AzPolicyAdvertizer

last sync: 2024-May-17 18:03:56 UTC

Facilitate information sharing | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Facilitate information sharing
Id a44c9fba-43f8-4b7b-7ee6-db52c96b4366
Version 1.1.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description CMA_0284 - Facilitate information sharing
Additional metadata Name/Id: CMA_0284 / CMA_0284
Category: Operational
Title: Facilitate information sharing
Ownership: Customer
Description: Microsoft recommends that your organization facilitate information sharing by enabling authorized users to determine whether access authorizations assigned to any sharing partner match the access restrictions on the information based on your organizations privacy and security requirements. Your organization should consider creating and maintaining Access Control policies and standard operating procedures that include details for how authorized users can determine whether access authorizations assigned to any sharing partner match the access restrictions on the information. Microsoft recommends that your organization determine the conditions where personally identifiable information may be disclosed to external sources without prior consent. These conditions may include, but are not limited to: - To support an on-going legal investigation - To provide information to parents or legal guardians in the case of minors - In health and safety emergencies. The UK's Data Protection Act of 2018 requires controllers who transfer personal data within the United Kingdom to another competent authority to inform the EU recipient or non-EU recipient that the data is transmitted.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 6 compliance controls are associated with this Policy definition 'Facilitate information sharing' (a44c9fba-43f8-4b7b-7ee6-db52c96b4366)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 AC-21 FedRAMP_High_R4_AC-21 FedRAMP High AC-21 Access Control Information Sharing Shared n/a The organization: a. Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and b. Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions.   Supplemental Guidance: This control applies to information that may be restricted in some manner (e.g., privileged medical information, contract-sensitive information, proprietary information, personally identifiable information, classified information related to special access programs or compartments) based on some formal or administrative determination. Depending on the particular information-sharing circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program/compartment. Related control: AC-3. References: None. link 2
FedRAMP_Moderate_R4 AC-21 FedRAMP_Moderate_R4_AC-21 FedRAMP Moderate AC-21 Access Control Information Sharing Shared n/a The organization: a. Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and b. Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions.   Supplemental Guidance: This control applies to information that may be restricted in some manner (e.g., privileged medical information, contract-sensitive information, proprietary information, personally identifiable information, classified information related to special access programs or compartments) based on some formal or administrative determination. Depending on the particular information-sharing circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program/compartment. Related control: AC-3. References: None. link 2
hipaa 0209.09m3Organizational.7-09.m hipaa-0209.09m3Organizational.7-09.m 0209.09m3Organizational.7-09.m 02 Endpoint Protection 0209.09m3Organizational.7-09.m 09.06 Network Security Management Shared n/a File sharing is disabled on wireless-enabled devices. 6
hipaa 0306.09q1Organizational.3-09.q hipaa-0306.09q1Organizational.3-09.q 0306.09q1Organizational.3-09.q 03 Portable Media Security 0306.09q1Organizational.3-09.q 09.07 Media Handling Shared n/a The status and location of unencrypted covered information is maintained and monitored. 6
NIST_SP_800-53_R4 AC-21 NIST_SP_800-53_R4_AC-21 NIST SP 800-53 Rev. 4 AC-21 Access Control Information Sharing Shared n/a The organization: a. Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and b. Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions.   Supplemental Guidance: This control applies to information that may be restricted in some manner (e.g., privileged medical information, contract-sensitive information, proprietary information, personally identifiable information, classified information related to special access programs or compartments) based on some formal or administrative determination. Depending on the particular information-sharing circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program/compartment. Related control: AC-3. References: None. link 2
NIST_SP_800-53_R5 AC-21 NIST_SP_800-53_R5_AC-21 NIST SP 800-53 Rev. 5 AC-21 Access Control Information Sharing Shared n/a a. Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information???s access and use restrictions for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and b. Employ [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing and collaboration decisions. link 2
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40 add a44c9fba-43f8-4b7b-7ee6-db52c96b4366
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC