Pre-configured Policies
Policy (concept) feature
This page describes the Policy (concept) midPoint feature.
Please see the feature page for more details.
The default midPoint configuration includes pre-packaged policies in a ready-to-use form. The following policies are included in midPoint initial objects:
| Policy | Applied to | When violated | Description |
|---|---|---|---|
| | Archetypes | Applies mark | Requires that all archetyped objects have at least one owner. |
| | Archetypes | Applies mark | Requires that all archetyped objects have a classification. |
The policies can be used by assigning them to the objects specified in the Applied to column above.
For example, the Require owner policy can be applied by assigning it to the Application archetype, which sets the requirement that all applications must have at least one owner.
Affected objects have to be explicitly recomputed after the policy is applied for the policy to take effect.
Limitations
- The policies can be applied only to a selected set of objects. Currently, the policies are designed to be applied to archetypes, not to individual objects (applications, roles). This could be improved in future midPoint versions.
Compliance
This feature is related to the following compliance frameworks:
- ISO/IEC 27001 5.2: Information security roles and responsibilities
- ISO/IEC 27001 5.10: Acceptable use of information and other associated assets
- ISO/IEC 27001 5.19: Information security in supplier relationships
- ISO/IEC 27001 5.20: Addressing information security within supplier agreements
- ISO/IEC 27001 5.21: Managing information security in the ICT supply chain
- ISO/IEC 27001 5.22: Monitoring, review and change management of supplier services
- ISO/IEC 27001 5.23: Information security for use of cloud services
- ISO/IEC 27001 5.26: Response to information security incidents
- ISO/IEC 27001 5.31: Legal, statutory, regulatory and contractual requirements
- ISO/IEC 27001 5.36: Compliance with policies, rules and standards for information security
- ISO/IEC 27001 6.3: Information security awareness, education and training
- ISO/IEC 27001 6.5: Responsibilities after termination or change of employment
- ISO/IEC 27001 6.6: Confidentiality or non-disclosure agreements
- ISO/IEC 27001 8.19: Installation of software on operational systems