compliance controls are associated with this Policy definition 'Storage account encryption scopes should use double encryption for data at rest' (bfecdea6-31c4-4045-ad42-71b9dc87247d)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| CMMC_L2_v1.9.0 |
MP.L2_3.8.6 |
CMMC_L2_v1.9.0_MP.L2_3.8.6 |
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 MP.L2 3.8.6 |
Media Protection |
Portable Storage Encryption |
Shared |
Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards. |
To ensure that sensitive information remains secure and confidential even if the media is lost, stolen, or intercepted during transit. |
|
9 |
| CSA_v4.0.12 |
CEK_03 |
CSA_v4.0.12_CEK_03 |
CSA Cloud Controls Matrix v4.0.12 CEK 03 |
Cryptography, Encryption & Key Management |
Data Encryption |
Shared |
n/a |
Provide cryptographic protection to data at-rest and in-transit,
using cryptographic libraries certified to approved standards. |
|
54 |
| CSA_v4.0.12 |
DSP_07 |
CSA_v4.0.12_DSP_07 |
CSA Cloud Controls Matrix v4.0.12 DSP 07 |
Data Security and Privacy Lifecycle Management |
Data Protection by Design and Default |
Shared |
n/a |
Develop systems, products, and business practices based upon a principle
of security by design and industry best practices. |
|
16 |
| CSA_v4.0.12 |
DSP_17 |
CSA_v4.0.12_DSP_17 |
CSA Cloud Controls Matrix v4.0.12 DSP 17 |
Data Security and Privacy Lifecycle Management |
Sensitive Data Protection |
Shared |
n/a |
Define and implement, processes, procedures and technical measures
to protect sensitive data throughout it's lifecycle. |
|
15 |
| CSA_v4.0.12 |
UEM_08 |
CSA_v4.0.12_UEM_08 |
CSA Cloud Controls Matrix v4.0.12 UEM 08 |
Universal Endpoint Management |
Storage Encryption |
Shared |
n/a |
Protect information from unauthorized disclosure on managed endpoint
devices with storage encryption. |
|
14 |
| DORA_2022_2554 |
9.3b |
DORA_2022_2554_9.3b |
DORA 2022 2554 9.3b |
9 |
Minimize Risks of Data Corruption and Loss in ICT Processes |
Shared |
n/a |
Implement information and communication technology (ICT) processes that minimize the risk of data corruption or loss, unauthorized access, and technical flaws that may disrupt business activities. |
|
35 |
| DORA_2022_2554 |
9.3c |
DORA_2022_2554_9.3c |
DORA 2022 2554 9.3c |
9 |
Prevent Data Availability and Integrity Issues in ICT Systems |
Shared |
n/a |
Implement measures in information and communication technology (ICT) to prevent issues related to data availability, authenticity, integrity, confidentiality breaches, and data loss. |
|
58 |
| EU_2555_(NIS2)_2022 |
EU_2555_(NIS2)_2022_21 |
EU_2555_(NIS2)_2022_21 |
EU 2022/2555 (NIS2) 2022 21 |
|
Cybersecurity risk-management measures |
Shared |
n/a |
Requires essential and important entities to take appropriate measures to manage cybersecurity risks. |
|
189 |
| EU_GDPR_2016_679_Art. |
24 |
EU_GDPR_2016_679_Art._24 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 |
Chapter 4 - Controller and processor |
Responsibility of the controller |
Shared |
n/a |
n/a |
|
306 |
| EU_GDPR_2016_679_Art. |
25 |
EU_GDPR_2016_679_Art._25 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 |
Chapter 4 - Controller and processor |
Data protection by design and by default |
Shared |
n/a |
n/a |
|
306 |
| EU_GDPR_2016_679_Art. |
28 |
EU_GDPR_2016_679_Art._28 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 |
Chapter 4 - Controller and processor |
Processor |
Shared |
n/a |
n/a |
|
306 |
| EU_GDPR_2016_679_Art. |
32 |
EU_GDPR_2016_679_Art._32 |
EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 |
Chapter 4 - Controller and processor |
Security of processing |
Shared |
n/a |
n/a |
|
306 |
| FBI_Criminal_Justice_Information_Services_v5.9.5_5 |
.1 |
FBI_Criminal_Justice_Information_Services_v5.9.5_5.1 |
FBI Criminal Justice Information Services (CJIS) v5.9.5 5.1 |
Policy and Implementation - Systems And Communications Protection |
Systems And Communications Protection |
Shared |
In addition, applications, services, or information systems must have the capability to ensure system integrity through the detection and protection against unauthorized changes to software and information. |
Examples of systems and communications safeguards range from boundary and transmission protection to securing an agency's virtualized environment. |
|
110 |
| HITRUST_CSF_v11.3 |
06.c |
HITRUST_CSF_v11.3_06.c |
HITRUST CSF v11.3 06.c |
Compliance with Legal Requirements |
Prevent loss, destruction and falsification of important records in accordance with statutory, regulatory, contractual, and business requirements. |
Shared |
1. Guidelines are to be issued and implemented by the organization on the ownership, classification, retention, storage, handling, and disposal of all records and information.
