The CSP must have in place, and describe to CSCs, the procedure for managing and responding to requests for disclosure of Personal Data by Law Enforcement Authorities according to applicable laws and regulations. The CSP must give special attention to the procedure for notifying interested CSCs, unless otherwise prohibited, such as by a prohibition under criminal law intended to preserve the confidentiality of a law enforcement investigation.
The CSP should have a process that describes how to respond to requests by law enforcement authorities, such as a subpoena, official investigations, or legal proceedings initiated by governmental and/or law enforcement officials. This process should be transparent to the interested CSCs unless otherwise prohibited.
- Examine the organization's procedures and technical requirements related to personal data requests from law enforcement authorities.
- Establish that processes and controls comply with the organization's data privacy and security policy.
- Establish whether the organization has documented the roles and responsibilities for this process.
- Select a sample of requests and assess whether such requests have followed the approvals and secure communication processes through to completion. Confirm that all evidence was formally documented.
- Review the organization's data breaches for examples in which this requirement was not followed correctly. Further, confirm that relevant action plans were identified and carried out.
Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.