br>f. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].<br>Supplemental Guidance: Information system-related property includes, for example, hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for information system-related property. Security topics of interest at exit interviews can include, for example, reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and nonavailability of supervisors. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals terminated for cause. In certain situations, organizations consider disabling the information system accounts of individuals that are being terminated prior to the individuals being notified. Related controls: AC-2, IA-4, PE-2, PS-5, PS-6.<br>References: None. | link | 5 |
| FedRAMP_Moderate_R4 | AC-2(3) | FedRAMP_Moderate_R4_AC-2(3) | FedRAMP Moderate AC-2 (3) | Access Control | Disable Inactive Accounts | Shared | n/a | The information system automatically disables inactive accounts after [Assignment: organization-defined time period]. | link | 2 |
| FedRAMP_Moderate_R4 | PS-4 | FedRAMP_Moderate_R4_PS-4 | FedRAMP Moderate PS-4 | Personnel Security | Personnel Termination | Shared | n/a | The organization, upon termination of individual employment:<br>a. Disables information system access within [Assignment: organization-defined time period];<br>b. Terminates/revokes any authenticators/credentials associated with the individual;<br>c. Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics];<br>d. Retrieves all security-related organizational information system-related property;<br>e. Retains access to organizational information and information systems formerly controlled by terminated individual; and<br>f. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].<br>Supplemental Guidance: Information system-related property includes, for example, hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for information system-related property. Security topics of interest at exit interviews can include, for example, reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and nonavailability of supervisors. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals terminated for cause. In certain situations, organizations consider disabling the information system accounts of individuals that are being terminated prior to the individuals being notified. Related controls: AC-2, IA-4, PE-2, PS-5, PS-6.<br>References: None. | link | 5 |
| hipaa | 0701.07a1Organizational.12-07.a | hipaa-0701.07a1Organizational.12-07.a | 0701.07a1Organizational.12-07.a | 07 Vulnerability Management | 0701.07a1Organizational.12-07.a 07.01 Responsibility for Assets | Shared | n/a | An inventory of assets and services is maintained. |  | 7 |
| hipaa | 1109.01b1System.479-01.b | hipaa-1109.01b1System.479-01.b | 1109.01b1System.479-01.b | 11 Access Control | 1109.01b1System.479-01.b 01.02 Authorized Access to Information Systems | Shared | n/a | User registration and deregistration, at a minimum: (i) communicates relevant policies to users and requires acknowledgement (e.g., signed or captured electronically); (ii) checks authorization and minimum level of access necessary prior to granting access; (iii) ensures access is appropriate to the business needs (consistent with sensitivity/risk and does not violate segregation of duties requirements); (iv) addresses termination and transfer; (v) ensures default accounts are removed and/or renamed; (vi) removes or blocks critical access rights of users who have changed roles or jobs; and, (vii) automatically removes or disables inactive accounts. |  | 24 |
| hipaa | 11154.02i1Organizational.5-02.i | hipaa-11154.02i1Organizational.5-02.i | 11154.02i1Organizational.5-02.i | 11 Access Control | 11154.02i1Organizational.5-02.i 02.04 Termination or Change of Employment | Shared | n/a | Access rights to information assets and facilities are reduced or removed before the employment or other workforce arrangement terminates or changes, depending on the evaluation of risk factors. |  | 8 |
| hipaa | 11155.02i2Organizational.2-02.i | hipaa-11155.02i2Organizational.2-02.i | 11155.02i2Organizational.2-02.i | 11 Access Control | 11155.02i2Organizational.2-02.i 02.04 Termination or Change of Employment | Shared | n/a | The organization employs automated mechanisms to notify specific personnel or roles (formally defined by the organization) upon termination of an individual. |  | 10 |
| hipaa | 11220.01b1System.10-01.b | hipaa-11220.01b1System.10-01.b | 11220.01b1System.10-01.b | 11 Access Control | 11220.01b1System.10-01.b 01.02 Authorized Access to Information Systems | Shared | n/a | User registration and de-registration formally address establishing, activating, modifying, reviewing, disabling and removing accounts. |  | 26 |
| hipaa | 1135.02i1Organizational.1234-02.i | hipaa-1135.02i1Organizational.1234-02.i | 1135.02i1Organizational.1234-02.i | 11 Access Control | 1135.02i1Organizational.1234-02.i 02.04 Termination or Change of Employment | Shared | n/a | Upon termination or changes in employment for employees, contractors, third-party users, or other workforce arrangement, physical and logical access rights and associated materials (e.g., passwords, keycards, keys, documentation that identify them as current members of the organization) are removed or modified to restrict access within 24 hours and old accounts are closed after 90 days of opening new accounts. |  | 9 |
| hipaa | 1136.02i2Organizational.1-02.i | hipaa-1136.02i2Organizational.1-02.i | 1136.02i2Organizational.1-02.i | 11 Access Control | 1136.02i2Organizational.1-02.i 02.04 Termination or Change of Employment | Shared | n/a | For instances of increased risk, physical and logical access rights are immediately removed or modified following employee, contractor or third-party user termination, and allow for immediate escorting from the site, if necessary. |  | 6 |
| ISO27001-2013 | A.7.3.1 | ISO27001-2013_A.7.3.1 | ISO 27001:2013 A.7.3.1 | Human Resources Security | Termination or change of employment responsibilities | Shared | n/a | Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced. | link | 8 |
| ISO27001-2013 | A.8.1.4 | ISO27001-2013_A.8.1.4 | ISO 27001:2013 A.8.1.4 | Asset Management | Return of assets | Shared | n/a | All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement. | link | 8 |
| ISO27001-2013 | A.9.2.4 | ISO27001-2013_A.9.2.4 | ISO 27001:2013 A.9.2.4 | Access Control | Management of secret authentication information of users | Shared | n/a | The allocation of secret authentication information shall be controlled through a formal management process. | link | 21 |
| ISO27001-2013 | A.9.3.1 | ISO27001-2013_A.9.3.1 | ISO 27001:2013 A.9.3.1 | Access Control | Use of secret authentication information | Shared | n/a | Users shall be required to follow the organization's practices in the use of secret authentication information. | link | 15 |
| ISO27001-2013 | A.9.4.3 | ISO27001-2013_A.9.4.3 | ISO 27001:2013 A.9.4.3 | Access Control | Password management system | Shared | n/a | Password management systems shall be interactive and shall ensure quality passwords. | link | 22 |
|  | mp.per.2 Duties and obligations | mp.per.2 Duties and obligations |  |  |  |  | n/a | n/a |  | 40 |
|  | mp.s.2 Protection of web services and applications | mp.s.2 Protection of web services and applications |  |  |  |  | n/a | n/a |  | 102 |
| NIST_SP_800-171_R2 | 3.9.2 | NIST_SP_800-171_R2_3.9.2 | NIST SP 800-171 R2 3.9.2 | Personnel Security | Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers | Shared | Microsoft and the customer share responsibilities for implementing this requirement. | Protecting CUI during and after personnel actions may include returning system-related property and conducting exit interviews. System-related property includes hardware authentication tokens, identification cards, system administration technical manuals, keys, and building passes. Exit interviews ensure that individuals who have been terminated understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics of interest at exit interviews can include reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and non-availability of supervisors. For termination actions, timely execution is essential for individuals terminated for cause. In certain situations, organizations consider disabling the system accounts of individuals that are being terminated prior to the individuals being notified. This requirement applies to reassignments or transfers of individuals when the personnel action is permanent or of such extended durations as to require protection. Organizations define the CUI protections appropriate for the types of reassignments or transfers, whether permanent or extended. Protections that may be required for transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; changing system access authorizations (i.e., privileges); closing system accounts and establishing new accounts; and providing for access to official records to which individuals had access at previous work locations and in previous system accounts. | link | 7 |
| NIST_SP_800-53_R4 | AC-2(3) | NIST_SP_800-53_R4_AC-2(3) | NIST SP 800-53 Rev. 4 AC-2 (3) | Access Control | Disable Inactive Accounts | Shared | n/a | The information system automatically disables inactive accounts after [Assignment: organization-defined time period]. | link | 2 |
| NIST_SP_800-53_R4 | PS-4 | NIST_SP_800-53_R4_PS-4 | NIST SP 800-53 Rev. 4 PS-4 | Personnel Security | Personnel Termination | Shared | n/a | The organization, upon termination of individual employment:<br>a. Disables information system access within [Assignment: organization-defined time period];<br>b. Terminates/revokes any authenticators/credentials associated with the individual;<br>c. Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics];<br>d. Retrieves all security-related organizational information system-related property;<br>e. Retains access to organizational information and information systems formerly controlled by terminated individual; and<br>f. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].<br>Supplemental Guidance: Information system-related property includes, for example, hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for information system-related property. Security topics of interest at exit interviews can include, for example, reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and nonavailability of supervisors. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals terminated for cause. In certain situations, organizations consider disabling the information system accounts of individuals that are being terminated prior to the individuals being notified. Related controls: AC-2, IA-4, PE-2, PS-5, PS-6.<br>References: None. | link | 5 |
| NIST_SP_800-53_R5 | AC-2(3) | NIST_SP_800-53_R5_AC-2(3) | NIST SP 800-53 Rev. 5 AC-2 (3) | Access Control | Disable Accounts | Shared | n/a | Disable accounts within [Assignment: organization-defined time period] when the accounts:<br>(a) Have expired;<br>(b) Are no longer associated with a user or individual;<br>(c) Are in violation of organizational policy; or<br>(d) Have been inactive for [Assignment: organization-defined time period]. | link | 2 |
| NIST_SP_800-53_R5 | PS-4 | NIST_SP_800-53_R5_PS-4 | NIST SP 800-53 Rev. 5 PS-4 | Personnel Security | Personnel Termination | Shared | n/a | Upon termination of individual employment:<br>a. Disable system access within [Assignment: organization-defined time period];<br>b. Terminate or revoke any authenticators and credentials associated with the individual;<br>c. Conduct exit interviews that include a discussion of [Assignment: organization-defined information security topics];<br>d. Retrieve all security-related organizational system-related property; and<br>e. Retain access to organizational information and systems formerly controlled by terminated individual. | link | 5 |
|  | op.acc.1 Identification | op.acc.1 Identification |  |  |  |  | n/a | n/a |  | 66 |
|  | op.acc.2 Access requirements | op.acc.2 Access requirements |  |  |  |  | n/a | n/a |  | 64 |
|  | op.acc.5 Authentication mechanism (external users) | op.acc.5 Authentication mechanism (external users) |  |  |  |  | n/a | n/a |  | 72 |
|  | op.exp.1 Asset inventory | op.exp.1 Asset inventory |  |  |  |  | n/a | n/a |  | 40 |
|  | op.exp.10 Cryptographic key protection | op.exp.10 Cryptographic key protection |  |  |  |  | n/a | n/a |  | 53 |
|  | org.2 Security regulations | org.2 Security regulations |  |  |  |  | n/a | n/a |  | 100 |
| PCI_DSS_v4.0 | 8.2.6 | PCI_DSS_v4.0_8.2.6 | PCI DSS v4.0 8.2.6 | Requirement 08: Identify Users and Authenticate Access to System Components | User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle | Shared | n/a | Inactive user accounts are removed or disabled within 90 days of inactivity. | link | 2 |
| SWIFT_CSCF_v2022 | 5.1 | SWIFT_CSCF_v2022_5.1 | SWIFT CSCF v2022 5.1 | 5. Manage Identities and Segregate Privileges | Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. | Shared | n/a | Accounts are defined according to the security principles of need-to-know access, least privilege, and separation of duties. | link | 35 |
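The CIS rows above state the bound (SAS tokens expire within an hour) but not how to verify it, and the policy this table is mapped to concerns authenticators that outlive a person's access. A SAS signed with the storage account key is exactly such an authenticator: disabling the user who generated it does nothing, and short of rotating the account key the only thing that ends its validity is its `se` expiry. The script below is an added example, not code from Microsoft, CIS or Azure Policy. It parses SAS URIs harvested from configuration, pipeline variables or logs, computes the lifetime from the standard `st` (start) and `se` (expiry) query parameters, flags tokens with no expiry or an expiry delegated to a stored access policy (`si`), and strips the `sig` parameter before reporting so the report itself cannot be replayed. The storage account name, container paths, `sig` values and the reference clock `NOW` are constructed placeholders.

```python
"""Audit Azure Storage shared access signature (SAS) URIs against the
CIS Azure 'expire within an hour' bound (recommendation 3.4 / 3.6).
Added example; not Microsoft's, CIS's or any SDK's code."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

MAX_LIFETIME = timedelta(hours=1)

# ISO 8601 UTC layouts that Azure accepts for the st/se parameters.
_TIME_FORMATS = ("%Y-%m-%dT%H:%M:%S.%f", "%Y-%m-%dT%H:%M:%S", "%Y-%m-%dT%H:%M", "%Y-%m-%d")


def parse_sas_time(value: str) -> datetime:
    """Parse an 'st' or 'se' value into an aware UTC datetime."""
    text = value.rstrip("Z")
    for fmt in _TIME_FORMATS:
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp {value!r}")


def redact(uri: str) -> str:
    """Drop the 'sig' parameter so a finding can be logged without leaking a usable token."""
    parts = urlsplit(uri)
    kept = [(k, v) for k, v in parse_qsl(parts.query) if k != "sig"]
    return urlunsplit(parts._replace(query=urlencode(kept)))


@dataclass
class SasFinding:
    is_sas: bool
    redacted_uri: str
    permissions: str = ""
    lifetime: Optional[timedelta] = None   # se - st, when both are present
    remaining: Optional[timedelta] = None  # se - now
    issues: List[str] = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        # Only a SAS can be judged; anything we could not verify counts as an issue.
        return self.is_sas and not self.issues


def check_sas(uri: str, now: datetime) -> SasFinding:
    """Evaluate one URI. 'now' is injected so an audit run is reproducible."""
    params = dict(parse_qsl(urlsplit(uri).query))
    finding = SasFinding(is_sas="sig" in params, redacted_uri=redact(uri))
    if not finding.is_sas:
        return finding  # plain blob URL, no delegated access to judge
    finding.permissions = params.get("sp", "")

    if "se" not in params:
        if "si" in params:
            # Expiry lives in the container's stored access policy; check it there.
            finding.issues.append(f"expiry delegated to stored access policy {params['si']!r}")
        else:
            finding.issues.append("no 'se' expiry parameter")
        return finding

    expiry = parse_sas_time(params["se"])
    finding.remaining = expiry - now
    if "st" in params:
        finding.lifetime = expiry - parse_sas_time(params["st"])
        if finding.lifetime > MAX_LIFETIME:
            finding.issues.append(f"lifetime {finding.lifetime} exceeds {MAX_LIFETIME}")
    elif finding.remaining > MAX_LIFETIME:
        # Without 'st' the token was valid from issuance, which the URI does not reveal,
        # so (se - now) is a lower bound on the true lifetime and already too long.
        finding.issues.append(f"still valid for {finding.remaining}, exceeds {MAX_LIFETIME}")
    else:
        finding.issues.append("no 'st'; total lifetime cannot be verified from the URI")
    return finding


# Constructed sample inputs (fake account, paths and signatures).
NOW = datetime(2024, 5, 1, 10, 5, tzinfo=timezone.utc)
SAMPLE_URIS = [
    "https://examplestg.blob.core.windows.net/reports/q1.csv?sv=2022-11-02&sr=b&sp=r"
    "&st=2024-05-01T10:00:00Z&se=2024-05-01T10:30:00Z&sig=FAKESIG1",
    "https://examplestg.blob.core.windows.net/reports?sv=2022-11-02&sr=c&sp=rwdl"
    "&st=2024-05-01T00:00Z&se=2024-06-01&sig=FAKESIG2",
    "https://examplestg.blob.core.windows.net/reports/q1.csv?sv=2022-11-02&sr=b&sp=r"
    "&se=2024-05-01T11:30:00Z&sig=FAKESIG3",
    "https://examplestg.blob.core.windows.net/reports?sv=2022-11-02&sr=c&si=nightly-export&sig=FAKESIG4",
    "https://examplestg.blob.core.windows.net/reports/q1.csv",
]


def audit_samples() -> List[SasFinding]:
    return [check_sas(u, NOW) for u in SAMPLE_URIS]


if __name__ == "__main__":
    for f in audit_samples():
        status = "n/a" if not f.is_sas else ("ok" if f.compliant else "FAIL")
        print(f"{status:4} sp={f.permissions or '-':5} {f.redacted_uri}")
        for issue in f.issues:
            print(f"       - {issue}")
```

Run it against a list of URIs pulled from wherever SAS tokens tend to accumulate (app settings, CI variables, proxy logs). The `st`-less case is deliberately treated as unverifiable rather than compliant: the hour bound is about total lifetime, and a URI without a start time cannot prove it. A finding for a token that is already expired still matters, since it is evidence of how tokens are being minted.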