2. Accountings of disclosure as organizational records are to be documented and maintained for a pre-defined period. |
Important records shall be protected from loss, destruction, and falsification, in accordance with statutory, regulatory, contractual, and business requirements. |
|
26 |
| ISO_IEC_27001_2022 |
7.5.3 |
ISO_IEC_27001_2022_7.5.3 |
ISO IEC 27001 2022 7.5.3 |
Support |
Control of documented information |
Shared |
1. Documented information required by the information security management system and by this document shall be controlled to ensure:
a. it is available and suitable for use, where and when it is needed; and
b. it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).
2. For the control of documented information, the organization shall address the following activities, as applicable:
a. distribution, access, retrieval and use;
b. storage and preservation, including the preservation of legibility;
c. control of changes (e.g. version control); and
d. retention and disposition. |
Specifies that the documented information of external origin, determined by the organization to be necessary for the planning and operation of the information security management system, shall be identified as appropriate, and controlled |
|
32 |
| ISO_IEC_27017_2015 |
18.1.3 |
ISO_IEC_27017_2015_18.1.3 |
ISO IEC 27017 2015 18.1.3 |
Compliance |
Protection of Records |
Shared |
For Cloud Service Customer:
The cloud service customer should request information from the cloud service provider about the protection of records gathered and stored by the cloud service provider that are relevant to the use of cloud services by the cloud service
customer.
For Cloud Service Provider:
The cloud service provider should provide information to the cloud service customer about the protection of records that are gathered and stored by the cloud service provider relating to the use of cloud services by the cloud service customer. |
To ensure compliance with legal, statutory, regulatory and contractual requirements, as well as community or societal expectations related to the protection and availability of records. |
|
17 |
| K_ISMS_P_2018 |
2.10.1 |
K_ISMS_P_2018_2.10.1 |
K ISMS P 2018 2.10.1 |
2.10 |
Establish Procedures for Managing the Security of System Operations |
Shared |
n/a |
Establish and implement operating procedures for managing the security of system operations such as designating system administrators, updating policies, changing rulesets, monitoring events, managing policy implementations or exceptions. |
|
408 |
| K_ISMS_P_2018 |
2.10.2 |
K_ISMS_P_2018_2.10.2 |
K ISMS P 2018 2.10.2 |
2.10 |
Establish Protective Measures for Administrator Privileges and Security Configurations |
Shared |
n/a |
Establish and implement protective measures with regard to administrator privileges and security configurations to ensure that important information and personal information are not exposed as a result of unauthorized access by service type or misconfigurations. |
|
385 |
| K_ISMS_P_2018 |
2.10.4 |
K_ISMS_P_2018_2.10.4 |
K ISMS P 2018 2.10.4 |
2.10 |
Establish Protective Measures when Working with Electronic Transactions or Fintech Services |
Shared |
n/a |
Establish and implement protective measures such as authentication and encryption to prevent information leakage, data alteration, or fraud when working with electronic transactions and Fintech services. In the event connections to external systems are required, safety must be checked. |
|
43 |
| K_ISMS_P_2018 |
2.7.1b |
K_ISMS_P_2018_2.7.1b |
K ISMS P 2018 2.7.1b |
2.7 |
Ensure Data is Encrypted at Rest and In-Transit |
Shared |
n/a |
Ensure data is encrypted when storing and transmitting personal and important information. |
|
68 |
| K_ISMS_P_2018 |
