last sync: 2024-Jun-24 18:15:26 UTC

Perform disposition review | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Perform disposition review
Id b5a4be05-3997-1731-3260-98be653610f6
Version 1.1.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description CMA_0391 - Perform disposition review
Additional metadata Name/Id: CMA_0391 / CMA_0391
Category: Operational
Title: Perform disposition review
Ownership: Customer
Description: Microsoft recommends that your organization review content at the end of its retention period to decide whether it can be safely deleted ("disposed"). For example, your organization might need to: - Suspend the deletion ("disposition") of relevant content in the event of litigation or an audit - Remove content from the disposition list to store in an archive, if that content has research or historical value - Assign a different retention period to the content, if the original policy was a temporary or provisional solution - Return the content to clients or transfer it to another organization. It is also recommended that your organization and suppliers maintain and provide the evidence that demonstrate that all forms of data/records/information (both electronic and physical) have been removed or deleted, destroyed or rendered unusable according to policy. Guidelines and Functional Requirements for Electronic Records Management Systems requires the electronic records management system of an organization to provide functionality to allow the administrator to delete aggregations/volumes/records and alert the administrator if an electronic aggregation that is due for destruction is referred to in a link from another aggregation and pause the destruction process to allow the appropriate remedial action to be taken. While executing disposition, the electronic system must produce an exception report for the administrator, ensure deletion of the entire contents of an aggregation or volume when commanded, prompt the administrator to enter a reason for the action and alert the administrators to any conflicts. The Guidelines also require the electronic records management system to support the review process and allow the reviewer to take an action and mark the aggregation for destruction, transfer, indefinite hold (pending litigation) and change the disposal authority (or assign a different schedule) so that the aggregation is retained and re-reviewed at a later date along with producing a disposal authority report and specifying the frequency of the report, the information reported and highlight exceptions such as overdue disposal. **Learn More** https://azure.microsoft.com/pricing/license-mobility/
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 24 compliance controls are associated with this Policy definition 'Perform disposition review' (b5a4be05-3997-1731-3260-98be653610f6)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
hipaa 0670.10hCSPSystem.2-10.h hipaa-0670.10hCSPSystem.2-10.h 0670.10hCSPSystem.2-10.h 06 Configuration Management 0670.10hCSPSystem.2-10.h 10.04 Security of System Files Shared n/a Structured and unstructured data is available to the organization (customer) and provided to them upon request in an industry-standard format (e.g., .docx, .xlsx, pdf, logs, and flat files). 3
hipaa 1211.09aa3System.4-09.aa hipaa-1211.09aa3System.4-09.aa 1211.09aa3System.4-09.aa 12 Audit Logging & Monitoring 1211.09aa3System.4-09.aa 09.10 Monitoring Shared n/a The organization verifies every 90 days for each extract of covered information recorded that the data is erased or its use is still required. 9
hipaa 1713.03c1Organizational.3-03.c hipaa-1713.03c1Organizational.3-03.c 1713.03c1Organizational.3-03.c 17 Risk Management 1713.03c1Organizational.3-03.c 03.01 Risk Management Program Shared n/a The organization mitigates any harmful effect that is known to the organization of a use or disclosure of sensitive information (e.g., PII) by the organization or its business partners, vendors, contractors, or similar third-parties in violation of its policies and procedures. 9
hipaa 1826.09p1Organizational.1-09.p hipaa-1826.09p1Organizational.1-09.p 1826.09p1Organizational.1-09.p 18 Physical & Environmental Security 1826.09p1Organizational.1-09.p 09.07 Media Handling Shared n/a The organization securely disposes of media containing sensitive information. 3
hipaa 1904.06.d2Organizational.1-06.d hipaa-1904.06.d2Organizational.1-06.d 1904.06.d2Organizational.1-06.d 19 Data Protection & Privacy 1904.06.d2Organizational.1-06.d 06.01 Compliance with Legal Requirements Shared n/a Covered information is retained only for as long as required. 3
hipaa 19142.06c1Organizational.8-06.c hipaa-19142.06c1Organizational.8-06.c 19142.06c1Organizational.8-06.c 19 Data Protection & Privacy 19142.06c1Organizational.8-06.c 06.01 Compliance with Legal Requirements Shared n/a Guidelines are issued by the organization on the ownership, classification, retention, storage, handling and disposal of all records and information. 9
hipaa 19144.06c2Organizational.1-06.c hipaa-19144.06c2Organizational.1-06.c 19144.06c2Organizational.1-06.c 19 Data Protection & Privacy 19144.06c2Organizational.1-06.c 06.01 Compliance with Legal Requirements Shared n/a The organization has established a formal records document retention program. 7
