last sync: 2024-Nov-25 18:54:24 UTC

Observe and report security weaknesses | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Observe and report security weaknesses
Id ff136354-1c92-76dc-2dab-80fb7c6a9f1a
Version 1.1.0
Versioning: versions supported: 1 (1.1.0); Built-in Versioning [Preview]
Category Regulatory Compliance
Description CMA_0384 - Observe and report security weaknesses
Additional metadata Name/Id: CMA_0384 / CMA_0384
Category: Operational
Title: Observe and report security weaknesses
Ownership: Customer
Description: Microsoft recommends that your organization implement a mechanism to allow employees and contractors to report information system or service weaknesses. It is not recommended that employees and contractors test the weakness themselves without proper authorization, as this could lead to misuse of or damage to the system and to legal liability for the individual. Your organization should also consider requiring personnel to report suspected security incidents to the organizational incident response capability in a timely manner.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default: Manual
Effect Allowed: Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1): Microsoft.Resources/subscriptions
Compliance
The following 14 compliance controls are associated with this Policy definition 'Observe and report security weaknesses' (ff136354-1c92-76dc-2dab-80fb7c6a9f1a)
Columns: Control Domain | Control Name | MetadataId | Category | Title | Owner | Requirements | Description | Policy#

Control Domain: FedRAMP_High_R4 | Control Name: RA-5(6) (FedRAMP High RA-5 (6)) | MetadataId: FedRAMP_High_R4_RA-5(6)
Category: Risk Assessment | Title: Automated Trend Analyses | Owner: Shared | Requirements: n/a | Policy#: 5
Description: The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities. Supplemental Guidance: Related controls: IR-4, IR-5, SI-4.

Control Domain: FedRAMP_Moderate_R4 | Control Name: RA-5(6) (FedRAMP Moderate RA-5 (6)) | MetadataId: FedRAMP_Moderate_R4_RA-5(6)
Category: Risk Assessment | Title: Automated Trend Analyses | Owner: Shared | Requirements: n/a | Policy#: 5
Description: The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities. Supplemental Guidance: Related controls: IR-4, IR-5, SI-4.

Control Domain: hipaa | Control Name: 0201.09j1Organizational.124-09.j | MetadataId: hipaa-0201.09j1Organizational.124-09.j
Category: 02 Endpoint Protection | Title: 0201.09j1Organizational.124-09.j 09.04 Protection Against Malicious and Mobile Code | Owner: Shared | Requirements: n/a | Policy#: 14
Description: Anti-virus and anti-spyware are installed, operating and updated on all end-user devices to conduct periodic scans of the systems to identify and remove unauthorized software. Server environments for which the server software developer specifically recommends not installing host-based anti-virus and anti-spyware software are addressed via a network-based malware detection (NBMD) solution.

Control Domain: hipaa | Control Name: 0217.09j2Organizational.10-09.j | MetadataId: hipaa-0217.09j2Organizational.10-09.j
Category: 02 Endpoint Protection | Title: 0217.09j2Organizational.10-09.j 09.04 Protection Against Malicious and Mobile Code | Owner: Shared | Requirements: n/a | Policy#: 25
Description: The organization configures malicious code and spam protection mechanisms to (i) perform periodic scans of the information system according to organization guidelines; (ii) perform real-time scans of files from external sources at endpoints and network entry/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy; and (iii) block malicious code, quarantine malicious code, or send an alert to the administrator in response to malicious code detection.

Control Domain: hipaa | Control Name: 0711.10m2Organizational.23-10.m | MetadataId: hipaa-0711.10m2Organizational.23-10.m
Category: 07 Vulnerability Management | Title: 0711.10m2Organizational.23-10.m 10.06 Technical Vulnerability Management | Owner: Shared | Requirements: n/a | Policy#: 4
Description: A technical vulnerability management program is in place to monitor, assess, rank, and remediate vulnerabilities identified in systems.

Control Domain: hipaa | Control Name: 0714.10m2Organizational.7-10.m | MetadataId: hipaa-0714.10m2Organizational.7-10.m
Category: 07 Vulnerability Management | Title: 0714.10m2Organizational.7-10.m 10.06 Technical Vulnerability Management | Owner: Shared | Requirements: n/a | Policy#: 19
Description: The technical vulnerability management program is evaluated on a quarterly basis.

Control Domain: hipaa | Control Name: 0717.10m3Organizational.2-10.m | MetadataId: hipaa-0717.10m3Organizational.2-10.m
Category: 07 Vulnerability Management | Title: 0717.10m3Organizational.2-10.m 10.06 Technical Vulnerability Management | Owner: Shared | Requirements: n/a | Policy#: 2
Description: Vulnerability scanning tools include the capability to readily update the information system vulnerabilities scanned.

