AzPolicyAdvertizer

last sync: 2023-Dec-05 19:46:27 UTC

Azure Policy definition

Information security and personal data protection | Regulatory Compliance - Operational

Source

Azure Portal

Display name

Information security and personal data protection

34738025-5925-51f9-1081-f2d0060133ed

Version

1.1.0
Details on versioning

Category

Regulatory Compliance
Microsoft Learn

Description

CMA_0332 - Information security and personal data protection

Additional metadata

Name/Id: CMA_0332 / CMA_0332
Category: Operational
Title: Information security and personal data protection
Ownership: Customer
Description: Microsoft recommends that your organization's privacy program manage the risks to individuals that may result from the creation, collection, use, and retention of PII, the inadequate quality or integrity of PII, and the lack of appropriate notice, transparency, or participation. Microsoft suggests that your organizations' privacy programs should select, implement, assess, and monitor privacy controls to help ensure compliance with applicable privacy requirements and to manage privacy risks raised from authorized and unauthorized processing of PII. It is advisable to continuously monitor the privacy posture across the organization and the effectiveness of controls implemented within or inherited by organizational systems on an ongoing basis. In addition, Microsoft recommends that your organization determine the requirements for information security and personal data protection. Specifically, how the organization's information systems are designed and engineered to protect personal data. If the organizations is using third-party information systems, such as a cloud service, the organization may be responsible for ensuring that sufficient protections have been considered and implemented. Further, the organization is responsible for determining which technical and security measures are appropriate for the organization and ensuring the implementation of the necessary safeguards for the protection of personal data and data subject rights. Microsoft recommends that your organization create and maintain Information Security policies and standard operating procedures (SOPs) that document the organization's information system security requirements, inclusive of details on how the information systems used by the organization meets those requirements. Provided the objectives of the information security and privacy programs align, Microsoft recommends the organization consider how to best promote and institutionalize collaboration.
Requirements: The customer is responsible for implementing this recommendation.

Mode

All

Type

BuiltIn

Preview

False

Deprecated

False

Effect

Default
Manual
Allowed
Manual, Disabled

RBAC role(s)

none

Rule aliases

none

Rule resource types

IF (1)
Microsoft.Resources/subscriptions

Compliance

The following 6 compliance controls are associated with this Policy definition 'Information security and personal data protection' (34738025-5925-51f9-1081-f2d0060133ed)

Control Domain	Control	Name	MetadataId	Category	Title	Owner	Requirements	Description	Policy#
hipaa	1787.10a2Organizational.1-10.a	hipaa-1787.10a2Organizational.1-10.a	1787.10a2Organizational.1-10.a	17 Risk Management	1787.10a2Organizational.1-10.a 10.01 Security Requirements of Information Systems	Shared	n/a	Information security and privacy are addressed in all phases of the project management methodology.	5
hipaa	19134.05j1Organizational.5-05.j	hipaa-19134.05j1Organizational.5-05.j	19134.05j1Organizational.5-05.j	19 Data Protection & Privacy	19134.05j1Organizational.5-05.j 05.02 External Parties	Shared	n/a	The public has access to information about the organization's security and privacy activities and is able to communicate with its senior security official and senior privacy official.	12
hipaa	19243.06d1Organizational.15-06.d	hipaa-19243.06d1Organizational.15-06.d	19243.06d1Organizational.15-06.d	19 Data Protection & Privacy	19243.06d1Organizational.15-06.d 06.01 Compliance with Legal Requirements	Shared	n/a	The organization specifies where covered information can be stored.	9
SOC_2	P6.5	SOC_2_P6.5	SOC 2 Type 2 P6.5	Additional Criteria For Privacy	Third party unauthorized disclosure notification	Shared	The customer is responsible for implementing this recommendation.	• Remediates Misuse of Personal Information by a Third Party — The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information. • Reports Actual or Suspected Unauthorized Disclosures — A process exists for obtaining commitments from vendors and other third parties to report to the entity actual or suspected unauthorized disclosures of personal information.	12
SOC_2	P6.6	SOC_2_P6.6	SOC 2 Type 2 P6.6	Additional Criteria For Privacy	Privacy incident notification	Shared	The customer is responsible for implementing this recommendation.	• Remediates Misuse of Personal Information by a Third Party — The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information. • Provides Notice of Breaches and Incidents — The entity has a process for providing notice of breaches and incidents to affected data subjects, regulators, and others to meet the entity’s objectives related to privacy.	2
SOC_2	P8.1	SOC_2_P8.1	SOC 2 Type 2 P8.1	Additional Criteria For Privacy	Privacy complaint management and compliance management	Shared	The customer is responsible for implementing this recommendation.	• Communicates to Data Subjects — Data subjects are informed about how to contact the entity with inquiries, complaints, and disputes. • Addresses Inquiries, Complaints, and Disputes — A process is in place to address inquiries, complaints, and disputes. • Documents and Communicates Dispute Resolution and Recourse — Each complaint is addressed and the resolution is documented and communicated to the individual. • Documents and Reports Compliance Review Results — Compliance with objectives related to privacy are reviewed and documented and the results of such reviews are reported to management. If problems are identified, remediation plans are developed and implemented. • Documents and Reports Instances of Noncompliance — Instances of noncompliance with objectives related to privacy are documented and reported and, if needed, corrective and disciplinary measures are taken on a timely basis. • Performs Ongoing Monitoring — Ongoing procedures are performed for monitoring the effectiveness of controls over personal information and for taking timely corrective actions when necessary.	5

Initiatives usage

Initiative DisplayName	Initiative Id	Initiative Category	State	Type
HITRUST/HIPAA	a169a624-5599-4385-a696-c8d643089fab	Regulatory Compliance	GA	BuiltIn
SOC 2 Type 2	4054785f-702b-4a98-9215-009cbd58b141	Regulatory Compliance	GA	BuiltIn

History

Date/Time (UTC ymd) (i)	Change type	Change detail
2022-09-27 16:35:32	change	Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29	add	34738025-5925-51f9-1081-f2d0060133ed

JSON compare

compare mode: version left: version right:

JSON

api-version=2021-06-01
EPAC