last sync: 2023-Jun-07 17:44:43 UTC

Azure Policy definition

Information security and personal data protection

Name: Information security and personal data protection
Id: 34738025-5925-51f9-1081-f2d0060133ed
Version: 1.1.0
Category: Regulatory Compliance
Description: CMA_0332 - Information security and personal data protection
Mode: All
Type: BuiltIn
Preview: FALSE
Deprecated: FALSE
Effect: Default: Manual; Allowed: Manual, Disabled
RBAC Role(s): none
Rule Aliases: none listed
Rule ResourceTypes: IF (1) Microsoft.Resources/subscriptions
Compliance
The following 6 compliance controls are associated with this Policy definition 'Information security and personal data protection' (34738025-5925-51f9-1081-f2d0060133ed).

Control Domain | Control Name | MetadataId | Category | Title | Owner | Requirements | Description | Policy#
hipaa | 1787.10a2Organizational.1-10.a | hipaa-1787.10a2Organizational.1-10.a | 1787.10a2Organizational.1-10.a | 17 Risk Management | 1787.10a2Organizational.1-10.a 10.01 Security Requirements of Information Systems | Shared | n/a | Information security and privacy are addressed in all phases of the project management methodology. | 5
hipaa | 19134.05j1Organizational.5-05.j | hipaa-19134.05j1Organizational.5-05.j | 19134.05j1Organizational.5-05.j | 19 Data Protection & Privacy | 19134.05j1Organizational.5-05.j 05.02 External Parties | Shared | n/a | The public has access to information about the organization's security and privacy activities and is able to communicate with its senior security official and senior privacy official. | 12
hipaa | 19243.06d1Organizational.15-06.d | hipaa-19243.06d1Organizational.15-06.d | 19243.06d1Organizational.15-06.d | 19 Data Protection & Privacy | 19243.06d1Organizational.15-06.d 06.01 Compliance with Legal Requirements | Shared | n/a | The organization specifies where covered information can be stored. | 9
SOC_2 | P6.5 | SOC_2_P6.5 | SOC 2 Type 2 | P6.5 Additional Criteria For Privacy | Third party unauthorized disclosure notification | Shared | The customer is responsible for implementing this recommendation. | • Remediates Misuse of Personal Information by a Third Party — The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information. • Reports Actual or Suspected Unauthorized Disclosures — A process exists for obtaining commitments from vendors and other third parties to report to the entity actual or suspected unauthorized disclosures of personal information. | 12
SOC_2 | P6.6 | SOC_2_P6.6 | SOC 2 Type 2 | P6.6 Additional Criteria For Privacy | Privacy incident notification | Shared | The customer is responsible for implementing this recommendation. | • Remediates Misuse of Personal Information by a Third Party — The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information. • Provides Notice of Breaches and Incidents — The entity has a process for providing notice of breaches and incidents to affected data subjects, regulators, and others to meet the entity's objectives related to privacy. | 2
SOC_2 | P8.1 | SOC_2_P8.1 | SOC 2 Type 2 | P8.1 Additional Criteria For Privacy | Privacy complaint management and compliance management | Shared | The customer is responsible for implementing this recommendation. | • Communicates to Data Subjects — Data subjects are informed about how to contact the entity with inquiries, complaints, and disputes. • Addresses Inquiries, Complaints, and Disputes — A process is in place to address inquiries, complaints, and disputes. • Documents and Communicates Dispute Resolution and Recourse — Each complaint is addressed and the resolution is documented and communicated to the individual. • Documents and Reports Compliance Review Results — Compliance with objectives related to privacy is reviewed and documented, and the results of such reviews are reported to management. If problems are identified, remediation plans are developed and implemented. • Documents and Reports Instances of Noncompliance — Instances of noncompliance with objectives related to privacy are documented and reported and, if needed, corrective and disciplinary measures are taken on a timely basis. • Performs Ongoing Monitoring — Ongoing procedures are performed for monitoring the effectiveness of controls over personal information and for taking timely corrective actions when necessary. | 5
History
Date/Time (UTC ymd) | Change type | Change detail
2022-09-27 16:35:32 | change | Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 | add | 34738025-5925-51f9-1081-f2d0060133ed
Initiatives
Initiative DisplayName | Initiative Id | Initiative Category | State | Type
HITRUST/HIPAA | a169a624-5599-4385-a696-c8d643089fab | Regulatory Compliance | GA | BuiltIn
SOC 2 Type 2 | 4054785f-702b-4a98-9215-009cbd58b141 | Regulatory Compliance | GA | BuiltIn