IPY-04: Data Portability Contractual Obligations

CSF v1.1 References:

Info icon.

Control is new to this version of the control set.

Control Statement

Agreements must include provisions specifying CSCs access to data upon contract termination and will include:

  1. Data format
  2. Length of time the data will be stored
  3. Scope of the data retained and made available to the CSCs
  4. Data deletion policy

Implementation Guidance

N/A (This field is intentionally left blank)

Auditing Guidance

  1. Examine the standard form of contract for offboarding the Cloud Service Consumers.
  2. Determine if non-standard clauses allow the Cloud Service Consumers to waive such rights.
  3. Determine if there are requests for data in unsupported formats.
  4. Examine the policy regarding deletion of resources no longer in the control of a client, and determine if such policy corresponds to the contractual data retention.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.