last sync: 2024-Oct-15 17:53:32 UTC

Establish privacy requirements for contractors and service providers | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source: Azure Portal
Display name: Establish privacy requirements for contractors and service providers
Id: f8d141b7-4e21-62a6-6608-c79336e36bc9
Version: 1.1.0 (Built-in Versioning [Preview]; versions supported: 1, namely 1.1.0)
Category: Regulatory Compliance
Description: CMA_C1810 - Establish privacy requirements for contractors and service providers
Additional metadata:
  Name/Id: CMA_C1810 / CMA_C1810
  Category: Operational
  Title: Establish privacy requirements for contractors and service providers
  Ownership: Customer
  Description: The customer is responsible for establishing privacy roles, responsibilities, and access requirements for contractors and service providers.
  Requirements: The customer is responsible for implementing this recommendation.
Mode: All
Type: BuiltIn
Preview: False
Deprecated: False
Effect: Manual (default); allowed values: Manual, Disabled
RBAC role(s): none
Rule aliases: none
Rule resource types (IF, 1): Microsoft.Resources/subscriptions
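Because the effect is Manual, Azure Policy never evaluates the subscription for this definition: an assignment only creates a compliance record, whose state stays at the definition's default (Unknown) until someone records an attestation. The following PowerShell is an added example, not code from this page or from Microsoft, showing an assignment of this built-in definition at subscription scope followed by an attestation and a read-back. It assumes the Az.Resources (7.x output property names, i.e. `$assignment.Id`) and Az.PolicyInsights modules, a session signed in with Connect-AzAccount, and that the subscription ID, assignment name, comment text and owner object ID are placeholders to be replaced.

```powershell
# Added example (not from the page or from Microsoft): assign the Manual-effect
# definition f8d141b7-4e21-62a6-6608-c79336e36bc9 at subscription scope and
# attest its compliance state.
# Assumptions: Az.Resources 7.x and Az.PolicyInsights are installed, you are
# signed in (Connect-AzAccount), and the values marked "placeholder" are yours.

$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$scope          = "/subscriptions/$subscriptionId"
$definitionId   = '/providers/Microsoft.Authorization/policyDefinitions/f8d141b7-4e21-62a6-6608-c79336e36bc9'

# 1. Assign the definition. The effect is left at its default, Manual, so no
#    evaluation runs; the assignment exists only so an attestation can be
#    attached to it.
$definition = Get-AzPolicyDefinition -Id $definitionId
$assignment = New-AzPolicyAssignment -Name 'privacy-reqs-contractors' `
    -DisplayName 'Establish privacy requirements for contractors and service providers' `
    -Scope $scope `
    -PolicyDefinition $definition

# 2. Attest compliance for the subscription. Record who is accountable, the
#    basis for the assertion and when it lapses; an attestation without an
#    expiry silently stays Compliant forever, which is what an auditor will
#    challenge. The comment and owner object ID below are placeholders.
New-AzPolicyAttestation -Name 'privacy-reqs-contractors-2024q4' `
    -Scope $scope `
    -PolicyAssignmentId $assignment.Id `
    -ComplianceState 'Compliant' `
    -Comment 'Contractor and service-provider privacy clauses reviewed against current vendor contracts' `
    -ExpiresOn (Get-Date).AddMonths(12) `
    -Owner '11111111-1111-1111-1111-111111111111'   # placeholder: Entra object ID of the accountable owner

# 3. Read the attestation back; this is the state that surfaces in the Policy
#    compliance blade and in Microsoft Defender for Cloud regulatory views.
Get-AzPolicyAttestation -Scope $scope -PolicyAssignmentId $assignment.Id |
    Select-Object Name, ComplianceState, ExpiresOn, Owner
```

When the same definition is assigned through one of the initiatives listed further down (HITRUST/HIPAA, ISO 27001:2013, SOC 2 Type 2, Spain ENS), the attestation must also pass -PolicyDefinitionReferenceId for this policy's entry in that initiative; an attestation against the initiative assignment alone does not target this definition.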
Compliance

The following 6 compliance controls are associated with this Policy definition 'Establish privacy requirements for contractors and service providers' (f8d141b7-4e21-62a6-6608-c79336e36bc9). Fields per control: Control Domain, Control Name, MetadataId, Category, Title, Owner, Requirements, Description, Policy#.

1. hipaa 1432.05k1Organizational.89-05.k
   MetadataId: hipaa-1432.05k1Organizational.89-05.k
   Category: 14 Third Party Assurance
   Title: 1432.05k1Organizational.89-05.k 05.02 External Parties
   Owner: Shared
   Requirements: n/a
   Description: The organization ensures a screening process is carried out for contractors and third-party users, and, where contractors are provided through an organization, the contract with the organization clearly specifies (i) the organization's responsibilities for screening and the notification procedures they need to follow if screening has not been completed, or if the results give cause for doubt or concern; and, (ii) all responsibilities and notification procedures for screening.
   Policy#: 7

2. ISO27001-2013 A.5.1.1 (ISO 27001:2013 A.5.1.1)
   MetadataId: ISO27001-2013_A.5.1.1
   Category: Information Security Policies
   Title: Policies for information security
   Owner: Shared
   Requirements: n/a
   Description: A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.
   Policy#: 42

3. ISO27001-2013 C.4.3.c (ISO 27001:2013 C.4.3.c)
   MetadataId: ISO27001-2013_C.4.3.c
   Category: Context of the organization
   Title: Determining the scope of the information security management system
   Owner: Shared
   Requirements: n/a
   Description: The organization shall determine the boundaries and applicability of the information security management system to establish its scope. When determining this scope, the organization shall consider: c) interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations. The scope shall be available as documented information.
   Policy#: 18

4. mp.s.2 Protection of web services and applications (Spain ENS)
   MetadataId: mp.s.2
   Title: Protection of web services and applications
   Owner: not available on this page (control link returned 404 not found)
   Requirements: n/a
   Description: n/a
   Policy#: 102

5. org.1 Security policy (Spain ENS)
   MetadataId: org.1
   Title: Security policy
   Owner: not available on this page (control link returned 404 not found)
   Requirements: n/a
   Description: n/a
   Policy#: 94

6. SOC_2 P6.1 (SOC 2 Type 2 P6.1)
   MetadataId: SOC_2_P6.1
   Category: Additional Criteria For Privacy
   Title: Personal information third party disclosure
   Owner: Shared
   Requirements: The customer is responsible for implementing this recommendation.
   Description:
   - Communicates Privacy Policies to Third Parties: privacy policies or other specific instructions or requirements for handling personal information are communicated to third parties to whom personal information is disclosed.
   - Discloses Personal Information Only When Appropriate: personal information is disclosed to third parties only for the purposes for which it was collected or created and only when implicit or explicit consent has been obtained from the data subject, unless a law or regulation specifically requires otherwise.
   - Discloses Personal Information Only to Appropriate Third Parties: personal information is disclosed only to third parties who have agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the entity's privacy notice or other specific instructions or requirements. The entity has procedures in place to evaluate that the third parties have effective controls to meet the terms of the agreement, instructions, or requirements.
   - Discloses Information to Third Parties for New Purposes and Uses: personal information is disclosed to third parties for new purposes or uses only with the prior implicit or explicit consent of data subjects.
   Policy#: 15
Initiatives usage

Initiative DisplayName (Initiative Id): Initiative Category, State, Type
- HITRUST/HIPAA (a169a624-5599-4385-a696-c8d643089fab): Regulatory Compliance, GA, BuiltIn
- ISO 27001:2013 (89c6cddc-1c73-4ac1-b19c-54d1a15a42f2): Regulatory Compliance, GA, BuiltIn
- SOC 2 Type 2 (4054785f-702b-4a98-9215-009cbd58b141): Regulatory Compliance, GA, BuiltIn
- Spain ENS (175daf90-21e1-4fec-b745-7b4c909aa94c): Regulatory Compliance, GA, BuiltIn
History

Date/Time (UTC, ymd) | Change type | Change detail
- 2022-09-27 16:35:32 | change | Minor (1.0.0 > 1.1.0)
- 2022-09-13 16:35:29 | add | f8d141b7-4e21-62a6-6608-c79336e36bc9