last sync: 2024-Jul-26 18:17:39 UTC

Maintain records of processing of personal data | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source: Azure Portal
Display name: Maintain records of processing of personal data
Id: 92ede480-154e-0e22-4dca-8b46a74a3a51
Version: 1.1.0
Category: Regulatory Compliance
Description: CMA_0353 - Maintain records of processing of personal data
Additional metadata:
  Name/Id: CMA_0353 / CMA_0353
  Category: Operational
  Title: Maintain records of processing of personal data
  Ownership: Customer
  Description: Microsoft recommends that your organization maintain all necessary and required records related to the processing of personal data. At a minimum, it is recommended that these records include your organization's identity and contact details, the purpose(s) of processing, the nature of the personal data processed, any recipients of the data, details of any international transfers of the personal data that might occur, the period of storage or use of the personal data, and a description of the security measures implemented by your organization to protect the personal data by preventing unauthorized access, improper processing, and other forms of misuse. The records may be in paper or electronic form. If your organization converts the information from paper to electronic form or vice versa for processing purposes, it is recommended to log and track the information from creation to destruction. Belgium's Act on the Protection of Natural Persons regarding the Processing of Personal Data requires controllers and processors to maintain a register of all the categories of processing operations carried out and the contact details of the controller and, where appropriate, of the joint controllers (at least one contact point for the data subjects), and of the data protection officer. The register shall be made available to the competent supervisory authority at its request. The act also requires controllers to add to the record of processing activities the justification for the stored archives, the reasons for refusing data subject requests, and the data protection impact assessment if the controller processes sensitive data. Where an agreement is concluded between the controller who collected the personal data directly from the data subject and the controller who further processes it, that agreement or the notification concerning the data collection shall be appended to the record of processing activities.
  The Canada Personal Health Information Act (PHIPA) states that prescribed organizations must keep an electronic record of every instance in which personal health information kept by the organization and accessible through an electronic health record is viewed, handled, or transmitted. This record should include who the information relates to, who performed the action, and when the action occurred. Under the Canada PHIPA, the prescribed organization is also recommended to keep a record of consent directives and of disclosures of personal health information. These electronic health records should be audited and monitored, and provided to the Commissioner or health information custodian upon request.
  Requirements: The customer is responsible for implementing this recommendation.
Mode: All
Type: BuiltIn
Preview: False
Deprecated: False
Effect: Default: Manual; Allowed: Manual, Disabled
RBAC role(s): none
Rule aliases: none
Rule resource types: IF (1) Microsoft.Resources/subscriptions
Compliance
The following 28 compliance controls are associated with this Policy definition 'Maintain records of processing of personal data' (92ede480-154e-0e22-4dca-8b46a74a3a51)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 CM-8 FedRAMP_High_R4_CM-8 FedRAMP High CM-8 Configuration Management Information System Component Inventory Shared n/a The organization: a. Develops and documents an inventory of information system components that: 1. Accurately reflects the current information system; 2. Includes all components within the authorization boundary of the information system; 3. Is at the level of granularity deemed necessary for tracking and reporting; and 4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and b. Reviews and updates the information system component inventory [Assignment: organization-defined frequency]. Supplemental Guidance: Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). Information deemed necessary for effective accountability of information system components includes, for example, hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location. Related controls: CM-2, CM-6, PM-5. References: NIST Special Publication 800-128. link 2
FedRAMP_High_R4 CM-8(1) FedRAMP_High_R4_CM-8(1) FedRAMP High CM-8 (1) Configuration Management Updates During Installations / Removals Shared n/a The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates. link 2
FedRAMP_Moderate_R4 CM-8 FedRAMP_Moderate_R4_CM-8 FedRAMP Moderate CM-8 Configuration Management Information System Component Inventory Shared n/a The organization: a. Develops and documents an inventory of information system components that: 1. Accurately reflects the current information system; 2. Includes all components within the authorization boundary of the information system; 3. Is at the level of granularity deemed necessary for tracking and reporting; and 4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and b. Reviews and updates the information system component inventory [Assignment: organization-defined frequency]. Supplemental Guidance: Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). Information deemed necessary for effective accountability of information system components includes, for example, hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location. Related controls: CM-2, CM-6, PM-5. References: NIST Special Publication 800-128. link 2
FedRAMP_Moderate_R4 CM-8(1) FedRAMP_Moderate_R4_CM-8(1) FedRAMP Moderate CM-8 (1) Configuration Management Updates During Installations / Removals Shared n/a The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates. link 2
hipaa 0703.07a2Organizational.1-07.a hipaa-0703.07a2Organizational.1-07.a 0703.07a2Organizational.1-07.a 07 Vulnerability Management 0703.07a2Organizational.1-07.a 07.01 Responsibility for Assets Shared n/a The inventory of all authorized assets includes the owner of the information asset, custodianship, categorizes the information asset according to criticality and information classification, and identifies protection and sustainment requirements commensurate with the asset's categorization. 3
hipaa 0704.07a3Organizational.12-07.a hipaa-0704.07a3Organizational.12-07.a 0704.07a3Organizational.12-07.a 07 Vulnerability Management 0704.07a3Organizational.12-07.a 07.01 Responsibility for Assets Shared n/a Organizational inventories of IT assets are updated during installations, removals, and system changes, with full physical inventories performed for capital assets (at least annually) and for non-capital assets. 3
hipaa 0720.07a1Organizational.4-07.a hipaa-0720.07a1Organizational.4-07.a 0720.07a1Organizational.4-07.a 07 Vulnerability Management 0720.07a1Organizational.4-07.a 07.01 Responsibility for Assets Shared n/a The organization's asset inventory does not duplicate other inventories unnecessarily and ensures their respective content is aligned. 2
hipaa 0725.07a3Organizational.5-07.a hipaa-0725.07a3Organizational.5-07.a 0725.07a3Organizational.5-07.a 07 Vulnerability Management 0725.07a3Organizational.5-07.a 07.01 Responsibility for Assets Shared n/a The organization provides an updated inventory, identifying assets with covered information (e.g., PII) to the CIO or information security official, and the senior privacy official on an organization-defined basis, but no less than annually. 3
hipaa 1504.06e1Organizational.34-06.e hipaa-1504.06e1Organizational.34-06.e 1504.06e1Organizational.34-06.e 15 Incident Management 1504.06e1Organizational.34-06.e 06.01 Compliance with Legal Requirements Shared n/a Management approves the use of information assets and takes appropriate action when unauthorized activity occurs. 16
hipaa 1621.09l2Organizational.1-09.l hipaa-1621.09l2Organizational.1-09.l 1621.09l2Organizational.1-09.l 16 Business Continuity & Disaster Recovery 1621.09l2Organizational.1-09.l 09.05 Information Back-Up Shared n/a Automated tools are used to track all backups. 3
hipaa 19245.06d2Organizational.2-06.d hipaa-19245.06d2Organizational.2-06.d 19245.06d2Organizational.2-06.d 19 Data Protection & Privacy 19245.06d2Organizational.2-06.d 06.01 Compliance with Legal Requirements Shared n/a The organization has implemented technical means to ensure covered information is stored in organization-specified locations. 7
ISO27001-2013 A.8.1.1 ISO27001-2013_A.8.1.1 ISO 27001:2013 A.8.1.1 Asset Management Inventory of assets Shared n/a Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained. link 2
ISO27001-2013 A.8.1.2 ISO27001-2013_A.8.1.2 ISO 27001:2013 A.8.1.2 Asset Management Ownership of assets Shared n/a Assets maintained in the inventory shall be owned. link 7
mp.com.4 Separation of information flows on the network mp.com.4 Separation of information flows on the network n/a n/a 51
mp.info.2 Rating of information mp.info.2 Rating of information n/a n/a 45
mp.si.3 Custody mp.si.3 Custody n/a n/a 27
NIST_SP_800-171_R2 3.4.1 NIST_SP_800-171_R2_3.4.1 NIST SP 800-171 R2 3.4.1 Configuration Management Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. Shared Microsoft and the customer share responsibilities for implementing this requirement. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and changes to systems. Baseline configurations include information about system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and update and patch information on operating systems and applications; and configuration settings and parameters), network topology, and the logical placement of those components within the system architecture. Baseline configurations of systems also reflect the current enterprise architecture. Maintaining effective baseline configurations requires creating new baselines as organizational systems change over time. Baseline configuration maintenance includes reviewing and updating the baseline configuration when changes are made based on security risks and deviations from the established baseline configuration. Organizations can implement centralized system component inventories that include components from multiple organizational systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., system association, system owner). Information deemed necessary for effective accountability of system components includes hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include manufacturer, device type, model, serial number, and physical location. [SP 800-128] provides guidance on security-focused configuration management. link 31
NIST_SP_800-53_R4 CM-8 NIST_SP_800-53_R4_CM-8 NIST SP 800-53 Rev. 4 CM-8 Configuration Management Information System Component Inventory Shared n/a The organization: a. Develops and documents an inventory of information system components that: 1. Accurately reflects the current information system; 2. Includes all components within the authorization boundary of the information system; 3. Is at the level of granularity deemed necessary for tracking and reporting; and 4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and b. Reviews and updates the information system component inventory [Assignment: organization-defined frequency]. Supplemental Guidance: Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). Information deemed necessary for effective accountability of information system components includes, for example, hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location. Related controls: CM-2, CM-6, PM-5. References: NIST Special Publication 800-128. link 2
NIST_SP_800-53_R4 CM-8(1) NIST_SP_800-53_R4_CM-8(1) NIST SP 800-53 Rev. 4 CM-8 (1) Configuration Management Updates During Installations / Removals Shared n/a The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates. link 2
NIST_SP_800-53_R5 CM-8 NIST_SP_800-53_R5_CM-8 NIST SP 800-53 Rev. 5 CM-8 Configuration Management System Component Inventory Shared n/a a. Develop and document an inventory of system components that: 1. Accurately reflects the system; 2. Includes all components within the system; 3. Does not include duplicate accounting of components or components assigned to any other system; 4. Is at the level of granularity deemed necessary for tracking and reporting; and 5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]; and b. Review and update the system component inventory [Assignment: organization-defined frequency]. link 2
NIST_SP_800-53_R5 CM-8(1) NIST_SP_800-53_R5_CM-8(1) NIST SP 800-53 Rev. 5 CM-8 (1) Configuration Management Updates During Installation and Removal Shared n/a Update the inventory of system components as part of component installations, removals, and system updates. link 2
op.exp.1 Asset inventory op.exp.1 Asset inventory n/a n/a 40
op.pl.2 Security Architecture op.pl.2 Security Architecture n/a n/a 65
PCI_DSS_v4.0 1.2.4 PCI_DSS_v4.0_1.2.4 PCI DSS v4.0 1.2.4 Requirement 01: Install and Maintain Network Security Controls Network security controls (NSCs) are configured and maintained Shared n/a An accurate data-flow diagram(s) is maintained that meets the following: • Shows all account data flows across systems and networks. • Updated as needed upon changes to the environment. link 1
PCI_DSS_v4.0 12.5.2 PCI_DSS_v4.0_12.5.2 PCI DSS v4.0 12.5.2 Requirement 12: Support Information Security with Organizational Policies and Programs PCI DSS scope is documented and validated Shared n/a PCI DSS scope is documented and confirmed by the entity at least once every 12 months and upon significant change to the in-scope environment. At a minimum, the scoping validation includes: • Identifying all data flows for the various payment stages (for example, authorization, capture settlement, chargebacks, and refunds) and acceptance channels (for example, card-present, card-not-present, and e-commerce). • Updating all data-flow diagrams per Requirement 1.2.4. • Identifying all locations where account data is stored, processed, and transmitted, including but not limited to: 1) any locations outside of the currently defined CDE, 2) applications that process CHD, 3) transmissions between systems and networks, and 4) file backups. • Identifying all system components in the CDE, connected to the CDE, or that could impact security of the CDE. • Identifying all segmentation controls in use and the environment(s) from which the CDE is segmented, including justification for environments being out of scope. • Identifying all connections from third-party entities with access to the CDE. • Confirming that all identified data flows, account data, system components, segmentation controls, and connections from third parties with access to the CDE are included in scope. link 1
PCI_DSS_v4.0 12.5.2.1 PCI_DSS_v4.0_12.5.2.1 PCI DSS v4.0 12.5.2.1 Requirement 12: Support Information Security with Organizational Policies and Programs PCI DSS scope is documented and validated Shared n/a PCI DSS scope is documented and confirmed by the entity at least once every six months and upon significant change to the in-scope environment. At a minimum, the scoping validation includes all the elements specified in Requirement 12.5.2. link 2
PCI_DSS_v4.0 9.4.5.1 PCI_DSS_v4.0_9.4.5.1 PCI DSS v4.0 9.4.5.1 Requirement 09: Restrict Physical Access to Cardholder Data Media with cardholder data is securely stored, accessed, distributed, and destroyed Shared n/a Inventories of electronic media with cardholder data are conducted at least once every 12 months. link 2
SOC_2 CC6.1 SOC_2_CC6.1 SOC 2 Type 2 CC6.1 Logical and Physical Access Controls Logical access security software, infrastructure, and architectures Shared The customer is responsible for implementing this recommendation. The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion: • Identifies and Manages the Inventory of Information Assets — The entity identifies, inventories, classifies, and manages information assets. • Restricts Logical Access — Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets. • Identifies and Authenticates Users — Persons, infrastructure, and software are identified and authenticated prior to accessing information assets, whether locally or remotely. • Considers Network Segmentation — Network segmentation permits unrelated portions of the entity's information system to be isolated from each other. • Manages Points of Access — Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed. • Restricts Access to Information Assets — Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets. • Manages Identification and Authentication — Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure, and software. • Manages Credentials for Infrastructure and Software — New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use. • Uses Encryption to Protect Data — The entity uses encryption to supplement other measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk. • Protects Encryption Keys — Processes are in place to protect encryption keys during generation, storage, use, and destruction. 79
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add 92ede480-154e-0e22-4dca-8b46a74a3a51