last sync: 2024-Oct-07 17:51:17 UTC

Implement privacy notice delivery methods | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Implement privacy notice delivery methods
Id 06f84330-4c27-21f7-72cd-7488afd50244
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_0324 - Implement privacy notice delivery methods
Additional metadata Name/Id: CMA_0324 / CMA_0324
Category: Operational
Title: Implement privacy notice delivery methods
Ownership: Customer
Description: Microsoft recommends that your organization establish at least one delivery method for providing privacy notices. The following list includes examples of the most common delivery methods: - Hand-delivered printed copy of the notice to the consumer - Mailed printed copy of the notice to the last known address of the consumer - For the consumer who conducts transactions electronically, clearly, and conspicuously posted notice on the electronic site and requirement for the consumer to acknowledge receipt of the notice as a necessary step to obtaining the particular financial product or service - For an isolated transaction with the consumer, such as an ATM transaction, licensee providing an insurance quote, or selling the consumer travel insurance, posted notice and requirement for the consumer to acknowledge receipt of the notice as a necessary step to obtaining the product or service - For a data subject or an authorized delegate with disabilities, notice in specialized formats such as audio files, braille-compatible notice, or use other assistive technologies - For a non-English speaking data subject or an authorized delegate, notice in primary or home language - For multiple data subjects, if it's a challenge to send notice to each data subject, alternate delivery methods (broad-based national newspapers, local newspapers or magazines, internet webpage, posters) may be used It is not recommended to provide any notice required solely by orally explaining the notice, either in person or over the telephone. If your organization is providing short-form initial notice for non-customers, it is recommended your organization provide a simple means to consumers for obtaining that notice.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 29 compliance controls are associated with this Policy definition 'Implement privacy notice delivery methods' (06f84330-4c27-21f7-72cd-7488afd50244)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
hipaa 1201.06e1Organizational.2-06.e hipaa-1201.06e1Organizational.2-06.e 1201.06e1Organizational.2-06.e 12 Audit Logging & Monitoring 1201.06e1Organizational.2-06.e 06.01 Compliance with Legal Requirements Shared n/a The organization provides notice that the employee's actions may be monitored, and that the employee consents to such monitoring. 12
hipaa 1902.06d1Organizational.2-06.d hipaa-1902.06d1Organizational.2-06.d 1902.06d1Organizational.2-06.d 19 Data Protection & Privacy 1902.06d1Organizational.2-06.d 06.01 Compliance with Legal Requirements Shared n/a When required, consent is obtained before any PII (e.g., about a client/customer) is emailed, faxed, or communicated by telephone conversation, or otherwise disclosed to parties external to the organization. 11
hipaa 19243.06d1Organizational.15-06.d hipaa-19243.06d1Organizational.15-06.d 19243.06d1Organizational.15-06.d 19 Data Protection & Privacy 19243.06d1Organizational.15-06.d 06.01 Compliance with Legal Requirements Shared n/a The organization specifies where covered information can be stored. 9
ISO27001-2013 A.10.1.1 ISO27001-2013_A.10.1.1 ISO 27001:2013 A.10.1.1 Cryptography Policy on the use of cryptographic controls Shared n/a A policy on the use of cryptographic controls for protection of information shall be developed and implemented. link 17
ISO27001-2013 A.13.2.2 ISO27001-2013_A.13.2.2 ISO 27001:2013 A.13.2.2 Communications Security Agreements on information transfer Shared n/a Agreements shall address the secure transfer of business information between the organization and external parties. link 11
ISO27001-2013 A.7.1.2 ISO27001-2013_A.7.1.2 ISO 27001:2013 A.7.1.2 Human Resources Security Terms and conditions of employment Shared n/a The contractual agreements with employees and contractors shall state their and the organization's responsibilities for information security. link 24
mp.info.3 Electronic signature mp.info.3 Electronic signature 404 not found n/a n/a 40
mp.per.1 Job characterization mp.per.1 Job characterization 404 not found n/a n/a 41
mp.per.2 Duties and obligations mp.per.2 Duties and obligations 404 not found n/a n/a 40
mp.s.1 E-mail protection mp.s.1 E-mail protection 404 not found n/a n/a 48
mp.si.2 Cryptography mp.si.2 Cryptography 404 not found n/a n/a 32
mp.si.4 Transport mp.si.4 Transport 404 not found n/a n/a 24
op.acc.6 Authentication mechanism (organization users) op.acc.6 Authentication mechanism (organization users) 404 not found n/a n/a 78
op.ext.1 Contracting and service level agreements op.ext.1 Contracting and service level agreements 404 not found n/a n/a 35
op.mon.1 Intrusion detection op.mon.1 Intrusion detection 404 not found n/a n/a 50
org.3 Security procedures org.3 Security procedures 404 not found n/a n/a 83
PCI_DSS_v4.0 3.3.1 PCI_DSS_v4.0_3.3.1 PCI DSS v4.0 3.3.1 Requirement 03: Protect Stored Account Data Sensitive authentication data (SAD) is not stored after authorization Shared n/a SAD is not retained after authorization, even if encrypted. All sensitive authentication data received is rendered unrecoverable upon completion of the authorization process. link 8
PCI_DSS_v4.0 3.3.1.1 PCI_DSS_v4.0_3.3.1.1 PCI DSS v4.0 3.3.1.1 Requirement 03: Protect Stored Account Data Sensitive authentication data (SAD) is not stored after authorization Shared n/a The full contents of any track are not retained upon completion of the authorization process. link 8