2.9.3 |
K_ISMS_P_2018_2.9.3 |
K ISMS P 2018 2.9.3 |
2.9 |
Establish Backup Recovery Procedures for Information Systems and Ensure Timely Recovery |
Shared |
n/a |
Establish and implement backup recovery procedures for the information system such as backup targets, backup cycles, backup methods, storage places, storage periods, and vaulting. Ensure timely recovery of information systems following an incident. |
|
10 |
| K_ISMS_P_2018 |
3.4.3 |
K_ISMS_P_2018_3.4.3 |
K ISMS P 2018 3.4.3 |
3.4 |
Implement Measure to Protect the Personal Information of Dormant Users |
Shared |
n/a |
Implement measures to protect the personal information of dormant users including notification of relevant matters, or disposal of storage of personal information. |
|
31 |
| LGPD_2018_Art. |
16 |
LGPD_2018_Art._16 |
Brazilian General Data Protection Law (LGPD) 2018 Art. 16 |
Termination of Data Processing |
Art. 16. Personal data shall be deleted following the termination of their processing |
Shared |
n/a |
Personal data shall be deleted following the termination of their processing, within the scope and technical limits of the activities, but their storage is authorized for the following purposes: (1) compliance with a legal or regulatory obligation by the controller; (2) study by a research entity, ensuring, whenever possible, the anonymization of the personal data; (3) transfer to third parties, provided that the requirements for data processing as provided in this Law are obeyed; or (4) exclusive use of the controller, with access by third parties being prohibited, and provided the data has been anonymized. |
|
18 |
| NIST_SP_800-171_R3_3 |
.13.8 |
NIST_SP_800-171_R3_3.13.8 |
NIST 800-171 R3 3.13.8 |
System and Communications Protection Control |
Transmission and Storage Confidentiality |
Shared |
This requirement applies to internal and external networks and any system components that can transmit CUI, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are susceptible to interception and modification. Encryption protects CUI from unauthorized disclosure during transmission and while in storage. Cryptographic mechanisms that protect the confidentiality of CUI during transmission include TLS and IPsec. Information in storage (i.e. information at rest) refers to the state of CUI when it is not in process or in transit and resides on internal or external storage devices, storage area network devices, and databases. Protecting CUI in storage does not focus on the type of storage device or the frequency of access to that device but rather on the state of the information. This requirement relates to 03.13.11. |
Implement cryptographic mechanisms to prevent the unauthorized disclosure of CUI during transmission and while in storage. |
|
12 |
| NIST_SP_800-53_R5.1.1 |
SC.28 |
NIST_SP_800-53_R5.1.1_SC.28 |
NIST SP 800-53 R5.1.1 SC.28 |
System and Communications Protection |
Protection of Information at Rest |
Shared |
Protect the [Selection (one or more): confidentiality; integrity] of the following information at rest: [Assignment: organization-defined information at rest]. |
Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, storage area network devices, or databases. However, the focus of protecting information at rest is not on the type of storage device or frequency of access but rather on the state of the information. Information at rest addresses the confidentiality and integrity of information and covers user information and system information. System-related information that requires protection includes configurations or rule sets for firewalls, intrusion detection and prevention systems, filtering routers, and authentication information. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing write-once-read-many (WORM) technologies. When adequate protection of information at rest cannot otherwise be achieved, organizations may employ other controls, including frequent scanning to identify malicious code at rest and secure offline storage in lieu of online storage. |
|
17 |
| NIST_SP_800-53_R5.1.1 |
SC.28.1 |
NIST_SP_800-53_R5.1.1_SC.28.1 |
NIST SP 800-53 R5.1.1 SC.28.1 |
System and Communications Protection |
Protection of Information at Rest | Cryptographic Protection |
Shared |
Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on [Assignment: organization-defined system components or media]: [Assignment: organization-defined information]. |
The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category or classification of the information. Organizations have the flexibility to encrypt information on system components or media or encrypt data structures, including files, records, or fields. |
|
9 |
| NZISM_v3.7 |
14.3.10.C.01. |
NZISM_v3.7_14.3.10.C.01. |
NZISM v3.7 14.3.10.C.01. |
Web Applications |
14.3.10.C.01. - maintain control over network traffic and reduces the likelihood of exposure to malicious content or activities. |
Shared |
n/a |
Agencies SHOULD implement allow listing for all HTTP traffic being communicated through their gateways. |
|
24 |
| NZISM_v3.7 |
14.3.10.C.02. |
NZISM_v3.7_14.3.10.C.02. |
NZISM v3.7 14.3.10.C.02. |
Web Applications |
14.3.10.C.02. - maintain control over network traffic and reduces the likelihood of exposure to malicious content or activities. |
Shared |
n/a |
Agencies using an allow list on their gateways to specify the external addresses, to which encrypted connections are permitted, SHOULD specify allow list addresses by domain name or IP address. |
|
23 |
| NZISM_v3.7 |
14.3.10.C.03. |
NZISM_v3.7_14.3.10.C.03. |
NZISM v3.7 14.3.10.C.03. |
Web Applications |
14.3.10.C.03. - maintain control over network traffic and reduces the likelihood of exposure to malicious content or activities. |
Shared |
n/a |
If agencies do not allow list websites they SHOULD deny list websites to prevent access to known malicious websites. |
|
22 |
| NZISM_v3.7 |
14.3.10.C.04. |
NZISM_v3.7_14.3.10.C.04. |
NZISM v3.7 14.3.10.C.04. |
Web Applications |
14.3.10.C.04. - maintain control over network traffic and reduces the likelihood of exposure to malicious content or activities. |
Shared |
n/a |
Agencies deny listing websites SHOULD update the deny list on a frequent basis to ensure that it remains effective. |
|
22 |
| NZISM_v3.7 |
17.8.10.C.01. |
NZISM_v3.7_17.8.10.C.01. |
NZISM v3.7 17.8.10.C.01. |
Internet Protocol Security (IPSec) |
17.8.10.C.01. - enhance overall cybersecurity posture. |
Shared |
n/a |
Agencies SHOULD use tunnel mode for IPSec connections. |
|
22 |
| NZISM_v3.7 |
17.8.10.C.02. |
NZISM_v3.7_17.8.10.C.02. |
NZISM v3.7 17.8.10.C.02. |
Internet Protocol Security (IPSec) |
17.8.10.C.02. - enhance overall cybersecurity posture. |
Shared |
n/a |
Agencies choosing to use transport mode SHOULD additionally use an IP tunnel for IPSec connections. |
|
35 |
| NZISM_v3.7 |
19.1.10.C.01. |
NZISM_v3.7_19.1.10.C.01. |
NZISM v3.7 19.1.10.C.01. |
Gateways |
19.1.10.C.01. - ensure that the security requirements are consistently upheld throughout the network hierarchy, from the lowest to the highest networks. |
Shared |
n/a |
When agencies have cascaded connections between networks involving multiple gateways they MUST ensure that the assurance levels specified for network devices between the overall lowest and highest networks are met by the gateway between the highest network and the next highest network within the cascaded connection. |
|
46 |
| NZISM_v3.7 |
19.1.11.C.01. |
NZISM_v3.7_19.1.11.C.01. |
NZISM v3.7 19.1.11.C.01. |
Gateways |
19.1.11.C.01. - ensure network protection through gateway mechanisms. |
Shared |
n/a |
Agencies MUST ensure that:
1. all agency networks are protected from networks in other security domains by one or more gateways;
2. all gateways contain mechanisms to filter or limit data flow at the network and content level to only the information necessary for business purposes; and
3. all gateway components, discrete and virtual, are physically located within an appropriately secured server room. |
|
45 |
| NZISM_v3.7 |
19.1.11.C.02. |
NZISM_v3.7_19.1.11.C.02. |
NZISM v3.7 19.1.11.C.02. |
Gateways |
19.1.11.C.02. - maintain security and integrity across domains. |
Shared |
n/a |
For gateways between networks in different security domains, any shared components MUST be managed by the system owners of the highest security domain or by a mutually agreed party. |
|
44 |
| NZISM_v3.7 |
19.1.12.C.01. |
NZISM_v3.7_19.1.12.C.01. |
NZISM v3.7 19.1.12.C.01. |
Gateways |
19.1.12.C.01. - minimize security risks and ensure effective control over network communications |
Shared |
n/a |
Agencies MUST ensure that gateways:
1. are the only communications paths into and out of internal networks;
2. by default, deny all connections into and out of the network;
3. allow only explicitly authorised connections;
4. are managed via a secure path isolated from all connected networks (i.e. physically at the gateway or on a dedicated administration network);
5. provide sufficient logging and audit capabilities to detect information security incidents, attempted intrusions or anomalous usage patterns; and
6. provide real-time alerts. |
|
43 |
| NZISM_v3.7 |
19.1.14.C.01. |
NZISM_v3.7_19.1.14.C.01. |
NZISM v3.7 19.1.14.C.01. |
Gateways |
19.1.14.C.01. - enhance security by segregating resources from the internal network. |
Shared |
n/a |
Agencies MUST use demilitarised zones to house systems and information directly accessed externally. |
|
37 |
| NZISM_v3.7 |
19.1.14.C.02. |
NZISM_v3.7_19.1.14.C.02. |
NZISM v3.7 19.1.14.C.02. |
Gateways |
19.1.14.C.02. - enhance security by segregating resources from the internal network. |
Shared |
n/a |
Agencies SHOULD use demilitarised zones to house systems and information directly accessed externally. |
|
37 |
| NZISM_v3.7 |
19.1.19.C.01. |
NZISM_v3.7_19.1.19.C.01. |
NZISM v3.7 19.1.19.C.01. |
Gateways |
19.1.19.C.01. - enhance security posture. |
Shared |
n/a |
Agencies MUST limit access to gateway administration functions. |
|
33 |
| NZISM_v3.7 |
19.2.16.C.02. |
NZISM_v3.7_19.2.16.C.02. |
NZISM v3.7 19.2.16.C.02. |
Cross Domain Solutions (CDS) |
19.2.16.C.02. - maintain security and prevent unauthorized access or disclosure of sensitive information.
|
Shared |
n/a |
Agencies MUST NOT implement a gateway permitting data to flow directly from:
1. a TOP SECRET network to any network below SECRET;
2. a SECRET network to an UNCLASSIFIED network; or
3. a CONFIDENTIAL network to an UNCLASSIFIED network. |
|
33 |
| NZISM_v3.7 |
19.2.18.C.01. |
NZISM_v3.7_19.2.18.C.01. |
NZISM v3.7 19.2.18.C.01. |
Cross Domain Solutions (CDS) |
19.2.18.C.01. - enhance data security and prevent unauthorized access or leakage between classified networks and less classified networks. |
Shared |
n/a |
Agencies MUST ensure that all bi-directional gateways between TOP SECRET and SECRET networks, SECRET and less classified networks, and CONFIDENTIAL and less classified networks, have separate upward and downward paths which use a diode and physically separate infrastructure for each path. |
|
33 |
| NZISM_v3.7 |
19.2.19.C.01. |
NZISM_v3.7_19.2.19.C.01. |
NZISM v3.7 19.2.19.C.01. |
Cross Domain Solutions (CDS) |
19.2.19.C.01. - ensure the integrity and reliability of information accessed or received.
