Policy
Overview
Tier0 and Enterprise Information Security work together to create the regulatory and security compliance policies in line with state government standards.
The policies enforce adherence to the minimum required security measures, helping teams meet those criteria from the start and giving them a simple way to detect and swiftly fix any serious findings.
Each subscription is provisioned with these policies so that it meets the applicable regulatory compliance requirements from the outset.
The purpose of these policies is to identify any resource in the environment that does not comply with them; once identified, the vulnerabilities and non-compliances are fixed by the respective owner of the resources.
Detailed Description
Policies are implemented on all SGS Azure Subscriptions to ensure compliance with Optum standards, to enforce SGS governance and to meet compliance requirements for customers. Each client or subscription will be affected by multiple policies. The result is the most restrictive combination of the policies applied, ensuring that compliance goals are met.
Tier0 deploys policies at multiple scopes in the Azure infrastructure:
- Management Groups: Policies used to enforce compliance frameworks and Optum security requirements.
- Resource Groups: Policies that govern the administration of the Azure environments and resources.
- Subscriptions: Policies applied to client-specific subscriptions only when required by client contracts. These policies are applied and enforced by client delivery teams.
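The management-group scope above is where a policy reaches every subscription beneath it, which is why a deny assigned there is what produces the "most restrictive combination" regardless of what a client assigns lower down. The following is an added example, not one of the Tier0 or SGS policies, of an ARM template deployed at management group scope that creates one custom policy definition and assigns it there. The policy name, display names, the choice of storage-account HTTPS enforcement as the control, and the API versions are assumptions made for this illustration; the `supportsHttpsTrafficOnly` alias is the one Azure Policy exposes for storage accounts. The `effect` template parameter lets the same template be rolled out in Audit mode first (report only) and switched to Deny once the findings have been cleaned up.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "description": "Constructed example: one custom policy definition plus its assignment, deployed at management group scope so every subscription beneath it inherits the control."
  },
  "parameters": {
    "effect": {
      "type": "string",
      "defaultValue": "Deny",
      "allowedValues": [ "Audit", "Deny" ],
      "metadata": {
        "description": "Audit only reports non-compliant storage accounts; Deny blocks their creation or update. Roll out with Audit first, then switch to Deny."
      }
    }
  },
  "variables": {
    "policyName": "example-deny-storage-without-https",
    "assignmentName": "example-https-storage"
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/policyDefinitions",
      "apiVersion": "2021-06-01",
      "name": "[variables('policyName')]",
      "properties": {
        "policyType": "Custom",
        "mode": "Indexed",
        "displayName": "Storage accounts must enforce HTTPS-only traffic (example)",
        "description": "Flags or blocks storage accounts whose supportsHttpsTrafficOnly setting is not true.",
        "policyRule": {
          "if": {
            "allOf": [
              { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
              { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "notEquals": "true" }
            ]
          },
          "then": { "effect": "[parameters('effect')]" }
        }
      }
    },
    {
      "type": "Microsoft.Authorization/policyAssignments",
      "apiVersion": "2022-06-01",
      "name": "[variables('assignmentName')]",
      "dependsOn": [ "[variables('policyName')]" ],
      "properties": {
        "displayName": "Enforce HTTPS-only storage across the management group (example)",
        "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', variables('policyName'))]",
        "enforcementMode": "Default"
      }
    }
  ]
}
```

Deploy it with `az deployment mg create --management-group-id <mg-id> --location <region> --template-file enforce-https-storage.json --parameters effect=Audit`, where `<mg-id>` is the target management group. The assignment name is kept short because assignment names at management group scope are limited to 24 characters. After the first evaluation cycle, `az policy state summarize --management-group <mg-id>` shows how many resources the assignment reports as non-compliant; when that count has been worked down by the resource owners, redeploy with `effect=Deny` so new non-compliant storage accounts are rejected at creation time instead of being reported afterwards.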
Detailed information on the applicability of the different policies is documented individually for each policy.
Apart from the user-defined policies, there are two sets of built-in policies in Azure. These relate more to vulnerabilities:
- NIST Cybersecurity Framework (CSF): a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risks. Each control within the CSF is mapped to the corresponding NIST 800-53 controls.
- FedRAMP In Process: indicates that a Cyber Security Policy (CSP) is actively working towards FedRAMP Authorization through the Agency Authorization process.
Benefits and Business Case
- Compliance with government policies.
- Proactive security measures.
- Cloud policy management and security maintenance at large scale.
- Real-time enforcement and evaluation of policies.
- System-generated alerts for non-compliant and vulnerable resources, enabling quick action.
Responsibilities
Because non-compliances and vulnerabilities are categorized by subscription, after the handover both Tier0 and the Client fix their own non-compliances and vulnerabilities.
Tier0
- Fix all non-compliances and vulnerabilities identified on Tier0 resources.
Client
- Fix all non-compliances and vulnerabilities identified on application resources.