last sync: 2024-Oct-03 17:51:34 UTC

Define the duties of processors | Regulatory Compliance - Documentation

Azure BuiltIn Policy definition

Source Azure Portal
Display name Define the duties of processors
Id 52375c01-4d4c-7acc-3aa4-5b3d53a047ec
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_0127 - Define the duties of processors
Additional metadata Name/Id: CMA_0127 / CMA_0127
Category: Documentation
Title: Define the duties of processors
Ownership: Customer
Description: Microsoft recommends that your organization define and document the following duties of processors in written and electronic agreements: - To process the collection, use and disclosure of the personal data only on instructions from the controller, unless such instruction is inconsistent with law or provisions relating to personal data protection - To provide appropriate security measures to prevent loss, access, use, modification, correction, or disclosure of personal data in an unauthorized or unlawful manner - To report data breaches - To make and store a record of processing activities - To assist data controller for any required action, such as responding to a data subject request - To delete information provided by the controller once the agreement with the controller ends - To handle and address complaints from authorized individuals or legal authorities, at the controller's direction, and notify the controller through writing or orally - To keep proof of the authorization for the processing - To demonstrate the privacy management programs, if requested - To not engage other processors without written authorization from the controller - Impose the same data protection obligations as set out in contracts or legal acts if engaging another processor for carrying out specific processing activities approved by the controller - To remove information from information systems if knowledge is accidentally gained on facts or circumstances from an electronic record that could lead to civil or criminal liabilities - To adhere to an approved code of conduct or certification mechanism to demonstrate compliance with organizational requirements - To comply with relevant laws of the country in cases where the data processor is not domiciled in the country where the data is processed - To update the information provided to the controller, according to a defined time period. If a processor infringes on the collection, use, or disclosure of personal data, the processor may be considered to be a controller in respect of the collection, use, or disclosure of such personal data. The controller is also recommended to require the processor to remediate any infringements and to discontinue business with the processor after an infringement, if necessary. Processors can initiate legal proceedings against controllers if data required to enforce data subject rights is not received from the controller.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 9 compliance controls are associated with this Policy definition 'Define the duties of processors' (52375c01-4d4c-7acc-3aa4-5b3d53a047ec)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
hipaa 1713.03c1Organizational.3-03.c hipaa-1713.03c1Organizational.3-03.c 1713.03c1Organizational.3-03.c 17 Risk Management 1713.03c1Organizational.3-03.c 03.01 Risk Management Program Shared n/a The organization mitigates any harmful effect that is known to the organization of a use or disclosure of sensitive information (e.g., PII) by the organization or its business partners, vendors, contractors, or similar third-parties in violation of its policies and procedures. 9
hipaa 1902.06d1Organizational.2-06.d hipaa-1902.06d1Organizational.2-06.d 1902.06d1Organizational.2-06.d 19 Data Protection & Privacy 1902.06d1Organizational.2-06.d 06.01 Compliance with Legal Requirements Shared n/a When required, consent is obtained before any PII (e.g., about a client/customer) is emailed, faxed, or communicated by telephone conversation, or otherwise disclosed to parties external to the organization. 11
ISO27001-2013 A.12.4.2 ISO27001-2013_A.12.4.2 ISO 27001:2013 A.12.4.2 Operations Security Protection of log information Shared n/a Logging facilities and log information shall be protected against tampering and unauthorized access. link 8
PCI_DSS_v4.0 12.8.2 PCI_DSS_v4.0_12.8.2 PCI DSS v4.0 12.8.2 Requirement 12: Support Information Security with Organizational Policies and Programs Risk to information assets associated with third-party service provider (TPSP) relationships is managed Shared n/a Written agreements with TPSPs are maintained as follows: • Written agreements are maintained with all TPSPs with which account data is shared or that could affect the security of the CDE. • Written agreements include acknowledgments from TPSPs that they are responsible for the security of account data the TPSPs possess or otherwise store, process, or transmit on behalf of the entity, or to the extent that they could impact the security of the entity’s CDE. link 15
PCI_DSS_v4.0 12.9.1 PCI_DSS_v4.0_12.9.1 PCI DSS v4.0 12.9.1 Requirement 12: Support Information Security with Organizational Policies and Programs Third-party service providers (TPSPs) support their customers’ PCI DSS compliance Shared n/a TPSPs acknowledge in writing to customers that they are responsible for the security of account data the TPSP possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s CDE. link 3
SOC_2 CC2.3 SOC_2_CC2.3 SOC 2 Type 2 CC2.3 Communication and Information COSO Principle 15 Shared The customer is responsible for implementing this recommendation. Communicates to External Parties — Processes are in place to communicate relevant and timely information to external parties, including shareholders, partners, owners, regulators, customers, financial analysts, and other external parties. • Enables Inbound Communications — Open communication channels allow input from customers, consumers, suppliers, external auditors, regulators, financial analysts, and others, providing management and the board of directors with relevant information. • Communicates With the Board of Directors — Relevant information resulting from assessments conducted by external parties is communicated to the board of directors. • Provides Separate Communication Lines — Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective. • Selects Relevant Method of Communication — The method of communication considers the timing, audience, and nature of the communication and legal, regulatory, and fiduciary requirements and expectations. Additional point of focus that applies only to an engagement using the trust services criteria for confidentiality: • Communicates Objectives Related to Confidentiality and Changes to Objectives — The entity communicates, to external users, vendors, business partners, and others whose products and services are part of the system, objectives and changes to objectives related to confidentiality.Page 20 TSP Ref. # TRUST SERVICES CRITERIA AND POINTS OF FOCUS Additional point of focus that applies only to an engagement using the trust services criteria for privacy: • Communicates Objectives Related to Privacy and Changes to Objectives — The entity communicates, to external users, vendors, business partners, and others whose products and services are part of the system, objectives related to privacy and changes to those objectives. Additional points of focus that apply only when an engagement using the trust services criteria is performed at the system level: • Communicates Information About System Operation and Boundaries — The entity prepares and communicates information about the design and operation of the system and its boundaries to authorized external users to permit users to understand their role in the system and the results of system operation. • Communicates System Objectives — The entity communicates its system objectives to appropriate external users. • Communicates System Responsibilities — External users with responsibility for designing, developing, implementing, operating, maintaining, and monitoring system controls receive communications about their responsibilities and have the information necessary to carry out those responsibilities. • Communicates Information on Reporting System Failures, Incidents, Concerns, and Other Matters — External users are provided with information on how to report systems failures, incidents, concerns, and other complaints to appropriate personnel. 14
SOC_2 CC9.2 SOC_2_CC9.2 SOC 2 Type 2 CC9.2 Risk Mitigation Vendors and business partners risk management Shared The customer is responsible for implementing this recommendation. Establishes Requirements for Vendor and Business Partner Engagements — The entity establishes specific requirements for a vendor and business partner engagement that includes (1) scope of services and product specifications, (2) roles and responsibilities, (3) compliance requirements, and (4) service levels. • Assesses Vendor and Business Partner Risks — The entity assesses, on a periodic basis, the risks that vendors and business partners (and those entities’ vendors and business partners) represent to the achievement of the entity's objectives. • Assigns Responsibility and Accountability for Managing Vendors and Business Partners — The entity assigns responsibility and accountability for the management of risks associated with vendors and business partners. • Establishes Communication Protocols for Vendors and Business Partners — The entity establishes communication and resolution protocols for service or product issues related to vendors and business partners. • Establishes Exception Handling Procedures From Vendors and Business Partners — The entity establishes exception handling procedures for service or product issues related to vendors and business partners. • Assesses Vendor and Business Partner Performance — The entity periodically assesses the performance of vendors and business partners. • Implements Procedures for Addressing Issues Identified During Vendor and Business Partner Assessments — The entity implements procedures for addressing issues identified with vendor and business partner relationships. • Implements Procedures for Terminating Vendor and Business Partner Relationships — The entity implements procedures for terminating vendor and business partner relationships. Additional points of focus that apply only to an engagement using the trust services criteria for confidentiality: • Obtains Confidentiality Commitments from Vendors and Business Partners — The entity obtains confidentiality commitments that are consistent with the entity’s confidentiality commitments and requirements from vendors and business partners who have access to confidential information. • Assesses Compliance With Confidentiality Commitments of Vendors and Business Partners — On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity’s confidentiality commitments and requirements. Additional points of focus that apply only to an engagement using the trust services criteria for privacy: • Obtains Privacy Commitments from Vendors and Business Partners — The entity obtains privacy commitments, consistent with the entity’s privacy commitments and requirements, from vendors and business partners who have access to personal information. • Assesses Compliance with Privacy Commitments of Vendors and Business Partners — On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity’s privacy commitments and requirements and takes corrective action as necessary 20
SOC_2 P6.1 SOC_2_P6.1 SOC 2 Type 2 P6.1 Additional Criteria For Privacy Personal information third party disclosure Shared The customer is responsible for implementing this recommendation. • Communicates Privacy Policies to Third Parties — Privacy policies or other specific instructions or requirements for handling personal information are communicated to third parties to whom personal information is disclosed. • Discloses Personal Information Only When Appropriate — Personal information is disclosed to third parties only for the purposes for which it was collected or created and only when implicit or explicit consent has been obtained from the data subject, unless a law or regulation specifically requires otherwise. • Discloses Personal Information Only to Appropriate Third Parties — Personal information is disclosed only to third parties who have agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the entity’s privacy notice or other specific instructions or requirements. The entity has procedures in place to evaluate that the third parties have effective controls to meet the terms of the agreement, instructions, or requirements. • Discloses Information to Third Parties for New Purposes and Uses — Personal information is disclosed to third parties for new purposes or uses only with the prior implicit or explicit consent of data subjects. 15
SOC_2 P6.4 SOC_2_P6.4 SOC 2 Type 2 P6.4 Additional Criteria For Privacy Third party agreements Shared The customer is responsible for implementing this recommendation. • Discloses Personal Information Only to Appropriate Third Parties — Personal information is disclosed only to third parties who have agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the entity’s privacy notice or other specific instructions or requirements. The entity has procedures in place to evaluate that the third parties have effective controls to meet the terms of the agreement, instructions, or requirements. • Remediates Misuse of Personal Information by a Third Party — The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information. 1
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add 52375c01-4d4c-7acc-3aa4-5b3d53a047ec
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC