last sync: 2024-Oct-10 19:12:06 UTC

Verify personal data is deleted at the end of processing | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Verify personal data is deleted at the end of processing
Id c6b877a6-5d6d-1862-4b7f-3ccc30b25b63
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_0540 - Verify personal data is deleted at the end of processing
Additional metadata Name/Id: CMA_0540 / CMA_0540
Category: Operational
Title: Verify personal data is deleted at the end of processing
Ownership: Customer
Description: Microsoft recommends that your organization delete personal data at the end of processing or when the data subject revokes consent. The following circumstances are exceptions from the obligation to delete personal data at the end of processing: compliance with a regulatory obligation, research studies ensuring anonymization of personal data, third party transfers, or for exclusive use by your organization where third-party access is prohibited and the data has been anonymized. It is encouraged to restrict access to the data if your organization is unable to delete the data at the end of processing or when the data subject revokes consent. It is recommended to ensure that data is properly deletion and disposed of. If the deletion or disposition of data is delegated to a third party, it is recommended to monitor the third party to prohibit and avoid unauthorized access, acquisition, or use of personal information during the collection, transportation, and disposal of materials containing personal information.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 24 compliance controls are associated with this Policy definition 'Verify personal data is deleted at the end of processing' (c6b877a6-5d6d-1862-4b7f-3ccc30b25b63)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
hipaa 0670.10hCSPSystem.2-10.h hipaa-0670.10hCSPSystem.2-10.h 0670.10hCSPSystem.2-10.h 06 Configuration Management 0670.10hCSPSystem.2-10.h 10.04 Security of System Files Shared n/a Structured and unstructured data is available to the organization (customer) and provided to them upon request in an industry-standard format (e.g., .docx, .xlsx, pdf, logs, and flat files). 3
hipaa 1211.09aa3System.4-09.aa hipaa-1211.09aa3System.4-09.aa 1211.09aa3System.4-09.aa 12 Audit Logging & Monitoring 1211.09aa3System.4-09.aa 09.10 Monitoring Shared n/a The organization verifies every 90 days for each extract of covered information recorded that the data is erased or its use is still required. 9
hipaa 1713.03c1Organizational.3-03.c hipaa-1713.03c1Organizational.3-03.c 1713.03c1Organizational.3-03.c 17 Risk Management 1713.03c1Organizational.3-03.c 03.01 Risk Management Program Shared n/a The organization mitigates any harmful effect that is known to the organization of a use or disclosure of sensitive information (e.g., PII) by the organization or its business partners, vendors, contractors, or similar third-parties in violation of its policies and procedures. 9
hipaa 1826.09p1Organizational.1-09.p hipaa-1826.09p1Organizational.1-09.p 1826.09p1Organizational.1-09.p 18 Physical & Environmental Security 1826.09p1Organizational.1-09.p 09.07 Media Handling Shared n/a The organization securely disposes of media containing sensitive information. 3
hipaa 1904.06.d2Organizational.1-06.d hipaa-1904.06.d2Organizational.1-06.d 1904.06.d2Organizational.1-06.d 19 Data Protection & Privacy 1904.06.d2Organizational.1-06.d 06.01 Compliance with Legal Requirements Shared n/a Covered information is retained only for as long as required. 3
hipaa 19142.06c1Organizational.8-06.c hipaa-19142.06c1Organizational.8-06.c 19142.06c1Organizational.8-06.c 19 Data Protection & Privacy 19142.06c1Organizational.8-06.c 06.01 Compliance with Legal Requirements Shared n/a Guidelines are issued by the organization on the ownership, classification, retention, storage, handling and disposal of all records and information. 9
hipaa 19144.06c2Organizational.1-06.c hipaa-19144.06c2Organizational.1-06.c 19144.06c2Organizational.1-06.c 19 Data Protection & Privacy 19144.06c2Organizational.1-06.c 06.01 Compliance with Legal Requirements Shared n/a The organization has established a formal records document retention program. 7
hipaa 19145.06c2Organizational.2-06.c hipaa-19145.06c2Organizational.2-06.c 19145.06c2Organizational.2-06.c 19 Data Protection & Privacy 19145.06c2Organizational.2-06.c 06.01 Compliance with Legal Requirements Shared n/a Specific controls for record storage, access, retention, and destruction have been implemented. 8
ISO27001-2013 A.11.2.7 ISO27001-2013_A.11.2.7 ISO 27001:2013 A.11.2.7 Physical And Environmental Security Secure disposal or re-use of equipment Shared n/a All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use. link 5
ISO27001-2013 A.12.3.1 ISO27001-2013_A.12.3.1 ISO 27001:2013 A.12.3.1 Operations Security Information backup Shared n/a Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy. link 13
ISO27001-2013 A.12.4.2 ISO27001-2013_A.12.4.2 ISO 27001:2013 A.12.4.2 Operations Security Protection of log information Shared n/a Logging facilities and log information shall be protected against tampering and unauthorized access. link 8
ISO27001-2013 A.14.3.1 ISO27001-2013_A.14.3.1 ISO 27001:2013 A.14.3.1 System Acquisition, Development And Maintenance Protection of test data Shared n/a Test data shall be selected carefully, protected and controlled. link 11
mp.info.6 Backups mp.info.6 Backups 404 not found n/a n/a 65
mp.si.2 Cryptography mp.si.2 Cryptography 404 not found n/a n/a 32
mp.si.5 Erasure and destruction mp.si.5 Erasure and destruction 404 not found n/a n/a 9
mp.sw.1 IT Aplications development mp.sw.1 IT Aplications development 404 not found n/a n/a 51
mp.sw.2 Acceptance and commissioning mp.sw.2 Acceptance and commissioning 404 not found n/a n/a 60
PCI_DSS_v4.0 3.2.1 PCI_DSS_v4.0_3.2.1 PCI DSS v4.0 3.2.1 Requirement 03: Protect Stored Account Data Storage of account data is kept to a minimum Shared n/a Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes that include at least the following: • Coverage for all locations of stored account data. • Coverage for any sensitive authentication data (SAD) stored prior to completion of authorization. This bullet is a best practice until its effective date; refer to Applicability Notes below for details. • Limiting data storage amount and retention time to that which is required for legal or regulatory, and/or business requirements. • Specific retention requirements for stored account data that defines length of retention period and includes a documented business justification. • Processes for secure deletion or rendering account data unrecoverable when no longer needed per the retention policy. • A process for verifying, at least once every three months, that stored account data exceeding the defined retention period has been securely deleted or rendered unrecoverable. link 8
PCI_DSS_v4.0 3.3.1 PCI_DSS_v4.0_3.3.1 PCI DSS v4.0 3.3.1 Requirement 03: Protect Stored Account Data Sensitive authentication data (SAD) is not stored after authorization Shared n/a SAD is not retained after authorization, even if encrypted. All sensitive authentication data received is rendered unrecoverable upon completion of the authorization process. link 8
PCI_DSS_v4.0 3.3.1.1 PCI_DSS_v4.0_3.3.1.1 PCI DSS v4.0 3.3.1.1 Requirement 03: Protect Stored Account Data Sensitive authentication data (SAD) is not stored after authorization Shared n/a The full contents of any track are not retained upon completion of the authorization process. link 8
PCI_DSS_v4.0 3.3.1.3 PCI_DSS_v4.0_3.3.1.3 PCI DSS v4.0 3.3.1.3 Requirement 03: Protect Stored Account Data Sensitive authentication data (SAD) is not stored after authorization Shared n/a The personal identification number (PIN) and the PIN block are not retained upon completion of the authorization process. link 8
PCI_DSS_v4.0 9.4.6 PCI_DSS_v4.0_9.4.6 PCI DSS v4.0 9.4.6 Requirement 09: Restrict Physical Access to Cardholder Data Media with cardholder data is securely stored, accessed, distributed, and destroyed Shared n/a Hard-copy materials with cardholder data are destroyed when no longer needed for business or legal reasons, as follows: • Materials are cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed. • Materials are stored in secure storage containers prior to destruction. link 4
PCI_DSS_v4.0 9.4.7 PCI_DSS_v4.0_9.4.7 PCI DSS v4.0 9.4.7 Requirement 09: Restrict Physical Access to Cardholder Data Media with cardholder data is securely stored, accessed, distributed, and destroyed Shared n/a Electronic media with cardholder data is destroyed when no longer needed for business or legal reasons via one of the following: • The electronic media is destroyed. • The cardholder data is rendered unrecoverable so that it cannot be reconstructed. link 4
SOC_2 P4.3 SOC_2_P4.3 SOC 2 Type 2 P4.3 Additional Criteria For Privacy Personal information disposal Shared The customer is responsible for implementing this recommendation. • Captures, Identifies, and Flags Requests for Deletion — Requests for deletion of personal information are captured and information related to the requests is identified and flagged for destruction to meet the entity’s objectives related to privacy. • Disposes of, Destroys, and Redacts Personal Information — Personal information no longer retained is anonymized, disposed of, or destroyed in a manner that prevents loss, theft, misuse, or unauthorized access. • Destroys Personal Information — Policies and procedures are implemented to erase or otherwise destroy personal information that has been identified for destruction. 2
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add c6b877a6-5d6d-1862-4b7f-3ccc30b25b63
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC