DSP-14: Disclosure of Data Sub-processors

PF v1.0 References:

Control is new to this version of the control set.

Control Statement

Define, implement and evaluate processes, procedures and technical measures to disclose the details of any personal or sensitive data access by sub-processors to the data owner prior to initiation of that processing.

Implementation Guidance

The CSP should document and notify the data owner of the data that will be accessed by sub-processors. Information may include, but is not limited to, categories of data, special categories of data, and processing operations.

Auditing Guidance

  1. Examine the organization's contractual requirements and procedures whereby sub-processors will disclose all occasions when personal or sensitive data was accessible by sub-processors prior to initiation of that processing.
  2. Establish whether the organization has documented the roles and responsibilities for this process.
  3. Select a sample of data transfers to sub-processors to establish that the controls and reporting the sub-processor are in place and ensure that these comply with the organization's data privacy and security policy.

Note: A real-life case will be rare. Should it not be possible to follow a real-life case, a theoretical case should be tested to establish that systems, processes, and controls are operating as designed and as agreed with the sub-processor.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.