|
Shared |
n/a |
Trusted sources MUST be:
1. a strictly limited list derived from business requirements and the result of a security risk assessment;
2. where necessary an appropriate security clearance is held; and
3. approved by the Accreditation Authority. |
|
33 |
| PCI_DSS_v4.0.1 |
3.5.1.2 |
PCI_DSS_v4.0.1_3.5.1.2 |
PCI DSS v4.0.1 3.5.1.2 |
Protect Stored Account Data |
If disk-level or partition-level encryption (rather than file-, column-, or field-level database encryption) is used to render PAN unreadable, it is implemented only as follows: on removable electronic media OR if used for non-removable electronic media, PAN is also rendered unreadable via another mechanism that meets Requirement 3.5.1 |
Shared |
n/a |
Examine encryption processes to verify that, if disk-level or partition-level encryption is used to render PAN unreadable, it is implemented only as follows: on removable electronic media, OR if used for non-removable electronic media, examine encryption processes used to verify that PAN is also rendered unreadable via another method that meets Requirement 3.5.1. Examine configurations and/or vendor documentation and observe encryption processes to verify the system is configured according to vendor documentation the result is that the disk or the partition is rendered unreadable |
|
9 |
| RBI_ITF_NBFC_v2017 |
3.1.h |
RBI_ITF_NBFC_v2017_3.1.h |
RBI IT Framework 3.1.h |
Information and Cyber Security |
Public Key Infrastructure (PKI)-3.1 |
|
n/a |
The IS Policy must provide for a IS framework with the following basic tenets:
Public Key Infrastructure (PKI) - NBFCs may increase the usage of PKI to ensure confidentiality of data, access control, data integrity, authentication and nonrepudiation. |
link |
31 |
| SOC_2023 |
CC2.3 |
SOC_2023_CC2.3 |
SOC 2023 CC2.3 |
Information and Communication |
Facilitate effective internal communication. |
Shared |
n/a |
Entity to communicate with external parties regarding matters affecting the functioning of internal control. |
|
214 |
| SOC_2023 |
CC5.3 |
SOC_2023_CC5.3 |
SOC 2023 CC5.3 |
Control Activities |
Maintain alignment with organizational objectives and regulatory requirements. |
Shared |
n/a |
Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. |
|
225 |
| SOC_2023 |
CC7.4 |
SOC_2023_CC7.4 |
SOC 2023 CC7.4 |
Systems Operations |
Effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. |
Shared |
n/a |
The entity responds to identified security incidents by:
a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities;
b. Establishing procedures to contain security incidents;
c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents;
d. Restoring operations;
e. Developing and Implementing Communication Protocols for Security Incidents;
f. Obtains Understanding of Nature of Incident and Determines Containment Strategy;
g. Remediation Identified Vulnerabilities;
h. Communicating Remediation Activities; and,
i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. |
|
209 |
| UK_NCSC_CAF_v3.2 |
C1.b |
UK_NCSC_CAF_v3.2_C1.b |
NCSC Cyber Assurance Framework (CAF) v3.2 C1.b |
Security Monitoring |
Securing Logs |
Shared |
1. The integrity of logging data is protected, or any modification is detected and attributed.
2. The logging architecture has mechanisms, processes and procedures to ensure that it can protect itself from threats comparable to those it is trying to identify. This includes protecting the function itself, and the data within it.
3. Log data analysis and normalisation is only performed on copies of the data keeping the master copy unaltered.
4. Logging datasets are synchronised, using an accurate common time source, so that separate datasets can be correlated in different ways.
5. Access to logging data is limited to those with business need and no others.
6. All actions involving all logging data (e.g. copying, deleting or modification, or even viewing) can be traced back to a unique user.
7. Legitimate reasons for accessing logging data are given in use policies. |
Hold logging data securely and grant read access only to accounts with business need. No employee should ever need to modify or delete logging data within an agreed retention period, after which it should be deleted. |
|
11 |