CMA_C1750 - Determine information protection needs
Additional metadata
Name/Id: CMA_C1750 / CMA_C1750 Category: Documentation Title: Determine information protection needs Ownership: Customer Description: The customer is responsible for determining information protection needs arising from the defined mission/business processes and revises the processes as necessary, until achievable protection needs are obtained Requirements: The customer is responsible for implementing this recommendation.
Mode
All
Type
BuiltIn
Preview
False
Deprecated
False
Effect
Default Manual Allowed Manual, Disabled
RBAC role(s)
none
Rule aliases
none
Rule resource types
IF (1) Microsoft.Resources/subscriptions
Compliance
The following 4 compliance controls are associated with this Policy definition 'Determine information protection needs' (dbcef108-7a04-38f5-8609-99da110a2a57)
0811.01n2Organizational.6-01.n 01.04 Network Access Control
Shared
n/a
Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need.
The customer is responsible for implementing this recommendation.
• Reflects Management's Choices — Operations objectives reflect management's
choices about structure, industry considerations, and performance of the entity.
• Considers Tolerances for Risk — Management considers the acceptable levels of
variation relative to the achievement of operations objectives.
• Includes Operations and Financial Performance Goals — The organization reflects
the desired level of operations and financial performance for the entity within operations objectives.
• Forms a Basis for Committing of Resources — Management uses operations objectives as a basis for allocating resources needed to attain desired operations and financial performance.
External Financial Reporting Objectives
• Complies With Applicable Accounting Standards — Financial reporting objectives
are consistent with accounting principles suitable and available for that entity. The
accounting principles selected are appropriate in the circumstances.
• Considers Materiality — Management considers materiality in financial statement
presentation.
• Reflects Entity Activities — External reporting reflects the underlying transactions
and events to show qualitative characteristics and assertions.
External Nonfinancial Reporting Objectives
• Complies With Externally Established Frameworks — Management establishes objectives consistent with laws and regulations or standards and frameworks of recognized external organizations.
• Considers the Required Level of Precision — Management reflects the required
level of precision and accuracy suitable for user needs and based on criteria established by third parties in nonfinancial reporting.
• Reflects Entity Activities — External reporting reflects the underlying transactions
and events within a range of acceptable limits.
Internal Reporting Objectives
• Reflects Management's Choices — Internal reporting provides management with
accurate and complete information regarding management's choices and information Page 22
TSP
Ref. #
TRUST SERVICES CRITERIA AND POINTS OF FOCUS
needed in managing the entity.
• Considers the Required Level of Precision — Management reflects the required
level of precision and accuracy suitable for user needs in nonfinancial reporting objectives and materiality within financial reporting objectives.
• Reflects Entity Activities — Internal reporting reflects the underlying transactions
and events within a range of acceptable limits.
Compliance Objectives
• Reflects External Laws and Regulations — Laws and regulations establish minimum standards of conduct, which the entity integrates into compliance objectives.
• Considers Tolerances for Risk — Management considers the acceptable levels of
variation relative to the achievement of operations objectives
The customer is responsible for implementing this recommendation.
Points of focus specified in the COSO framework:
• Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels — The
entity identifies and assesses risk at the entity, subsidiary, division, operating unit,
and functional levels relevant to the achievement of objectives.
• Analyzes Internal and External Factors — Risk identification considers both internal
and external factors and their impact on the achievement of objectives.
• Involves Appropriate Levels of Management — The entity puts into place effective risk assessment mechanisms that involve appropriate levels of management.
• Estimates Significance of Risks Identified — Identified risks are analyzed through a
process that includes estimating the potential significance of the risk.
• Determines How to Respond to Risks — Risk assessment includes considering how
the risk should be managed and whether to accept, avoid, reduce, or share the risk.
Additional points of focus specifically related to all engagements using the trust services criteria:
• Identifies and Assesses Criticality of Information Assets and Identifies Threats and
Vulnerabilities — The entity's risk identification and assessment process includes
(1) identifying information assets, including physical devices and systems, virtual
devices, software, data and data flows, external information systems, and organizational roles; (2) assessing the criticality of those information assets; (3) identifying
the threats to the assets from intentional (including malicious) and unintentional
acts and environmental events; and (4) identifying the vulnerabilities of the identified assets.
• Analyzes Threats and Vulnerabilities From Vendors, Business Partners, and Other
Parties — The entity's risk assessment process includes the analysis of potential
threats and vulnerabilities arising from vendors providing goods and services, as
well as threats and vulnerabilities arising from business partners, customers, and
others with access to the entity's information systems.
• Considers the Significance of the Risk — The entity’s consideration of the potential
significance of the identified risks includes (1) determining the criticality of identified assets in meeting objectives; (2) assessing the impact of identified threats and
vulnerabilities in meeting objectives; (3) assessing the likelihood of identified
threats; and (4) determining the risk associated with assets based on asset criticality, threat impact, and likelihood.
The customer is responsible for implementing this recommendation.
• Considers Mitigation of Risks of Business Disruption — Risk mitigation activities
include the development of planned policies, procedures, communications, and alternative processing solutions to respond to, mitigate, and recover from security
events that disrupt business operations. Those policies and procedures include monitoring processes, information, and communications to meet the entity's objectives
during response, mitigation, and recovery efforts.
• Considers the Use of Insurance to Mitigate Financial Impact Risks — The risk
management activities consider the use of insurance to offset the financial impact of
loss events that would otherwise impair the ability of the entity to meet its objectives