Control Domain: hipaa | Control Name: 0718.10m3Organizational.34-10.m | MetadataId: hipaa-0718.10m3Organizational.34-10.m
Category: 07 Vulnerability Management | Title: 0718.10m3Organizational.34-10.m 10.06 Technical Vulnerability Management | Owner: Shared | Requirements: n/a | Policy#: 4
Description: The organization scans for vulnerabilities in the information system and hosted applications to determine the state of flaw remediation monthly (automatically), and again (manually or automatically) when new vulnerabilities potentially affecting the systems and networked environments are identified and reported.

Control Domain: hipaa | Control Name: 0719.10m3Organizational.5-10.m | MetadataId: hipaa-0719.10m3Organizational.5-10.m
Category: 07 Vulnerability Management | Title: 0719.10m3Organizational.5-10.m 10.06 Technical Vulnerability Management | Owner: Shared | Requirements: n/a | Policy#: 3
Description: The organization updates the list of information system vulnerabilities scanned within every 30 days or when new vulnerabilities are identified and reported.

Control Domain: hipaa | Control Name: 0790.10m3Organizational.22-10.m | MetadataId: hipaa-0790.10m3Organizational.22-10.m
Category: 07 Vulnerability Management | Title: 0790.10m3Organizational.22-10.m 10.06 Technical Vulnerability Management | Owner: Shared | Requirements: n/a | Policy#: 17
Description: The organization reviews historic audit logs to determine if high vulnerability scan findings identified in the information system have been previously exploited.

Control Domain: NIST_SP_800-53_R4 | Control Name: RA-5(6) (NIST SP 800-53 Rev. 4 RA-5 (6)) | MetadataId: NIST_SP_800-53_R4_RA-5(6)
Category: Risk Assessment | Title: Automated Trend Analyses | Owner: Shared | Requirements: n/a | Policy#: 5
Description: The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities. Supplemental Guidance: Related controls: IR-4, IR-5, SI-4.

Control Domain: NIST_SP_800-53_R5 | Control Name: RA-5(6) (NIST SP 800-53 Rev. 5 RA-5 (6)) | MetadataId: NIST_SP_800-53_R5_RA-5(6)
Category: Risk Assessment | Title: Automated Trend Analyses | Owner: Shared | Requirements: n/a | Policy#: 5
Description: Compare the results of multiple vulnerability scans using [Assignment: organization-defined automated mechanisms].

Control Domain: SWIFT_CSCF_v2022 | Control Name: 2.7 (SWIFT CSCF v2022 2.7) | MetadataId: SWIFT_CSCF_v2022_2.7
Category: 2. Reduce Attack Surface and Vulnerabilities | Title: Identify known vulnerabilities within the local SWIFT environment by implementing a regular vulnerability scanning process and act upon results. | Owner: Shared | Requirements: n/a | Policy#: 14
Description: Secure zone (including dedicated operator PC) systems are scanned for vulnerabilities using an up-to-date, reputable scanning tool and results are considered for appropriate resolving actions.

Control Domain: SWIFT_CSCF_v2022 | Control Name: 6.1 (SWIFT CSCF v2022 6.1) | MetadataId: SWIFT_CSCF_v2022_6.1
Category: 6. Detect Anomalous Activity to Systems or Transaction Records | Title: Ensure that local SWIFT infrastructure is protected against malware and act upon results. | Owner: Shared | Requirements: n/a | Policy#: 29
Description: Anti-malware software from a reputable vendor is installed, kept up-to-date on all systems, and results are considered for appropriate resolving actions.
Initiatives usage
Initiative DisplayName | Initiative Id | Initiative Category | State | Type
FedRAMP High | d5264498-16f4-418a-b659-fa7ef418175f | Regulatory Compliance | GA | BuiltIn
FedRAMP Moderate | e95f5a9f-57ad-4d03-bb0b-b1d16db93693 | Regulatory Compliance | GA | BuiltIn
HITRUST/HIPAA | a169a624-5599-4385-a696-c8d643089fab | Regulatory Compliance | GA | BuiltIn
NIST SP 800-53 Rev. 4 | cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f | Regulatory Compliance | GA | BuiltIn
NIST SP 800-53 Rev. 5 | 179d1daa-458f-4e47-8086-2a68d0d6c38f | Regulatory Compliance | GA | BuiltIn
SWIFT CSP-CSCF v2022 | 7bc7cd6c-4114-ff31-3cac-59be3157596d | Regulatory Compliance | GA | BuiltIn
History
Date/Time (UTC ymd) | Change type | Change detail
2022-09-27 16:35:32 | change | Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40 | add | ff136354-1c92-76dc-2dab-80fb7c6a9f1a