PCI_DSS_v4.0 3.3.1.2 PCI_DSS_v4.0_3.3.1.2 PCI DSS v4.0 3.3.1.2 Requirement 03: Protect Stored Account Data Sensitive authentication data (SAD) is not stored after authorization Shared n/a The card verification code is not retained upon completion of the authorization process. link 5
PCI_DSS_v4.0 3.3.1.3 PCI_DSS_v4.0_3.3.1.3 PCI DSS v4.0 3.3.1.3 Requirement 03: Protect Stored Account Data Sensitive authentication data (SAD) is not stored after authorization Shared n/a The personal identification number (PIN) and the PIN block are not retained upon completion of the authorization process. link 8
PCI_DSS_v4.0 3.3.3 PCI_DSS_v4.0_3.3.3 PCI DSS v4.0 3.3.3 Requirement 03: Protect Stored Account Data Sensitive authentication data (SAD) is not stored after authorization Shared n/a Additional requirement for issuers and companies that support issuing services and store sensitive authentication data: Any storage of sensitive authentication data is: • Limited to that which is needed for a legitimate issuing business need and is secured. • Encrypted using strong cryptography. This bullet is a best practice until its effective date; refer to Applicability Notes below for details. link 13
PCI_DSS_v4.0 3.4.1 PCI_DSS_v4.0_3.4.1 PCI DSS v4.0 3.4.1 Requirement 03: Protect Stored Account Data Access to displays of full PAN and ability to copy cardholder data are restricted Shared n/a PAN is masked when displayed (the BIN and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see more than the BIN and last four digits of the PAN. link 3
PCI_DSS_v4.0 3.4.2 PCI_DSS_v4.0_3.4.2 PCI DSS v4.0 3.4.2 Requirement 03: Protect Stored Account Data Access to displays of full PAN and ability to copy cardholder data are restricted Shared n/a When using remote-access technologies, technical controls prevent copy and/or relocation of PAN for all personnel, except for those with documented, explicit authorization and a legitimate, defined business need. link 3
SOC_2 CC2.3 SOC_2_CC2.3 SOC 2 Type 2 CC2.3 Communication and Information COSO Principle 15 Shared The customer is responsible for implementing this recommendation. Communicates to External Parties — Processes are in place to communicate relevant and timely information to external parties, including shareholders, partners, owners, regulators, customers, financial analysts, and other external parties. • Enables Inbound Communications — Open communication channels allow input from customers, consumers, suppliers, external auditors, regulators, financial analysts, and others, providing management and the board of directors with relevant information. • Communicates With the Board of Directors — Relevant information resulting from assessments conducted by external parties is communicated to the board of directors. • Provides Separate Communication Lines — Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective. • Selects Relevant Method of Communication — The method of communication considers the timing, audience, and nature of the communication and legal, regulatory, and fiduciary requirements and expectations. Additional point of focus that applies only to an engagement using the trust services criteria for confidentiality: • Communicates Objectives Related to Confidentiality and Changes to Objectives — The entity communicates, to external users, vendors, business partners, and others whose products and services are part of the system, objectives and changes to objectives related to confidentiality.Page 20 TSP Ref. # TRUST SERVICES CRITERIA AND POINTS OF FOCUS Additional point of focus that applies only to an engagement using the trust services criteria for privacy: • Communicates Objectives Related to Privacy and Changes to Objectives — The entity communicates, to external users, vendors, business partners, and others whose products and services are part of the system, objectives related to privacy and changes to those objectives. Additional points of focus that apply only when an engagement using the trust services criteria is performed at the system level: • Communicates Information About System Operation and Boundaries — The entity prepares and communicates information about the design and operation of the system and its boundaries to authorized external users to permit users to understand their role in the system and the results of system operation. • Communicates System Objectives — The entity communicates its system objectives to appropriate external users. • Communicates System Responsibilities — External users with responsibility for designing, developing, implementing, operating, maintaining, and monitoring system controls receive communications about their responsibilities and have the information necessary to carry out those responsibilities. • Communicates Information on Reporting System Failures, Incidents, Concerns, and Other Matters — External users are provided with information on how to report systems failures, incidents, concerns, and other complaints to appropriate personnel. 14
SOC_2 P1.1 SOC_2_P1.1 SOC 2 Type 2 P1.1 Additional Criteria For Privacy Privacy notice Shared The customer is responsible for implementing this recommendation. • Communicates to Data Subjects — Notice is provided to data subjects regarding the following: — Purpose for collecting personal information — Choice and consent — Types of personal information collected — Methods of collection (for example, use of cookies or other tracking techniques) — Use, retention, and disposal — Access — Disclosure to third parties — Security for privacy — Quality, including data subjects’ responsibilities for quality — Monitoring and enforcement • Provides Notice to Data Subjects — Notice is provided to data subjects (1) at or before the time personal information is collected or as soon as practical thereafter, (2) at or before the entity changes its privacy notice or as soon as practical thereafter, or (3) before personal information is used for new purposes not previously identified. • Covers Entities and Activities in Notice — An objective description of the entities and activities covered is included in the entity’s privacy notice. • Uses Clear and Conspicuous Language — The entity’s privacy notice is conspicuous and uses clear language. 5