hipaa 19145.06c2Organizational.2-06.c hipaa-19145.06c2Organizational.2-06.c 19145.06c2Organizational.2-06.c 19 Data Protection & Privacy 19145.06c2Organizational.2-06.c 06.01 Compliance with Legal Requirements Shared n/a Specific controls for record storage, access, retention, and destruction have been implemented. 8
ISO27001-2013 A.11.2.7 ISO27001-2013_A.11.2.7 ISO 27001:2013 A.11.2.7 Physical And Environmental Security Secure disposal or re-use of equipment Shared n/a All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use. link 5
ISO27001-2013 A.12.3.1 ISO27001-2013_A.12.3.1 ISO 27001:2013 A.12.3.1 Operations Security Information backup Shared n/a Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy. link 13
ISO27001-2013 A.12.4.2 ISO27001-2013_A.12.4.2 ISO 27001:2013 A.12.4.2 Operations Security Protection of log information Shared n/a Logging facilities and log information shall be protected against tampering and unauthorized access. link 8
ISO27001-2013 A.14.3.1 ISO27001-2013_A.14.3.1 ISO 27001:2013 A.14.3.1 System Acquisition, Development And Maintenance Protection of test data Shared n/a Test data shall be selected carefully, protected and controlled. link 11
mp.info.6 Backups mp.info.6 Backups 404 not found n/a n/a 65
mp.si.2 Cryptography mp.si.2 Cryptography 404 not found n/a n/a 32
mp.si.5 Erasure and destruction mp.si.5 Erasure and destruction 404 not found n/a n/a 9
mp.sw.1 IT Aplications development mp.sw.1 IT Aplications development 404 not found n/a n/a 51
mp.sw.2 Acceptance and commissioning mp.sw.2 Acceptance and commissioning 404 not found n/a n/a 60
PCI_DSS_v4.0 3.2.1 PCI_DSS_v4.0_3.2.1 PCI DSS v4.0 3.2.1 Requirement 03: Protect Stored Account Data Storage of account data is kept to a minimum Shared n/a Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes that include at least the following: • Coverage for all locations of stored account data. • Coverage for any sensitive authentication data (SAD) stored prior to completion of authorization. This bullet is a best practice until its effective date; refer to Applicability Notes below for details. • Limiting data storage amount and retention time to that which is required for legal or regulatory, and/or business requirements. • Specific retention requirements for stored account data that defines length of retention period and includes a documented business justification. • Processes for secure deletion or rendering account data unrecoverable when no longer needed per the retention policy. • A process for verifying, at least once every three months, that stored account data exceeding the defined retention period has been securely deleted or rendered unrecoverable. link 8
PCI_DSS_v4.0 3.3.1 PCI_DSS_v4.0_3.3.1 PCI DSS v4.0 3.3.1 Requirement 03: Protect Stored Account Data Sensitive authentication data (SAD) is not stored after authorization Shared n/a SAD is not retained after authorization, even if encrypted. All sensitive authentication data received is rendered unrecoverable upon completion of the authorization process. link 8
PCI_DSS_v4.0 3.3.1.1 PCI_DSS_v4.0_3.3.1.1 PCI DSS v4.0 3.3.1.1 Requirement 03: Protect Stored Account Data Sensitive authentication data (SAD) is not stored after authorization Shared n/a The full contents of any track are not retained upon completion of the authorization process. link 8
PCI_DSS_v4.0 3.3.1.3 PCI_DSS_v4.0_3.3.1.3 PCI DSS v4.0 3.3.1.3 Requirement 03: Protect Stored Account Data Sensitive authentication data (SAD) is not stored after authorization Shared n/a The personal identification number (PIN) and the PIN block are not retained upon completion of the authorization process. link 8
PCI_DSS_v4.0 9.4.6 PCI_DSS_v4.0_9.4.6 PCI DSS v4.0 9.4.6 Requirement 09: Restrict Physical Access to Cardholder Data Media with cardholder data is securely stored, accessed, distributed, and destroyed Shared n/a Hard-copy materials with cardholder data are destroyed when no longer needed for business or legal reasons, as follows: • Materials are cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed. • Materials are stored in secure storage containers prior to destruction. link 4
PCI_DSS_v4.0 9.4.7 PCI_DSS_v4.0_9.4.7 PCI DSS v4.0 9.4.7 Requirement 09: Restrict Physical Access to Cardholder Data Media with cardholder data is securely stored, accessed, distributed, and destroyed Shared n/a Electronic media with cardholder data is destroyed when no longer needed for business or legal reasons via one of the following: • The electronic media is destroyed. • The cardholder data is rendered unrecoverable so that it cannot be reconstructed. link 4
SOC_2 P4.3 SOC_2_P4.3 SOC 2 Type 2 P4.3 Additional Criteria For Privacy Personal information disposal Shared The customer is responsible for implementing this recommendation. • Captures, Identifies, and Flags Requests for Deletion — Requests for deletion of personal information are captured and information related to the requests is identified and flagged for destruction to meet the entity’s objectives related to privacy. • Disposes of, Destroys, and Redacts Personal Information — Personal information no longer retained is anonymized, disposed of, or destroyed in a manner that prevents loss, theft, misuse, or unauthorized access. • Destroys Personal Information — Policies and procedures are implemented to erase or otherwise destroy personal information that has been identified for destruction. 2
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add b5a4be05-3997-1731-3260-98be653610f6
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC