last sync: 2024-Jul-26 18:17:39 UTC

Maintain data breach records | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source: Azure Portal
Display name: Maintain data breach records
Id: 0fd1ca29-677b-2f12-1879-639716459160
Version: 1.1.0
Category: Regulatory Compliance
Description: CMA_0351 - Maintain data breach records
Additional metadata:
Name/Id: CMA_0351 / CMA_0351
Category: Operational
Title: Maintain data breach records
Ownership: Customer
Description: Microsoft recommends that your organization maintain all necessary and required records related to a personal data breach, including details related to the breach, its consequences, and the required mitigation action taken. Different regulations require organizations to determine if breach notification is necessary and to maintain this determination in writing.
Regulations that require that this information is maintained for 24 months include:
- Canada's Breach of Security Safeguards.
Regulations that require that this information is maintained for three years include:
- Code of Maryland State Government's Protection of Information by Government Agencies
- Maryland Personal Information Protection Act - Security Breach Notification Requirements, HB 1154
- South Dakota Notice of Breach, Chapter 22-40-20 to 22-40-26.
Regulations that require that this information is maintained for five years include:
- Alaska's Personal Information Act
- Florida's Title XXXII, Chapter 501, Section 501.171, Security of Confidential Personal Information
- Iowa's Title XVI, Chapter 715C, Personal Information Security Breach Protection
- New Jersey Security Breach Disclosure
- New York General Business Law Chapter 20, Article 39-F, Section 899-aa, Section 899-bb
- Oregon Consumer Identity Theft Information Protection Act.
Requirements: The customer is responsible for implementing this recommendation.
Mode: All
Type: BuiltIn
Preview: False
Deprecated: False
Effect: Default: Manual; Allowed: Manual, Disabled
RBAC role(s): none
Rule aliases: none
Rule resource types: IF (1) Microsoft.Resources/subscriptions
Compliance
The following 16 compliance controls are associated with this Policy definition 'Maintain data breach records' (0fd1ca29-677b-2f12-1879-639716459160)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 IR-8 FedRAMP_High_R4_IR-8 FedRAMP High IR-8 Incident Response Incident Response Plan Shared n/a The organization: a. Develops an incident response plan that: 1. Provides the organization with a roadmap for implementing its incident response capability; 2. Describes the structure and organization of the incident response capability; 3. Provides a high-level approach for how the incident response capability fits into the overall organization; 4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; 5. Defines reportable incidents; 6. Provides metrics for measuring the incident response capability within the organization; 7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and 8. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; c. Reviews the incident response plan [Assignment: organization-defined frequency]; d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and f. Protects the incident response plan from unauthorized disclosure and modification. Supplemental Guidance: It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. Control Enhancements: None. References: NIST Special Publication 800-61. link 6
FedRAMP_Moderate_R4 IR-8 FedRAMP_Moderate_R4_IR-8 FedRAMP Moderate IR-8 Incident Response Incident Response Plan Shared n/a The organization: a. Develops an incident response plan that: 1. Provides the organization with a roadmap for implementing its incident response capability; 2. Describes the structure and organization of the incident response capability; 3. Provides a high-level approach for how the incident response capability fits into the overall organization; 4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; 5. Defines reportable incidents; 6. Provides metrics for measuring the incident response capability within the organization; 7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and 8. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; c. Reviews the incident response plan [Assignment: organization-defined frequency]; d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and f. Protects the incident response plan from unauthorized disclosure and modification. Supplemental Guidance: It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. Control Enhancements: None. References: NIST Special Publication 800-61. link 6
hipaa 1505.11a1Organizational.13-11.a hipaa-1505.11a1Organizational.13-11.a 1505.11a1Organizational.13-11.a 15 Incident Management 1505.11a1Organizational.13-11.a 11.01 Reporting Information Security Incidents and Weaknesses Shared n/a A formal security incident response program has been established to respond, report (without fear of repercussion), escalate and treat breaches and reported security events or incidents. Organization-wide standards are specified for the time required for system administrators and other personnel to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification. This reporting includes notifying internal and external stakeholders, the appropriate community Computer Emergency Response Team, and law enforcement agencies in accordance with all legal or regulatory requirements for involving such organizations in computer incidents. 19
hipaa 1509.11a2Organizational.236-11.a hipaa-1509.11a2Organizational.236-11.a 1509.11a2Organizational.236-11.a 15 Incident Management 1509.11a2Organizational.236-11.a 11.01 Reporting Information Security Incidents and Weaknesses Shared n/a The incident management program formally defines information security incidents and the phases of incident response; roles and responsibilities; incident handling, reporting and communication processes; third-party relationships and the handling of third-party breaches; and the supporting forensics program. The organization formally assigns job titles and duties for handling computer and network security incidents to specific individuals and identifies management personnel who will support the incident handling process by acting in key decision-making roles. 17
hipaa 1510.11a2Organizational.47-11.a hipaa-1510.11a2Organizational.47-11.a 1510.11a2Organizational.47-11.a 15 Incident Management 1510.11a2Organizational.47-11.a 11.01 Reporting Information Security Incidents and Weaknesses Shared n/a Reports and communications are made without unreasonable delay and no later than 60 days after the discovery of an incident, unless otherwise stated by law enforcement orally or in writing, and include the necessary elements. 11