SOC_2 P2.1 SOC_2_P2.1 SOC 2 Type 2 P2.1 Additional Criteria For Privacy Privacy consent Shared The customer is responsible for implementing this recommendation. • Communicates to Data Subjects — Data subjects are informed (a) about the choices available to them with respect to the collection, use, and disclosure of personal information and (b) that implicit or explicit consent is required to collect, use, and disclose personal information, unless a law or regulation specifically requires or allows otherwise. • Communicates Consequences of Denying or Withdrawing Consent — When personal information is collected, data subjects are informed of the consequences of refusing to provide personal information or denying or withdrawing consent to use personal information for purposes identified in the notice. • Obtains Implicit or Explicit Consent — Implicit or explicit consent is obtained from data subjects at or before the time personal information is collected or soon there-after. The individual’s preferences expressed in his or her consent are confirmed and implemented. • Documents and Obtains Consent for New Purposes and Uses — If information that was previously collected is to be used for purposes not previously identified in the privacy notice, the new purpose is documented, the data subject is notified, and implicit or explicit consent is obtained prior to such new use or purpose. • Obtains Explicit Consent for Sensitive Information — Explicit consent is obtained directly from the data subject when sensitive personal information is collected, used, or disclosed, unless a law or regulation specifically requires otherwise. • Obtains Consent for Data Transfers — Consent is obtained before personal information is transferred to or from an individual’s computer or other similar device. 4
SOC_2 P4.1 SOC_2_P4.1 SOC 2 Type 2 P4.1 Additional Criteria For Privacy Personal information use Shared The customer is responsible for implementing this recommendation. • Uses Personal Information for Intended Purposes — Personal information is used only for the intended purposes for which it was collected and only when implicit or explicit consent has been obtained, unless a law or regulation specifically requires otherwise. 5
SOC_2 P6.7 SOC_2_P6.7 SOC 2 Type 2 P6.7 Additional Criteria For Privacy Accounting of disclosure of personal information Shared The customer is responsible for implementing this recommendation. • Identifies Types of Personal Information and Handling Process — The types of personal information and sensitive personal information and the related processes, systems, and third parties involved in the handling of such information are identified. • Captures, Identifies, and Communicates Requests for Information — Requests for an accounting of personal information held and disclosures of the data subjects’ personal information are captured and information related to the requests is identified and communicated to data subjects to meet the entity’s objectives related to privacy. 5
SOC_2 PI1.1 SOC_2_PI1.1 SOC 2 Type 2 PI1.1 Additional Criteria For Processing Integrity Data processing definitions Shared The customer is responsible for implementing this recommendation. • Identifies Information Specifications — The entity identifies information specifications required to support the use of products and services. • Defines Data Necessary to Support a Product or Service — When data is provided as part of a service or product or as part of a reporting obligation related to a product or service: 1. The definition of the data is available to the users of the data 2. The definition of the data includes the following information: a. The population of events or instances included in the data b. The nature of each element (for example, field) of the data (that is, the event or instance to which the data element relates, for example, transaction price of a sale of XYZ Corporation stock for the last trade in that stock on a given day) c. Source(s) of the data d. The unit(s) of measurement of data elements (for example, fields) e. The accuracy/correctness/precision of measurement f. The uncertainty or confidence interval inherent in each data element and in the population of those elements g. The date the data was observed or the period of time during which the events relevant to the data occurred h. The factors in addition to the date and period of time used to determine the inclusion and exclusion of items in the data elements and population 3. The definition is complete and accurate. 4. The description of the data identifies any information that is necessary to understand each data element and the population in a manner consistent with its definition and intended purpose (metadata) that has not been included within the data. The following point of focus, which applies only to an engagement using the trust services criteria for processing integrity for a system that produces, manufactures, or distributes products, highlights important characteristics relating to this criterion: • Defines Information Necessary to Support the Use of a Good or Product — When information provided by the entity is needed to use the good or product in accordance with its specifications: 1. The required information is available to the user of the good or product. 2. The required information is clearly identifiable. 3. The required information is validated for completeness and accuracy 3
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add 06f84330-4c27-21f7-72cd-7488afd50244
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC