AzPolicyAdvertizer

last sync: 2025-Apr-29 17:16:02 UTC

Record disclosures of PII to third parties | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Record disclosures of PII to third parties
Id 8b1da407-5e60-5037-612e-2caa1b590719
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_0422 - Record disclosures of PII to third parties
Cloud environments AzureCloud = true
AzureUSGovernment = true
AzureChinaCloud = unknown
Available in AzUSGov The Policy is available in AzureUSGovernment cloud. Version: '1.*.*'
Additional metadata Name/Id: CMA_0422 / CMA_0422
Category: Operational
Title: Record disclosures of PII to third parties
Ownership: Customer
Description: Microsoft recommends that your organization record any disclosures of Personally Identifiable Information (PII) to third parties including what PII has been disclosed, to whom, and when. It is recommended that external disclosures of PII have a legal basis and/or are authorized by the individual. Your organization should consider creating and maintaining information security policies and standard operating procedures which include processes for recording all disclosures. The Canada Personal Health Information Protection Act (PHIPA) permits the disclosure of personal health information under certain situations, such as to protect consumers from harm or for analyzing statistical information in relation to the planning and management of the health system. The National Association of Insurance Commissioners recommends your organization not disclose any personal or financial information to a nonaffiliated third party other than for the required purposes. A nonaffiliated third-party can perform services for your organization if it's solely related to your organization's product or service marketing. Microsoft recommends that your organization notify the patient and/or patient's representative if a patient's personal information is disclosed. The Center for Healthcare Planning and Quality should also be notified. The United States of America Privacy Act of 1974 requires organizations to retain disclosure records for at least five years or the record's life, whichever is longer, after initial disclosure. The U.S. Family Educational Rights and Privacy Act (FERPA) requires the following: - Obtaining signed and written consent from a parent or eligible student prior to disclosing information from the student's exception records, unless disclosing for authorized purposes - Maintaining a record of requests for access and of the authorities that may make further disclosures without consent - Notifying the eligible student or parent of disclosures of an education record pertaining to the student.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Compliance
The following 8 compliance controls are associated with this Policy definition 'Record disclosures of PII to third parties' (8b1da407-5e60-5037-612e-2caa1b590719)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
hipaa 0209.09m3Organizational.7-09.m hipaa-0209.09m3Organizational.7-09.m 0209.09m3Organizational.7-09.m 02 Endpoint Protection 0209.09m3Organizational.7-09.m 09.06 Network Security Management Shared n/a File sharing is disabled on wireless-enabled devices. 6
hipaa 1713.03c1Organizational.3-03.c hipaa-1713.03c1Organizational.3-03.c 1713.03c1Organizational.3-03.c 17 Risk Management 1713.03c1Organizational.3-03.c 03.01 Risk Management Program Shared n/a The organization mitigates any harmful effect that is known to the organization of a use or disclosure of sensitive information (e.g., PII) by the organization or its business partners, vendors, contractors, or similar third-parties in violation of its policies and procedures. 9
hipaa 1902.06d1Organizational.2-06.d hipaa-1902.06d1Organizational.2-06.d 1902.06d1Organizational.2-06.d 19 Data Protection & Privacy 1902.06d1Organizational.2-06.d 06.01 Compliance with Legal Requirements Shared n/a When required, consent is obtained before any PII (e.g., about a client/customer) is emailed, faxed, or communicated by telephone conversation, or otherwise disclosed to parties external to the organization. 11
ISO27001-2013 A.12.4.2 ISO27001-2013_A.12.4.2 ISO 27001:2013 A.12.4.2 Operations Security Protection of log information Shared n/a Logging facilities and log information shall be protected against tampering and unauthorized access. link 8
PCI_DSS_v4.0 12.8.2 PCI_DSS_v4.0_12.8.2 PCI DSS v4.0 12.8.2 Requirement 12: Support Information Security with Organizational Policies and Programs Risk to information assets associated with third-party service provider (TPSP) relationships is managed Shared n/a Written agreements with TPSPs are maintained as follows: • Written agreements are maintained with all TPSPs with which account data is shared or that could affect the security of the CDE. • Written agreements include acknowledgments from TPSPs that they are responsible for the security of account data the TPSPs possess or otherwise store, process, or transmit on behalf of the entity, or to the extent that they could impact the security of the entity’s CDE. link 15
