Sanitize customer data from all shared resources upon agreement termination.


CONTROL ID: 12175
CONTROL TYPE: Records Management
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a virtual environment and shared resources security program., CC ID: 06551

This Control has the following implementation support Control(s):
  • Return all unstructured data from all shared resources upon agreement termination., CC ID: 12336
  • Remove data remnants in terminated Virtual Machines., CC ID: 12168


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • In the event of a termination of outsourcing agreement, for whatever reason, AIs should ensure that all customer data is either retrieved from the service provider or destroyed. (2.5.4, Hong Kong Monetary Authority Supervisory Policy Manual SA-2 Outsourcing, V.1-28.12.01)
  • Is all client data securely purged from all CSP systems upon termination of the agreement? (Appendix D, Protect Cardholder Data Bullet 13, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • Could de-provisioned credentials be retained in offline images? (Appendix D, Implement Strong Access Control Measures Bullet 7 Sub-bullet 2, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • Implementing procedures for terminating vendor and business partner relationships based on predefined considerations. Those procedures may include safe return of data and its removal from the vendor or business partner system. (¶ 3.164 Bullet 9, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Cryptographic Erase, described in Section 5.11.1, Cryptographic Erase, provides a high-assurance way of ensuring data at rest can no longer be read. Upon successful transfer of data out of a CSO, mission owners with data that is encrypted at rest must cryptographically erase all such mission data a… (Section 5.8 ¶ 3, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Contracts specify the security requirements for the return or destruction of data upon contract termination. (Domain 4: Assessment Factor: Relationship Management, CONTRACTS Baseline 2 ¶ 6, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Contractual responsibilities, capabilities, and restrictions for the financial institution and cloud service provider. Contracts between the financial institution and cloud service provider should be drafted to clearly define which party has responsibilities for configuration and management of syste… (Risk Management Cloud Security Management Bullet 2, FFIEC Security in a Cloud Computing Environment)