hipaa 1516.11c1Organizational.12-11.c hipaa-1516.11c1Organizational.12-11.c 1516.11c1Organizational.12-11.c 15 Incident Management 1516.11c1Organizational.12-11.c 11.02 Management of Information Security Incidents and Improvements Shared n/a The security incident response program accounts for and prepares the organization for a variety of incidents. 10
hipaa 1517.11c1Organizational.3-11.c hipaa-1517.11c1Organizational.3-11.c 1517.11c1Organizational.3-11.c 15 Incident Management 1517.11c1Organizational.3-11.c 11.02 Management of Information Security Incidents and Improvements Shared n/a There is a point of contact who is responsible for coordinating incident responses and has the authority to direct actions required in all phases of the incident response process. 6
hipaa 1520.11c2Organizational.4-11.c hipaa-1520.11c2Organizational.4-11.c 1520.11c2Organizational.4-11.c 15 Incident Management 1520.11c2Organizational.4-11.c 11.02 Management of Information Security Incidents and Improvements Shared n/a The incident response plan is communicated to the appropriate individuals throughout the organization. 8
hipaa 1560.11d1Organizational.1-11.d hipaa-1560.11d1Organizational.1-11.d 1560.11d1Organizational.1-11.d 15 Incident Management 1560.11d1Organizational.1-11.d 11.02 Management of Information Security Incidents and Improvements Shared n/a The information gained from the evaluation of information security incidents is used to identify recurring or high-impact incidents, and update the incident response and recovery strategy. 8
hipaa 1587.11c2Organizational.10-11.c hipaa-1587.11c2Organizational.10-11.c 1587.11c2Organizational.10-11.c 15 Incident Management 1587.11c2Organizational.10-11.c 11.02 Management of Information Security Incidents and Improvements Shared n/a The incident management plan is reviewed and updated annually. 9
ISO27001-2013 A.16.1.1 ISO27001-2013_A.16.1.1 ISO 27001:2013 A.16.1.1 Information Security Incident Management Responsibilities and procedures Shared n/a Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents. link 7
NIST_SP_800-53_R4 IR-8 NIST_SP_800-53_R4_IR-8 NIST SP 800-53 Rev. 4 IR-8 Incident Response Incident Response Plan Shared n/a The organization: a. Develops an incident response plan that: 1. Provides the organization with a roadmap for implementing its incident response capability; 2. Describes the structure and organization of the incident response capability; 3. Provides a high-level approach for how the incident response capability fits into the overall organization; 4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; 5. Defines reportable incidents; 6. Provides metrics for measuring the incident response capability within the organization; 7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and 8. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; c. Reviews the incident response plan [Assignment: organization-defined frequency]; d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and f. Protects the incident response plan from unauthorized disclosure and modification. Supplemental Guidance: It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. Control Enhancements: None. References: NIST Special Publication 800-61. link 6
NIST_SP_800-53_R5 IR-8 NIST_SP_800-53_R5_IR-8 NIST SP 800-53 Rev. 5 IR-8 Incident Response Incident Response Plan Shared n/a a. Develop an incident response plan that: 1. Provides the organization with a roadmap for implementing its incident response capability; 2. Describes the structure and organization of the incident response capability; 3. Provides a high-level approach for how the incident response capability fits into the overall organization; 4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; 5. Defines reportable incidents; 6. Provides metrics for measuring the incident response capability within the organization; 7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; 8. Addresses the sharing of incident information; 9. Is reviewed and approved by [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]; and 10. Explicitly designates responsibility for incident response to [Assignment: organization-defined entities, personnel, or roles]. b. Distribute copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; c. Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing; d. Communicate incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and e. Protect the incident response plan from unauthorized disclosure and modification. link 6
org.2 Security regulations org.2 Security regulations 404 not found n/a n/a 100
PCI_DSS_v4.0 12.10.2 PCI_DSS_v4.0_12.10.2 PCI DSS v4.0 12.10.2 Requirement 12: Support Information Security with Organizational Policies and Programs Suspected and confirmed security incidents that could impact the CDE are responded to immediately Shared n/a At least once every 12 months, the security incident response plan is: • Reviewed and the content is updated as needed. • Tested, including all elements listed in Requirement 12.10.1. link 6
SWIFT_CSCF_v2022 11.2 SWIFT_CSCF_v2022_11.2 SWIFT CSCF v2022 11.2 11. Monitor in case of Major Disaster Ensure a consistent and effective approach for the management of incidents (Problem Management). Shared n/a Ensure a consistent and effective approach for the management of incidents (Problem Management). link 20
Initiatives usage
Initiative DisplayName    Initiative Id                          Initiative Category    State  Type
FedRAMP High              d5264498-16f4-418a-b659-fa7ef418175f   Regulatory Compliance  GA     BuiltIn
FedRAMP Moderate          e95f5a9f-57ad-4d03-bb0b-b1d16db93693   Regulatory Compliance  GA     BuiltIn
HITRUST/HIPAA             a169a624-5599-4385-a696-c8d643089fab   Regulatory Compliance  GA     BuiltIn
ISO 27001:2013            89c6cddc-1c73-4ac1-b19c-54d1a15a42f2   Regulatory Compliance  GA     BuiltIn
NIST SP 800-53 Rev. 4     cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f   Regulatory Compliance  GA     BuiltIn
NIST SP 800-53 Rev. 5     179d1daa-458f-4e47-8086-2a68d0d6c38f   Regulatory Compliance  GA     BuiltIn
PCI DSS v4                c676748e-3af9-4e22-bc28-50feed564afb   Regulatory Compliance  GA     BuiltIn
Spain ENS                 175daf90-21e1-4fec-b745-7b4c909aa94c   Regulatory Compliance  GA     BuiltIn
SWIFT CSP-CSCF v2022      7bc7cd6c-4114-ff31-3cac-59be3157596d   Regulatory Compliance  GA     BuiltIn
History
Date/Time (UTC ymd)   Change type   Change detail
2022-09-27 16:35:32   change        Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40   add           0fd1ca29-677b-2f12-1879-639716459160