PCI_DSS_v4.0 12.9.1 PCI_DSS_v4.0_12.9.1 PCI DSS v4.0 12.9.1 Requirement 12: Support Information Security with Organizational Policies and Programs Third-party service providers (TPSPs) support their customers’ PCI DSS compliance Shared n/a TPSPs acknowledge in writing to customers that they are responsible for the security of account data the TPSP possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s CDE. link 3
SOC_2 CC9.2 SOC_2_CC9.2 SOC 2 Type 2 CC9.2 Risk Mitigation Vendors and business partners risk management Shared The customer is responsible for implementing this recommendation. Establishes Requirements for Vendor and Business Partner Engagements — The entity establishes specific requirements for a vendor and business partner engagement that includes (1) scope of services and product specifications, (2) roles and responsibilities, (3) compliance requirements, and (4) service levels. • Assesses Vendor and Business Partner Risks — The entity assesses, on a periodic basis, the risks that vendors and business partners (and those entities’ vendors and business partners) represent to the achievement of the entity's objectives. • Assigns Responsibility and Accountability for Managing Vendors and Business Partners — The entity assigns responsibility and accountability for the management of risks associated with vendors and business partners. • Establishes Communication Protocols for Vendors and Business Partners — The entity establishes communication and resolution protocols for service or product issues related to vendors and business partners. • Establishes Exception Handling Procedures From Vendors and Business Partners — The entity establishes exception handling procedures for service or product issues related to vendors and business partners. • Assesses Vendor and Business Partner Performance — The entity periodically assesses the performance of vendors and business partners. • Implements Procedures for Addressing Issues Identified During Vendor and Business Partner Assessments — The entity implements procedures for addressing issues identified with vendor and business partner relationships. • Implements Procedures for Terminating Vendor and Business Partner Relationships — The entity implements procedures for terminating vendor and business partner relationships. Additional points of focus that apply only to an engagement using the trust services criteria for confidentiality: • Obtains Confidentiality Commitments from Vendors and Business Partners — The entity obtains confidentiality commitments that are consistent with the entity’s confidentiality commitments and requirements from vendors and business partners who have access to confidential information. • Assesses Compliance With Confidentiality Commitments of Vendors and Business Partners — On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity’s confidentiality commitments and requirements. Additional points of focus that apply only to an engagement using the trust services criteria for privacy: • Obtains Privacy Commitments from Vendors and Business Partners — The entity obtains privacy commitments, consistent with the entity’s privacy commitments and requirements, from vendors and business partners who have access to personal information. • Assesses Compliance with Privacy Commitments of Vendors and Business Partners — On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity’s privacy commitments and requirements and takes corrective action as necessary 20
SOC_2 P6.1 SOC_2_P6.1 SOC 2 Type 2 P6.1 Additional Criteria For Privacy Personal information third party disclosure Shared The customer is responsible for implementing this recommendation. • Communicates Privacy Policies to Third Parties — Privacy policies or other specific instructions or requirements for handling personal information are communicated to third parties to whom personal information is disclosed. • Discloses Personal Information Only When Appropriate — Personal information is disclosed to third parties only for the purposes for which it was collected or created and only when implicit or explicit consent has been obtained from the data subject, unless a law or regulation specifically requires otherwise. • Discloses Personal Information Only to Appropriate Third Parties — Personal information is disclosed only to third parties who have agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the entity’s privacy notice or other specific instructions or requirements. The entity has procedures in place to evaluate that the third parties have effective controls to meet the terms of the agreement, instructions, or requirements. • Discloses Information to Third Parties for New Purposes and Uses — Personal information is disclosed to third parties for new purposes or uses only with the prior implicit or explicit consent of data subjects. 15
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn unknown
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn true
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn true
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn true
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add 8b1da407-5e60-5037-612e-2caa1b590719
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC