last sync: 2023-Dec-05 19:46:27 UTC

Azure Policy definition

Evaluate and review PII holdings regularly | Regulatory Compliance - Operational

Source: Azure Portal
Display name: Evaluate and review PII holdings regularly
Id: b6b32f80-a133-7600-301e-398d688e7e0c
Version: 1.1.0
Category: Regulatory Compliance
Description: CMA_C1832 - Evaluate and review PII holdings regularly
Additional metadata:
  Name/Id: CMA_C1832 / CMA_C1832
  Category: Operational
  Title: Evaluate and review PII holdings regularly
  Ownership: Customer
  Description: The customer is responsible for conducting an initial evaluation of PII holdings and for establishing and following a schedule for regularly reviewing those holdings [Assignment: organization-defined frequency, at least annually] to ensure that only PII identified in the notice is collected and retained, and that the PII continues to be necessary to accomplish the legally authorized purpose.
  Requirements: The customer is responsible for implementing this recommendation.
Mode: All
Type: BuiltIn
Preview: False
Deprecated: False
Effect: Default / Manual, Disabled
RBAC role(s): none
Rule aliases: none
Rule resource types: IF (1)
The following 7 compliance controls are associated with this Policy definition 'Evaluate and review PII holdings regularly' (b6b32f80-a133-7600-301e-398d688e7e0c)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
hipaa 1713.03c1Organizational.3-03.c hipaa-1713.03c1Organizational.3-03.c 1713.03c1Organizational.3-03.c 17 Risk Management 1713.03c1Organizational.3-03.c 03.01 Risk Management Program Shared n/a The organization mitigates any harmful effect that is known to the organization of a use or disclosure of sensitive information (e.g., PII) by the organization or its business partners, vendors, contractors, or similar third-parties in violation of its policies and procedures. 9
hipaa 1911.06d1Organizational.13-06.d hipaa-1911.06d1Organizational.13-06.d 1911.06d1Organizational.13-06.d 19 Data Protection & Privacy 1911.06d1Organizational.13-06.d 06.01 Compliance with Legal Requirements Shared n/a Records with sensitive personal information are protected during transfer to organizations lawfully collecting such information. 5
hipaa 19242.06d1Organizational.14-06.d hipaa-19242.06d1Organizational.14-06.d 19242.06d1Organizational.14-06.d 19 Data Protection & Privacy 19242.06d1Organizational.14-06.d 06.01 Compliance with Legal Requirements Shared n/a Covered information storage is kept to a minimum. 4
hipaa 19243.06d1Organizational.15-06.d hipaa-19243.06d1Organizational.15-06.d 19243.06d1Organizational.15-06.d 19 Data Protection & Privacy 19243.06d1Organizational.15-06.d 06.01 Compliance with Legal Requirements Shared n/a The organization specifies where covered information can be stored. 9
hipaa 19245.06d2Organizational.2-06.d hipaa-19245.06d2Organizational.2-06.d 19245.06d2Organizational.2-06.d 19 Data Protection & Privacy 19245.06d2Organizational.2-06.d 06.01 Compliance with Legal Requirements Shared n/a The organization has implemented technical means to ensure covered information is stored in organization-specified locations. 7
SOC_2 P3.1 SOC_2_P3.1 SOC 2 Type 2 P3.1 Additional Criteria For Privacy Consistent personal information collection Shared The customer is responsible for implementing this recommendation. • Limits the Collection of Personal Information — The collection of personal information is limited to that necessary to meet the entity’s objectives. • Collects Information by Fair and Lawful Means — Methods of collecting personal information are reviewed by management before they are implemented to confirm that personal information is obtained (a) fairly, without intimidation or deception, and (b) lawfully, adhering to all relevant rules of law, whether derived from statute or common law, relating to the collection of personal information. • Collects Information From Reliable Sources — Management confirms that third parties from whom personal information is collected (that is, sources other than the individual) are reliable sources that collect information fairly and lawfully. • Informs Data Subjects When Additional Information Is Acquired — Data subjects are informed if the entity develops or acquires additional information about them for its use. 4
SOC_2 P8.1 SOC_2_P8.1 SOC 2 Type 2 P8.1 Additional Criteria For Privacy Privacy complaint management and compliance management Shared The customer is responsible for implementing this recommendation. • Communicates to Data Subjects — Data subjects are informed about how to contact the entity with inquiries, complaints, and disputes. • Addresses Inquiries, Complaints, and Disputes — A process is in place to address inquiries, complaints, and disputes. • Documents and Communicates Dispute Resolution and Recourse — Each complaint is addressed and the resolution is documented and communicated to the individual. • Documents and Reports Compliance Review Results — Compliance with objectives related to privacy are reviewed and documented and the results of such reviews are reported to management. If problems are identified, remediation plans are developed and implemented. • Documents and Reports Instances of Noncompliance — Instances of noncompliance with objectives related to privacy are documented and reported and, if needed, corrective and disciplinary measures are taken on a timely basis. • Performs Ongoing Monitoring — Ongoing procedures are performed for monitoring the effectiveness of controls over personal information and for taking timely corrective actions when necessary. 5
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
Date/Time (UTC ymd) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add b6b32f80-a133-7600-301e-398d688e7e0c