Authority Document - Unified Compliance

International > International Organization for Standardization

ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition

AD ID

0002421

AD STATUS

ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition

ORIGINATOR

International Organization for Standardization

TYPE

International or National Standard

AVAILABILITY

For Purchase

SYNONYMS

ISO/IEC 27002:2013(E)

ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls

EFFECTIVE

2013-10-01

ADDED

The document as a whole was last reviewed and released on 2016-11-18T00:00:00-0800.

URL

Click here

AD ID

0002421

AD STATUS

For Purchase

ORIGINATOR

International Organization for Standardization

TYPE

International or National Standard

AVAILABILITY

SYNONYMS

ISO/IEC 27002:2013(E)

ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls

EFFECTIVE

2013-10-01

ADDED

The document as a whole was last reviewed and released on 2016-11-18T00:00:00-0800.

URL

Click here

Important Notice

This Authority Document In Depth Report is copyrighted - © 2023 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.

Controls and asociated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of meta data that are associated with each Citation; Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.

Dictionary Terms – The dictionary terms listed for ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition are based upon terms either found within the Authority Document’s defined terms section(which most legal documents have), its glossary, and for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.

Common Controls and
mandates by Impact Zone 160 Mandated Controls - bold
127 Implied Controls - italic 2483 Implementation

Number of Controls

2770 Total

Acquisition or sale of facilities, technology, and services

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Acquisition or sale of facilities, technology, and services CC ID 01123	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain payment and settlement functions for selling products and services. CC ID 13538	Business Processes	Preventive
Establish, implement, and maintain an electronic commerce program. CC ID 08617	Business Processes	Preventive
Establish, implement, and maintain payment transaction security measures. CC ID 13088	Technical Security	Preventive
Protect the integrity of application service transactions. CC ID 12017 [Information involved in application service transactions should be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. § 14.1.3 Control]	Business Processes	Preventive
Acquire products or services. CC ID 11450	Acquisition/Sale of Assets or Services	Preventive
Discourage the modification of vendor-supplied software. CC ID 12016 [Modifications to software packages should be discouraged, limited to necessary changes and all changes should be strictly controlled. § 14.2.4 Control]	Process or Activity	Preventive

Audits and risk management

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Audits and risk management CC ID 00677	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain an audit program. CC ID 00684	Establish/Maintain Documentation	Preventive
Exercise due professional care during the planning and performance of the audit. CC ID 07119 [Audit requirements and activities involving verification of operational systems should be carefully planned and agreed to minimize disruptions to business processes. § 12.7.1 Control]	Behavior	Preventive
Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 [Audit requirements and activities involving verification of operational systems should be carefully planned and agreed to minimize disruptions to business processes. § 12.7.1 Control]	Establish/Maintain Documentation	Preventive
Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077	Establish/Maintain Documentation	Preventive
Include third party assets in the audit scope. CC ID 16504	Audits and Risk Management	Preventive
Include audit subject matter in the audit program. CC ID 07103	Establish/Maintain Documentation	Preventive
Examine the objectivity of the audit criteria in the audit program. CC ID 07104	Establish/Maintain Documentation	Preventive
Examine the measurability of the audit criteria in the audit program. CC ID 07105	Establish/Maintain Documentation	Preventive
Examine the completeness of the audit criteria in the audit program. CC ID 07106	Establish/Maintain Documentation	Preventive
Examine the relevance of the audit criteria in the audit program. CC ID 07107	Establish/Maintain Documentation	Preventive
Determine the appropriateness of the audit subject matter. CC ID 16505	Audits and Risk Management	Preventive
Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116	Establish/Maintain Documentation	Preventive
Include the in scope material or in scope products in the audit program. CC ID 08961	Audits and Risk Management	Preventive
Include in scope information in the audit program. CC ID 16198	Establish/Maintain Documentation	Preventive
Include the out of scope material or out of scope products in the audit program. CC ID 08962	Establish/Maintain Documentation	Preventive
Provide a representation letter in support of the audit assertion. CC ID 07158	Establish/Maintain Documentation	Preventive
Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942	Establish/Maintain Documentation	Preventive
Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934	Establish/Maintain Documentation	Preventive
Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884	Establish/Maintain Documentation	Preventive
Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159	Establish/Maintain Documentation	Preventive
Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160	Establish/Maintain Documentation	Preventive
Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161	Establish/Maintain Documentation	Preventive
Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162	Establish/Maintain Documentation	Preventive
Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163	Establish/Maintain Documentation	Preventive
Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164	Establish/Maintain Documentation	Preventive
Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165	Establish/Maintain Documentation	Preventive
Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899	Establish/Maintain Documentation	Preventive
Establish and maintain audit assertions, as necessary. CC ID 14871	Establish/Maintain Documentation	Detective
Include an in scope system description in the audit assertion. CC ID 14872	Establish/Maintain Documentation	Preventive
Include any assumptions that are improbable in the audit assertion. CC ID 13950	Establish/Maintain Documentation	Preventive
Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969	Establish/Maintain Documentation	Preventive
Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027	Establish/Maintain Documentation	Preventive
Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970	Establish/Maintain Documentation	Preventive
Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949	Establish/Maintain Documentation	Preventive
Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028	Establish/Maintain Documentation	Preventive
Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971	Establish/Maintain Documentation	Preventive
Include the in scope procedures in the audit assertion. CC ID 06972	Establish/Maintain Documentation	Preventive
Include the in scope records produced in the audit assertion. CC ID 06968	Establish/Maintain Documentation	Preventive
Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973	Establish/Maintain Documentation	Preventive
Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991	Establish/Maintain Documentation	Preventive
Include the in scope controls and compliance documents in the audit assertion. CC ID 06974	Establish/Maintain Documentation	Preventive
Include the in scope risk assessment processes in the audit assertion. CC ID 06975	Establish/Maintain Documentation	Preventive
Include in scope change controls in the audit assertion. CC ID 06976	Establish/Maintain Documentation	Preventive
Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989	Establish/Maintain Documentation	Preventive
Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967	Establish/Maintain Documentation	Preventive
Include the scope for the desired level of assurance in the audit program. CC ID 12793	Communicate	Preventive
Include conditions that might require modification of the audit program in the audit terms. CC ID 07149	Establish/Maintain Documentation	Preventive
Include how access to in scope systems, personnel and in scope records are provided to the auditor in the audit terms. CC ID 06988	Establish/Maintain Documentation	Preventive
Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795	Audits and Risk Management	Preventive
Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794	Establish/Maintain Documentation	Preventive
Include the expectations for the audit report in the audit terms. CC ID 07148	Establish/Maintain Documentation	Preventive
Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888	Establish/Maintain Documentation	Preventive
Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896	Establish/Maintain Documentation	Corrective
Establish, implement, and maintain a risk management program. CC ID 12051	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain the risk assessment framework. CC ID 00685	Establish/Maintain Documentation	Preventive
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686	Audits and Risk Management	Preventive
Analyze and quantify the risks to in scope systems and information. CC ID 00701	Audits and Risk Management	Preventive
Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703	Audits and Risk Management	Preventive
Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 [{technical vulnerabilities} Information about technical vulnerabilities of information systems being used should be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk. § 12.6.1 Control]	Audits and Risk Management	Detective
Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 [{technical vulnerabilities} Information about technical vulnerabilities of information systems being used should be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk. § 12.6.1 Control]	Establish/Maintain Documentation	Corrective
Review and approve the risk assessment findings. CC ID 06485	Establish/Maintain Documentation	Preventive

Human Resources management

113

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Human Resources management CC ID 00763	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain a personnel management program. CC ID 14018	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a personnel security program. CC ID 10628	Establish/Maintain Documentation	Preventive
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782	Testing	Detective
Establish, implement, and maintain personnel screening procedures. CC ID 11700	Establish/Maintain Documentation	Preventive
Perform a background check during personnel screening. CC ID 11758 [Background verification checks on all candidates for employment should be carried out in accordance with relevant laws, regulations and ethics and should be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. § 7.1.1 Control Background verification checks on all candidates for employment should be carried out in accordance with relevant laws, regulations and ethics and should be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. § 7.1.1 Control]	Human Resources Management	Detective
Perform a personal identification check during personnel screening. CC ID 06721	Human Resources Management	Preventive
Perform a criminal records check during personnel screening. CC ID 06643	Establish/Maintain Documentation	Preventive
Include all residences in the criminal records check. CC ID 13306	Process or Activity	Preventive
Document any reasons a full criminal records check could not be performed. CC ID 13305	Establish/Maintain Documentation	Preventive
Perform a personal references check during personnel screening. CC ID 06645	Human Resources Management	Preventive
Perform a credit check during personnel screening. CC ID 06646	Human Resources Management	Preventive
Perform an academic records check during personnel screening. CC ID 06647	Establish/Maintain Documentation	Preventive
Perform a drug test during personnel screening. CC ID 06648	Testing	Preventive
Perform a resume check during personnel screening. CC ID 06659	Human Resources Management	Preventive
Perform a curriculum vitae check during personnel screening. CC ID 06660	Human Resources Management	Preventive
Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549 [Information security responsibilities and duties that remain valid after termination or change of employment should be defined, communicated to the employee or contractor and enforced. § 7.3.1 Control]	Establish/Maintain Documentation	Preventive
Terminate user accounts when notified that an individual is terminated. CC ID 11614	Technical Security	Corrective
Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826 [The access rights of all employees and external party users to information and information processing facilities should be removed upon termination of their employment, contract or agreement, or adjusted upon change. § 9.2.6 Control]	Technical Security	Corrective
Assign an owner of the personnel status change and termination procedures. CC ID 11805	Human Resources Management	Preventive
Deny access to restricted data or restricted information when a personnel status change occurs or an individual is terminated. CC ID 01309	Data and Information Management	Corrective
Notify the security manager, in writing, prior to an employee's job change. CC ID 12283	Human Resources Management	Preventive
Notify all interested personnel and affected parties when personnel status changes or an individual is terminated. CC ID 06677	Behavior	Preventive
Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630 [Information security responsibilities and duties that remain valid after termination or change of employment should be defined, communicated to the employee or contractor and enforced. § 7.3.1 Control]	Communicate	Preventive
Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992 [Information security responsibilities and duties that remain valid after termination or change of employment should be defined, communicated to the employee or contractor and enforced. § 7.3.1 Control]	Human Resources Management	Preventive
Update contact information of any individual undergoing a personnel status change, as necessary. CC ID 12692	Human Resources Management	Corrective
Disseminate and communicate the personnel status change and termination procedures to all interested personnel and affected parties. CC ID 06676	Behavior	Preventive
Conduct exit interviews upon termination of employment. CC ID 14290	Human Resources Management	Preventive
Require terminated individuals to sign an acknowledgment of post-employment requirements. CC ID 10631	Establish/Maintain Documentation	Preventive
Verify completion of each activity in the employee termination checklist when an individual is terminated. CC ID 12449	Human Resources Management	Detective
Train all personnel and third parties, as necessary. CC ID 00785 [{security awareness, training, and education} All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function. § 7.2.2 Control {security awareness, training, and education} All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function. § 7.2.2 Control]	Behavior	Preventive
Establish, implement, and maintain an education methodology. CC ID 06671	Business Processes	Preventive
Support certification programs as viable training programs. CC ID 13268	Human Resources Management	Preventive
Include evidence of experience in applications for professional certification. CC ID 16193	Establish/Maintain Documentation	Preventive
Include supporting documentation in applications for professional certification. CC ID 16195	Establish/Maintain Documentation	Preventive
Submit applications for professional certification. CC ID 16192	Training	Preventive
Retrain all personnel, as necessary. CC ID 01362 [{security awareness, training, and education} All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function. § 7.2.2 Control {security awareness, training, and education} All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function. § 7.2.2 Control]	Behavior	Preventive
Tailor training to meet published guidance on the subject being taught. CC ID 02217	Behavior	Preventive
Tailor training to be taught at each person's level of responsibility. CC ID 06674	Behavior	Preventive
Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786	Behavior	Preventive
Document all training in a training record. CC ID 01423	Establish/Maintain Documentation	Detective
Use automated mechanisms in the training environment, where appropriate. CC ID 06752	Behavior	Preventive
Conduct tests and evaluate training. CC ID 06672	Testing	Detective
Hire third parties to conduct training, as necessary. CC ID 13167	Human Resources Management	Preventive
Review the current published guidance and awareness and training programs. CC ID 01245	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain training plans. CC ID 00828	Establish/Maintain Documentation	Preventive
Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383	Training	Detective
Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387	Training	Preventive
Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386	Training	Preventive
Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385	Training	Detective
Develop or acquire content to update the training plans. CC ID 12867	Training	Preventive
Designate training facilities in the training plan. CC ID 16200	Training	Preventive
Include portions of the visitor control program in the training plan. CC ID 13287	Establish/Maintain Documentation	Preventive
Include ethical culture in the training plan, as necessary. CC ID 12801	Human Resources Management	Preventive
Include in scope external requirements in the training plan, as necessary. CC ID 13041	Training	Preventive
Include duties and responsibilities in the training plan, as necessary. CC ID 12800	Human Resources Management	Preventive
Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192	Training	Preventive
Include risk management in the training plan, as necessary. CC ID 13040	Training	Preventive
Conduct Archives and Records Management training. CC ID 00975	Behavior	Preventive
Conduct personal data processing training. CC ID 13757	Training	Preventive
Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758	Training	Preventive
Include the cloud service usage standard in the training plan. CC ID 13039	Training	Preventive
Establish, implement, and maintain a security awareness program. CC ID 11746	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a security awareness and training policy. CC ID 14022	Establish/Maintain Documentation	Preventive
Include compliance requirements in the security awareness and training policy. CC ID 14092	Establish/Maintain Documentation	Preventive
Include coordination amongst entities in the security awareness and training policy. CC ID 14091	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain security awareness and training procedures. CC ID 14054	Establish/Maintain Documentation	Preventive
Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138	Communicate	Preventive
Include management commitment in the security awareness and training policy. CC ID 14049	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the security awareness and training policy. CC ID 14048	Establish/Maintain Documentation	Preventive
Include the scope in the security awareness and training policy. CC ID 14047	Establish/Maintain Documentation	Preventive
Include the purpose in the security awareness and training policy. CC ID 14045	Establish/Maintain Documentation	Preventive
Include configuration management procedures in the security awareness program. CC ID 13967	Establish/Maintain Documentation	Preventive
Include media protection in the security awareness program. CC ID 16368	Training	Preventive
Document security awareness requirements. CC ID 12146	Establish/Maintain Documentation	Preventive
Include safeguards for information systems in the security awareness program. CC ID 13046	Establish/Maintain Documentation	Preventive
Include security policies and security standards in the security awareness program. CC ID 13045	Establish/Maintain Documentation	Preventive
Include physical security in the security awareness program. CC ID 16369	Training	Preventive
Include mobile device security guidelines in the security awareness program. CC ID 11803	Establish/Maintain Documentation	Preventive
Include updates on emerging issues in the security awareness program. CC ID 13184	Training	Preventive
Include cybersecurity in the security awareness program. CC ID 13183	Training	Preventive
Include implications of non-compliance in the security awareness program. CC ID 16425	Training	Preventive
Include the acceptable use policy in the security awareness program. CC ID 15487	Training	Preventive
Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802	Establish/Maintain Documentation	Preventive
Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800	Establish/Maintain Documentation	Preventive
Include remote access in the security awareness program. CC ID 13892	Establish/Maintain Documentation	Preventive
Document the goals of the security awareness program. CC ID 12145	Establish/Maintain Documentation	Preventive
Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150	Establish/Maintain Documentation	Preventive
Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151	Human Resources Management	Preventive
Establish and maintain a steering committee to guide the security awareness program. CC ID 12149	Human Resources Management	Preventive
Document the scope of the security awareness program. CC ID 12148	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a security awareness baseline. CC ID 12147	Establish/Maintain Documentation	Preventive
Encourage interested personnel to obtain security certification. CC ID 11804	Human Resources Management	Preventive
Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823	Behavior	Preventive
Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 [Employees and contractors using the organization’s information systems and services should be required to note and report any observed or suspected information security weaknesses in systems or services. § 16.1.3 Control]	Behavior	Preventive
Train all personnel and third parties on how to recognize and report system failures. CC ID 13475	Training	Preventive
Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 [Management should require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization. § 7.2.1 Control]	Establish/Maintain Documentation	Preventive
Monitor and measure the effectiveness of security awareness. CC ID 06262	Monitor and Evaluate Occurrences	Detective
Establish, implement, and maintain an environmental management system awareness program. CC ID 15200	Establish/Maintain Documentation	Preventive
Conduct secure coding and development training for developers. CC ID 06822	Behavior	Corrective
Conduct tampering prevention training. CC ID 11875	Training	Preventive
Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877	Training	Preventive
Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876	Training	Preventive
Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879	Training	Preventive
Include how to prevent physical tampering in the tampering prevention training. CC ID 11878	Training	Preventive
Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990	Training	Preventive
Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658	Training	Preventive
Conduct crime prevention training. CC ID 06350	Behavior	Preventive
Analyze and evaluate training records to improve the training program. CC ID 06380	Monitor and Evaluate Occurrences	Detective
Establish, implement, and maintain a Code of Conduct. CC ID 04897	Establish/Maintain Documentation	Preventive
Include the information security responsibilities of the organization and the individual in the Terms and Conditions of employment. CC ID 12029 [The contractual agreements with employees and contractors should state their and the organization’s responsibilities for information security. § 7.1.2 Control]	Human Resources Management	Preventive
Implement a sanctions process for personnel who fail to comply to the organizational compliance program. CC ID 01442 [{implement} There should be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach. § 7.2.3 Control]	Behavior	Corrective
Notify designated personnel when a formal personnel sanctions process is initiated. CC ID 10632	Communicate	Preventive

Leadership and high level objectives

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Leadership and high level objectives CC ID 00597	IT Impact Zone	IT Impact Zone
Analyze organizational objectives, functions, and activities. CC ID 00598	Monitor and Evaluate Occurrences	Preventive
Establish, implement, and maintain organizational objectives. CC ID 09959	Establish/Maintain Documentation	Preventive
Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398	Establish/Maintain Documentation	Preventive
Review the organization's approach to managing information security, as necessary. CC ID 12005 [The organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) should be reviewed independently at planned intervals or when significant changes occur. § 18.2.1 Control]	Business Processes	Preventive
Establish, implement, and maintain an information classification standard. CC ID 00601	Establish/Maintain Documentation	Preventive
Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 [Information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification. § 8.2.1 Control]	Data and Information Management	Preventive
Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 [Information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification. § 8.2.1 Control]	Data and Information Management	Preventive
Classify the value of information in the information classification standard. CC ID 11995 [Information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification. § 8.2.1 Control]	Data and Information Management	Preventive
Classify the legal requirements of information in the information classification standard. CC ID 11994 [Information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification. § 8.2.1 Control]	Data and Information Management	Preventive
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241	Establish/Maintain Documentation	Preventive
Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688 [Assets associated with information and information processing facilities should be identified and an inventory of these assets should be drawn up and maintained. § 8.1.1 Control All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements should be explicitly identified, documented and kept up to date for each information system and the organization. § 18.1.1 Control All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements should be explicitly identified, documented and kept up to date for each information system and the organization. § 18.1.1 Control]	Business Processes	Preventive
Establish and maintain an Information Systems Assurance Categories Definitions document. CC ID 01608	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a policy and procedure management program. CC ID 06285	Establish/Maintain Documentation	Preventive
Establish and maintain an Authority Document list. CC ID 07113 [All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements should be explicitly identified, documented and kept up to date for each information system and the organization. § 18.1.1 Control All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements should be explicitly identified, documented and kept up to date for each information system and the organization. § 18.1.1 Control]	Establish/Maintain Documentation	Preventive
Map in scope assets and in scope records to external requirements. CC ID 12189	Establish/Maintain Documentation	Detective
Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636	Establish/Maintain Documentation	Preventive
Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901	Communicate	Preventive
Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312	Establish/Maintain Documentation	Preventive
Classify controls according to their preventive, detective, or corrective status. CC ID 06436	Establish/Maintain Documentation	Preventive
Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727	Establish/Maintain Documentation	Preventive
Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778	Establish/Maintain Documentation	Preventive
Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771	Establish/Maintain Documentation	Corrective
Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the Statement on Internal Control CC ID 14774	Establish/Maintain Documentation	Preventive
Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866	Establish/Maintain Documentation	Preventive
Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773	Establish/Maintain Documentation	Preventive
Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772	Establish/Maintain Documentation	Preventive
Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867	Establish/Maintain Documentation	Detective
Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956	Establish Roles	Preventive
Define the Information Assurance strategic roles and responsibilities. CC ID 00608	Establish Roles	Preventive
Establish and maintain a compliance oversight committee. CC ID 00765	Establish Roles	Detective
Address Information Security during the business planning processes. CC ID 06495 [Information security should be addressed in project management, regardless of the type of the project. § 6.1.5 Control]	Data and Information Management	Preventive
Document the requirements of stakeholders during the business planning process regarding Information Security. CC ID 06498	Establish/Maintain Documentation	Preventive

Monitoring and measurement

119

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Monitoring and measurement CC ID 00636	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain logging and monitoring operations. CC ID 00637 [Event logs recording user activities, exceptions, faults and information security events should be produced, kept and regularly reviewed. § 12.4.1 Control]	Log Management	Detective
Establish, implement, and maintain an audit and accountability policy. CC ID 14035	Establish/Maintain Documentation	Preventive
Include compliance requirements in the audit and accountability policy. CC ID 14103	Establish/Maintain Documentation	Preventive
Include coordination amongst entities in the audit and accountability policy. CC ID 14102	Establish/Maintain Documentation	Preventive
Include the purpose in the audit and accountability policy. CC ID 14100	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the audit and accountability policy. CC ID 14098	Establish/Maintain Documentation	Preventive
Include management commitment in the audit and accountability policy. CC ID 14097	Establish/Maintain Documentation	Preventive
Include the scope in the audit and accountability policy. CC ID 14096	Establish/Maintain Documentation	Preventive
Disseminate and communicate the audit and accountability policy to interested personnel and affected parties. CC ID 14095	Communicate	Preventive
Establish, implement, and maintain audit and accountability procedures. CC ID 14057	Establish/Maintain Documentation	Preventive
Disseminate and communicate the audit and accountability procedures to interested personnel and affected parties. CC ID 14137	Communicate	Preventive
Enable monitoring and logging operations on all assets that meet the organizational criteria to maintain event logs. CC ID 06312 [Event logs recording user activities, exceptions, faults and information security events should be produced, kept and regularly reviewed. § 12.4.1 Control]	Log Management	Preventive
Review and approve the use of continuous security management systems. CC ID 13181	Process or Activity	Preventive
Protect continuous security management systems from unauthorized use. CC ID 13097	Configuration	Preventive
Monitor and evaluate system telemetry data. CC ID 14929	Actionable Reports or Measurements	Detective
Establish, implement, and maintain an intrusion detection and prevention program. CC ID 15211	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain intrusion management operations. CC ID 00580	Monitor and Evaluate Occurrences	Preventive
Establish, implement, and maintain an intrusion detection and prevention policy. CC ID 15169	Establish/Maintain Documentation	Preventive
Install and maintain an Intrusion Detection System and/or Intrusion Prevention System. CC ID 00581	Configuration	Preventive
Protect each person's right to privacy and civil liberties during intrusion management operations. CC ID 10035	Behavior	Preventive
Do not intercept communications of any kind when providing a service to clients. CC ID 09985	Behavior	Preventive
Determine if honeypots should be installed, and if so, where the honeypots should be placed. CC ID 00582	Technical Security	Detective
Monitor systems for inappropriate usage and other security violations. CC ID 00585	Monitor and Evaluate Occurrences	Detective
Monitor systems for blended attacks and multiple component incidents. CC ID 01225	Monitor and Evaluate Occurrences	Detective
Monitor systems for Denial of Service attacks. CC ID 01222	Monitor and Evaluate Occurrences	Detective
Monitor systems for unauthorized data transfers. CC ID 12971	Monitor and Evaluate Occurrences	Preventive
Address operational anomalies within the incident management system. CC ID 11633	Audits and Risk Management	Preventive
Monitor systems for access to restricted data or restricted information. CC ID 04721	Monitor and Evaluate Occurrences	Detective
Assign roles and responsibilities for overseeing access to restricted data or restricted information. CC ID 11950	Human Resources Management	Detective
Detect unauthorized access to systems. CC ID 06798	Monitor and Evaluate Occurrences	Detective
Incorporate potential red flags into the organization's incident management system. CC ID 04652	Monitor and Evaluate Occurrences	Detective
Incorporate an Identity Theft Prevention Program into the organization's incident management system. CC ID 11634	Audits and Risk Management	Preventive
Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430	Monitor and Evaluate Occurrences	Detective
Alert interested personnel and affected parties when an incident causes an outage. CC ID 06808	Monitor and Evaluate Occurrences	Detective
Monitor systems for unauthorized mobile code. CC ID 10034	Monitor and Evaluate Occurrences	Preventive
Update the intrusion detection capabilities and the incident response capabilities regularly. CC ID 04653	Technical Security	Preventive
Implement honeyclients to proactively seek for malicious websites and malicious code. CC ID 10658	Technical Security	Preventive
Implement detonation chambers, where appropriate. CC ID 10670	Technical Security	Preventive
Define and assign log management roles and responsibilities. CC ID 06311	Establish Roles	Preventive
Document and communicate the log locations to the owning entity. CC ID 12047	Log Management	Preventive
Make logs available for review by the owning entity. CC ID 12046	Log Management	Preventive
Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638	Log Management	Detective
Establish, implement, and maintain an event logging policy. CC ID 15217	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain event logging procedures. CC ID 01335	Log Management	Detective
Include the system components that generate audit records in the event logging procedures. CC ID 16426	Data and Information Management	Preventive
Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643	Log Management	Preventive
Protect the event logs from failure. CC ID 06290	Log Management	Preventive
Overwrite the oldest records when audit logging fails. CC ID 14308	Data and Information Management	Preventive
Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427	Testing	Preventive
Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774	Establish/Maintain Documentation	Corrective
Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424	Audits and Risk Management	Preventive
Review and update event logs and audit logs, as necessary. CC ID 00596 [System administrator and system operator activities should be logged and the logs protected and regularly reviewed. § 12.4.3 Control Event logs recording user activities, exceptions, faults and information security events should be produced, kept and regularly reviewed. § 12.4.1 Control]	Log Management	Detective
Eliminate false positives in event logs and audit logs. CC ID 07047	Log Management	Corrective
Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207	Log Management	Detective
Identify cybersecurity events in event logs and audit logs. CC ID 13206	Technical Security	Detective
Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925	Investigate	Corrective
Reproduce the event log if a log failure is captured. CC ID 01426	Log Management	Preventive
Document the event information to be logged in the event information log specification. CC ID 00639	Configuration	Preventive
Enable logging for all systems that meet a traceability criteria. CC ID 00640	Log Management	Detective
Enable the logging capability to capture enough information to ensure the system is functioning according to its intended purpose throughout its life cycle. CC ID 15001	Configuration	Preventive
Enable and configure logging on all network access controls. CC ID 01963	Configuration	Preventive
Analyze firewall logs for the correct capturing of data. CC ID 00549	Log Management	Detective
Synchronize system clocks to an accurate and universal time source on all devices. CC ID 01340 [The clocks of all relevant information processing systems within an organization or security domain should be synchronised to a single reference time source. § 12.4.4 Control]	Configuration	Preventive
Centralize network time servers to as few as practical. CC ID 06308	Configuration	Preventive
Disseminate and communicate information to customers about clock synchronization methods used by the organization. CC ID 13044	Communicate	Preventive
Define the frequency to capture and log events. CC ID 06313	Log Management	Preventive
Include logging frequencies in the event logging procedures. CC ID 00642	Log Management	Preventive
Review and update the list of auditable events in the event logging procedures. CC ID 10097	Establish/Maintain Documentation	Preventive
Monitor and evaluate system performance. CC ID 00651	Monitor and Evaluate Occurrences	Detective
Disseminate and communicate monitoring capabilities with interested personnel and affected parties. CC ID 13156	Communicate	Preventive
Disseminate and communicate statistics on resource usage with interested personnel and affected parties. CC ID 13155	Communicate	Preventive
Monitor for and react to when suspicious activities are detected. CC ID 00586	Monitor and Evaluate Occurrences	Detective
Erase payment applications when suspicious activity is confirmed. CC ID 12193	Technical Security	Corrective
Report a data loss event when non-truncated payment card numbers are outputted. CC ID 04741	Establish/Maintain Documentation	Corrective
Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of electronic information. CC ID 04727	Monitor and Evaluate Occurrences	Corrective
Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of printed records. CC ID 04728	Monitor and Evaluate Occurrences	Corrective
Report a data loss event after a security incident is detected and there are indications that the unauthorized person has accessed information in either paper or electronic form. CC ID 04740	Monitor and Evaluate Occurrences	Corrective
Report a data loss event after a security incident is detected and there are indications that the information has been or will likely be used in an unauthorized manner. CC ID 04729	Monitor and Evaluate Occurrences	Corrective
Report a data loss event after a security incident is detected and there are indications that the information has been or will likely be used in an unauthorized manner that could cause substantial economic impact. CC ID 04742	Monitor and Evaluate Occurrences	Corrective
Establish, implement, and maintain network monitoring operations. CC ID 16444	Monitor and Evaluate Occurrences	Preventive
Monitor and evaluate the effectiveness of detection tools. CC ID 13505	Investigate	Detective
Monitor and review retail payment activities, as necessary. CC ID 13541	Monitor and Evaluate Occurrences	Detective
Determine if high rates of retail payment activities are from Originating Depository Financial Institutions. CC ID 13546	Investigate	Detective
Review retail payment service reports, as necessary. CC ID 13545	Investigate	Detective
Assess customer satisfaction. CC ID 00652	Testing	Detective
Establish, implement, and maintain a continuous monitoring program for configuration management. CC ID 06757	Establish/Maintain Documentation	Detective
Include the correlation and analysis of information obtained during testing in the continuous monitoring program. CC ID 14250	Process or Activity	Detective
Establish, implement, and maintain an automated configuration monitoring system. CC ID 07058	Monitor and Evaluate Occurrences	Detective
Monitor for and report when a software configuration is updated. CC ID 06746	Monitor and Evaluate Occurrences	Detective
Notify the appropriate personnel when the software configuration is updated absent authorization. CC ID 04886	Monitor and Evaluate Occurrences	Detective
Monitor for firmware updates absent authorization. CC ID 10675	Monitor and Evaluate Occurrences	Detective
Implement file integrity monitoring. CC ID 01205	Monitor and Evaluate Occurrences	Detective
Identify unauthorized modifications during file integrity monitoring. CC ID 12096	Technical Security	Detective
Monitor for software configurations updates absent authorization. CC ID 10676	Monitor and Evaluate Occurrences	Preventive
Allow expected changes during file integrity monitoring. CC ID 12090	Technical Security	Preventive
Monitor for when documents are being updated absent authorization. CC ID 10677	Monitor and Evaluate Occurrences	Preventive
Include a change history and identify who made the changes in the file integrity monitoring report. CC ID 12091	Establish/Maintain Documentation	Preventive
Alert interested personnel and affected parties when an unauthorized modification to critical files is detected. CC ID 12045	Process or Activity	Preventive
Monitor and evaluate user account activity. CC ID 07066	Monitor and Evaluate Occurrences	Detective
Develop and maintain a usage profile for each user account. CC ID 07067	Technical Security	Preventive
Log account usage to determine dormant accounts. CC ID 12118	Log Management	Detective
Log account usage times. CC ID 07099	Log Management	Detective
Generate daily reports of user logons during hours outside of their usage profile. CC ID 07068	Monitor and Evaluate Occurrences	Detective
Generate daily reports of users who have grossly exceeded their usage profile logon duration. CC ID 07069	Monitor and Evaluate Occurrences	Detective
Log account usage durations. CC ID 12117	Monitor and Evaluate Occurrences	Detective
Notify the appropriate personnel after identifying dormant accounts. CC ID 12125	Communicate	Detective
Log Internet Protocol addresses used during logon. CC ID 07100	Log Management	Detective
Report red flags when logon credentials are used on a computer different from the one in the usage profile. CC ID 07070	Monitor and Evaluate Occurrences	Detective
Report inappropriate usage of user accounts to the appropriate personnel. CC ID 14243	Communicate	Detective
Establish, implement, and maintain a testing program. CC ID 00654	Behavior	Preventive
Establish, implement, and maintain a vulnerability management program. CC ID 15721	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a vulnerability assessment program. CC ID 11636	Establish/Maintain Documentation	Preventive
Perform vulnerability scans, as necessary. CC ID 11637	Technical Security	Detective
Identify and document security vulnerabilities. CC ID 11857 [{technical vulnerabilities} Information about technical vulnerabilities of information systems being used should be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk. § 12.6.1 Control]	Technical Security	Detective
Rank discovered vulnerabilities. CC ID 11940	Investigate	Detective
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a log management program. CC ID 00673	Establish/Maintain Documentation	Preventive
Protect logs from unauthorized activity. CC ID 01345 [System administrator and system operator activities should be logged and the logs protected and regularly reviewed. § 12.4.3 Control Logging facilities and log information should be protected against tampering and unauthorized access. § 12.4.2 Control]	Log Management	Preventive

Operational and Systems Continuity

100

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Operational and Systems Continuity CC ID 00731	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain a business continuity program. CC ID 13210	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a continuity framework. CC ID 00732	Establish/Maintain Documentation	Preventive
Establish and maintain the scope of the continuity framework. CC ID 11908 [{scope} The organization should determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster. § 17.1.1 Control]	Establish/Maintain Documentation	Preventive
Identify all stakeholders critical to the continuity of operations. CC ID 12741	Systems Continuity	Detective
Include network security in the scope of the continuity framework. CC ID 16327	Establish/Maintain Documentation	Preventive
Explain any exclusions to the scope of the continuity framework. CC ID 12236	Establish/Maintain Documentation	Preventive
Refrain from including exclusions that could affect business continuity. CC ID 12740	Records Management	Preventive
Include the organization's business products and services in the scope of the continuity framework. CC ID 12235	Establish/Maintain Documentation	Preventive
Include business units in the scope of the continuity framework. CC ID 11898	Establish/Maintain Documentation	Preventive
Include business functions in the scope of the continuity framework. CC ID 12699	Establish/Maintain Documentation	Preventive
Include information security continuity in the scope of the continuity framework. CC ID 12009	Systems Continuity	Preventive
Include affected party’s needs and interests in the scope of the continuity framework. CC ID 12698	Systems Continuity	Preventive
Establish and maintain a list of interested personnel and affected parties with whom to disseminate and communicate the continuity framework. CC ID 12242	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a continuity plan. CC ID 00752 [The organization should establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation. § 17.1.2 Control]	Establish/Maintain Documentation	Preventive
Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373	Systems Continuity	Corrective
Identify all stakeholders in the continuity plan. CC ID 13256	Establish/Maintain Documentation	Preventive
Report changes in the continuity plan to senior management. CC ID 12757	Communicate	Corrective
Maintain normal security levels when an emergency occurs. CC ID 06377	Systems Continuity	Preventive
Execute fail-safe procedures when an emergency occurs. CC ID 07108	Systems Continuity	Preventive
Lead or manage business continuity and system continuity, as necessary. CC ID 12240	Human Resources Management	Preventive
Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234	Establish/Maintain Documentation	Preventive
Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993	Establish/Maintain Documentation	Preventive
Allocate personnel to implement the continuity plan, as necessary. CC ID 12992	Human Resources Management	Preventive
Include the in scope system's location in the continuity plan. CC ID 16246	Systems Continuity	Preventive
Include the system description in the continuity plan. CC ID 16241	Systems Continuity	Preventive
Establish, implement, and maintain redundant systems. CC ID 16354	Configuration	Preventive
Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093	Behavior	Preventive
Include identification procedures in the continuity plan, as necessary. CC ID 14372	Establish/Maintain Documentation	Preventive
Include the continuity strategy in the continuity plan. CC ID 13189	Establish/Maintain Documentation	Preventive
Restore systems and environments to be operational. CC ID 13476	Systems Continuity	Corrective
Document and use the lessons learned to update the continuity plan. CC ID 10037	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254	Establish/Maintain Documentation	Preventive
Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605	Technical Security	Preventive
Monitor and evaluate business continuity management system performance. CC ID 12410	Monitor and Evaluate Occurrences	Detective
Coordinate continuity planning with governmental entities, as necessary. CC ID 13258	Process or Activity	Preventive
Record business continuity management system performance for posterity. CC ID 12411	Monitor and Evaluate Occurrences	Preventive
Coordinate continuity planning with community organizations, as necessary. CC ID 13259	Process or Activity	Preventive
Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242	Establish/Maintain Documentation	Preventive
Include incident management procedures in the continuity plan. CC ID 13244	Establish/Maintain Documentation	Preventive
Include the use of virtual meeting tools in the continuity plan. CC ID 14390	Establish/Maintain Documentation	Preventive
Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057	Establish/Maintain Documentation	Preventive
Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775	Establish/Maintain Documentation	Preventive
Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233	Establish Roles	Preventive
Establish, implement, and maintain the continuity procedures. CC ID 14236	Establish/Maintain Documentation	Corrective
Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055	Communicate	Preventive
Document the uninterrupted power requirements for all in scope systems. CC ID 06707	Establish/Maintain Documentation	Preventive
Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725	Configuration	Preventive
Install a generator sized to support the facility. CC ID 06709	Configuration	Preventive
Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376	Acquisition/Sale of Assets or Services	Preventive
Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371	Establish/Maintain Documentation	Preventive
Include notifications to alternate facilities in the continuity plan. CC ID 13220	Establish/Maintain Documentation	Preventive
Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778	Systems Continuity	Preventive
Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain the organization's call tree. CC ID 01167	Testing	Detective
Establish, implement, and maintain damage assessment procedures. CC ID 01267	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a recovery plan. CC ID 13288	Establish/Maintain Documentation	Preventive
Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302	Communicate	Preventive
Include procedures to restore network connectivity in the recovery plan. CC ID 16250	Establish/Maintain Documentation	Preventive
Include addressing backup failures in the recovery plan. CC ID 13298	Establish/Maintain Documentation	Preventive
Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297	Establish/Maintain Documentation	Preventive
Include the roles and responsibilities of responders in the recovery plan. CC ID 13296	Human Resources Management	Preventive
Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295	Establish/Maintain Documentation	Preventive
Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294	Establish/Maintain Documentation	Preventive
Include the criteria for activation in the recovery plan. CC ID 13293	Establish/Maintain Documentation	Preventive
Include escalation procedures in the recovery plan. CC ID 16248	Establish/Maintain Documentation	Preventive
Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292	Establish/Maintain Documentation	Preventive
Determine the cause for the activation of the recovery plan. CC ID 13291	Investigate	Detective
Test the recovery plan, as necessary. CC ID 13290	Testing	Detective
Test the backup information, as necessary. CC ID 13303	Testing	Detective
Document lessons learned from testing the recovery plan or an actual event. CC ID 13301	Establish/Maintain Documentation	Detective
Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859	Communicate	Preventive
Include restoration procedures in the continuity plan. CC ID 01169	Establish Roles	Preventive
Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166	Establish/Maintain Documentation	Preventive
Include the recovery plan in the continuity plan. CC ID 01377	Establish/Maintain Documentation	Preventive
Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758	Communicate	Preventive
Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662	Systems Continuity	Preventive
Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663	Systems Continuity	Preventive
Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664	Systems Continuity	Preventive
Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665	Systems Continuity	Corrective
Establish, implement, and maintain system continuity plan strategies. CC ID 00735	Establish/Maintain Documentation	Preventive
Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258 [Backup copies of information, software and system images should be taken and tested regularly in accordance with an agreed backup policy. § 12.3.1 Control]	Systems Continuity	Preventive
Determine which data elements to back up. CC ID 13483	Data and Information Management	Detective
Document the backup method and backup frequency on a case-by-case basis in the backup procedures. CC ID 01384	Systems Continuity	Preventive
Establish and maintain off-site electronic media storage facilities. CC ID 00957	Physical and Environmental Protection	Preventive
Separate the off-site electronic media storage facilities from the primary facility through geographic separation. CC ID 01390	Testing	Detective
Configure the off-site electronic media storage facilities to utilize timely and effective recovery operations. CC ID 01392	Configuration	Preventive
Outline explicit mitigation actions for potential off-site electronic media storage facilities accessibility issues for when area-wide disruptions occur or area-wide disasters occur. CC ID 01393	Establish/Maintain Documentation	Preventive
Review the security of the off-site electronic media storage facilities, as necessary. CC ID 00573	Systems Continuity	Detective
Store backup media at an off-site electronic media storage facility. CC ID 01332	Data and Information Management	Preventive
Transport backup media in lockable electronic media storage containers. CC ID 01264	Data and Information Management	Preventive
Store backup media in a fire-rated container which is not collocated with the operational system. CC ID 14289	Systems Continuity	Preventive
Identify the access methods for backup media at both the primary facility and the off-site electronic media storage facility. CC ID 01257	Data and Information Management	Preventive
Store backup vital records in a manner that is accessible for emergency retrieval. CC ID 12765	Systems Continuity	Preventive
Establish, implement, and maintain security controls to protect offsite data. CC ID 16259	Data and Information Management	Preventive
Perform backup procedures for in scope systems. CC ID 11692	Process or Activity	Preventive
Test backup media for media integrity and information integrity, as necessary. CC ID 01401 [Backup copies of information, software and system images should be taken and tested regularly in accordance with an agreed backup policy. § 12.3.1 Control]	Testing	Detective
Test backup media at the alternate facility in addition to testing at the primary facility. CC ID 06375	Testing	Detective
Validate information security continuity controls regularly. CC ID 12008 [The organization should verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations. § 17.1.3 Control]	Systems Continuity	Preventive

Operational management

384

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Operational management CC ID 00805	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain a capacity management plan. CC ID 11751	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain future system capacity forecasting methods. CC ID 01617 [The use of resources should be monitored, tuned and projections made of future capacity requirements to ensure the required system performance. § 12.1.3 Control]	Business Processes	Preventive
Align critical Information Technology resource availability planning with capacity planning. CC ID 01618	Business Processes	Preventive
LImit any effects of a Denial of Service attack. CC ID 06754 [Information processing facilities should be implemented with redundancy sufficient to meet availability requirements. § 17.2.1 Control]	Technical Security	Preventive
Implement network redundancy, as necessary. CC ID 13048	Systems Continuity	Preventive
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an internal control framework. CC ID 00820	Establish/Maintain Documentation	Preventive
Measure policy compliance when reviewing the internal control framework. CC ID 06442 [{security standards} Managers should regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. § 18.2.2 Control {security standards} Managers should regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. § 18.2.2 Control]	Actionable Reports or Measurements	Corrective
Include security information sharing procedures in the internal control framework. CC ID 06489	Establish/Maintain Documentation	Preventive
Share relevant security information with Special Interest Groups, as necessary. CC ID 11732 [Appropriate contacts with special interest groups or other specialist security forums and professional associations should be maintained. § 6.1.4 Control]	Communicate	Preventive
Include security incident response procedures in the internal control framework. CC ID 01359 [{management procedures} Management responsibilities and procedures should be established to ensure a quick, effective and orderly response to information security incidents. § 16.1.1 Control]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an information security program. CC ID 00812	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an information security policy. CC ID 11740 [A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties. § 5.1.1 Control A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties. § 5.1.1 Control The policies for information security should be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness. § 5.1.2 Control]	Establish/Maintain Documentation	Preventive
Align the information security policy with the organization's risk acceptance level. CC ID 13042	Business Processes	Preventive
Include business processes in the information security policy. CC ID 16326	Establish/Maintain Documentation	Preventive
Include the information security strategy in the information security policy. CC ID 16125	Establish/Maintain Documentation	Preventive
Include a commitment to continuous improvement in the information security policy. CC ID 16123	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the information security policy. CC ID 16120	Establish/Maintain Documentation	Preventive
Include a commitment to the information security requirements in the information security policy. CC ID 13496	Establish/Maintain Documentation	Preventive
Include information security objectives in the information security policy. CC ID 13493	Establish/Maintain Documentation	Preventive
Include the use of Cloud Services in the information security policy. CC ID 13146	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain information security procedures. CC ID 12006	Business Processes	Preventive
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303	Communicate	Preventive
Approve the information security policy at the organization's management level or higher. CC ID 11737 [A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties. § 5.1.1 Control]	Process or Activity	Preventive
Assign ownership of the information security program to the appropriate role. CC ID 00814	Establish Roles	Preventive
Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 [All information security responsibilities should be defined and allocated. § 6.1.1 Control All information security responsibilities should be defined and allocated. § 6.1.1 Control]	Establish/Maintain Documentation	Preventive
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 [A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties. § 5.1.1 Control]	Communicate	Preventive
Establish, implement, and maintain operational control procedures. CC ID 00831	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 [Operating procedures should be documented and made available to all users who need them. § 12.1.1 Control]	Establish/Maintain Documentation	Preventive
Use systems in accordance with the standard operating procedures manual. CC ID 15049	Process or Activity	Preventive
Include metrics in the standard operating procedures manual. CC ID 14988	Establish/Maintain Documentation	Preventive
Include maintenance measures in the standard operating procedures manual. CC ID 14986	Establish/Maintain Documentation	Preventive
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984	Establish/Maintain Documentation	Preventive
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982	Establish/Maintain Documentation	Preventive
Include predetermined changes in the standard operating procedures manual. CC ID 14977	Establish/Maintain Documentation	Preventive
Include specifications for input data in the standard operating procedures manual. CC ID 14975	Establish/Maintain Documentation	Preventive
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973	Establish/Maintain Documentation	Preventive
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972	Establish/Maintain Documentation	Preventive
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969	Establish/Maintain Documentation	Preventive
Include the intended purpose in the standard operating procedures manual. CC ID 14967	Establish/Maintain Documentation	Preventive
Include information on system performance in the standard operating procedures manual. CC ID 14965	Establish/Maintain Documentation	Preventive
Include contact details in the standard operating procedures manual. CC ID 14962	Establish/Maintain Documentation	Preventive
Include information sharing procedures in standard operating procedures. CC ID 12974	Records Management	Preventive
Establish, implement, and maintain information sharing agreements. CC ID 15645	Business Processes	Preventive
Provide support for information sharing activities. CC ID 15644	Process or Activity	Preventive
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328	Business Processes	Preventive
Update operating procedures that contribute to user errors. CC ID 06935	Establish/Maintain Documentation	Corrective
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 [Operating procedures should be documented and made available to all users who need them. § 12.1.1 Control]	Communicate	Preventive
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 [Rules for the acceptable use of information and of assets associated with information and information processing facilities should be identified, documented and implemented. § 8.1.3 Control]	Establish/Maintain Documentation	Preventive
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351	Establish/Maintain Documentation	Preventive
Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894	Establish/Maintain Documentation	Preventive
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703	Establish/Maintain Documentation	Preventive
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708	Establish/Maintain Documentation	Preventive
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707	Establish/Maintain Documentation	Preventive
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706	Establish/Maintain Documentation	Preventive
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705	Establish/Maintain Documentation	Preventive
Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293	Establish/Maintain Documentation	Preventive
Include a web usage policy in the Acceptable Use Policy. CC ID 16496	Establish/Maintain Documentation	Preventive
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352	Establish/Maintain Documentation	Preventive
Include asset tags in the Acceptable Use Policy. CC ID 01354	Establish/Maintain Documentation	Preventive
Specify the owner of applicable assets in the Acceptable Use Policy CC ID 15699	Establish/Maintain Documentation	Preventive
Include asset use policies in the Acceptable Use Policy. CC ID 01355 [Rules for the acceptable use of information and of assets associated with information and information processing facilities should be identified, documented and implemented. § 8.1.3 Control]	Establish/Maintain Documentation	Preventive
Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872	Establish/Maintain Documentation	Preventive
Include access control mechanisms in the Acceptable Use Policy. CC ID 01353	Establish/Maintain Documentation	Preventive
Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892	Technical Security	Preventive
Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893	Establish/Maintain Documentation	Preventive
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772	Data and Information Management	Preventive
Correlate the Acceptable Use Policy with the network security policy. CC ID 01356	Establish/Maintain Documentation	Preventive
Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881	Establish/Maintain Documentation	Preventive
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357	Establish/Maintain Documentation	Preventive
Include facility access and facility use in the Acceptable Use Policy. CC ID 06441	Establish/Maintain Documentation	Preventive
Include disciplinary actions in the Acceptable Use Policy. CC ID 00296	Establish/Maintain Documentation	Corrective
Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311	Establish/Maintain Documentation	Preventive
Include a software installation policy in the Acceptable Use Policy. CC ID 06749 [Procedures should be implemented to control the installation of software on operational systems. § 12.5.1 Control Rules governing the installation of software by users should be established and implemented. § 12.6.2 Control]	Establish/Maintain Documentation	Preventive
Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472	Establish/Maintain Documentation	Preventive
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431	Communicate	Preventive
Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661	Establish/Maintain Documentation	Preventive
Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 [Appropriate procedures should be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products. § 18.1.2 Control]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain nondisclosure agreements. CC ID 04536 [{confidentiality agreements} {identified and documented} Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information should be identified, regularly reviewed and documented. § 13.2.4 Control {confidentiality agreements} {identified and documented} Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information should be identified, regularly reviewed and documented. § 13.2.4 Control]	Establish/Maintain Documentation	Preventive
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191	Communicate	Preventive
Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667	Establish/Maintain Documentation	Preventive
Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669	Establish/Maintain Documentation	Preventive
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818	Business Processes	Preventive
Review systems for compliance with organizational information security policies. CC ID 12004 [{information security standard} Information systems should be regularly reviewed for compliance with the organization’s information security policies and standards. § 18.2.3 Control]	Business Processes	Preventive
Establish, implement, and maintain an Asset Management program. CC ID 06630 [Procedures for handling assets should be developed and implemented in accordance with the information classification scheme adopted by the organization. § 8.2.3 Control]	Business Processes	Preventive
Establish, implement, and maintain an asset management policy. CC ID 15219	Establish/Maintain Documentation	Preventive
Include coordination amongst entities in the asset management policy. CC ID 16424	Business Processes	Preventive
Assign an information owner to organizational assets, as necessary. CC ID 12729	Human Resources Management	Preventive
Include life cycle requirements in the security management program. CC ID 16392	Establish/Maintain Documentation	Preventive
Include life cycle requirements in the security management program. CC ID 16391	Establish/Maintain Documentation	Preventive
Include program objectives in the asset management program. CC ID 14413	Establish/Maintain Documentation	Preventive
Include a commitment to continual improvement in the asset management program. CC ID 14412	Establish/Maintain Documentation	Preventive
Include compliance with applicable requirements in the asset management program. CC ID 14411	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain administrative controls over all assets. CC ID 16400	Business Processes	Preventive
Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902	Establish/Maintain Documentation	Preventive
Apply security controls to each level of the information classification standard. CC ID 01903	Systems Design, Build, and Implementation	Preventive
Establish, implement, and maintain the systems' confidentiality level. CC ID 01904	Establish/Maintain Documentation	Preventive
Define confidentiality controls. CC ID 01908	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain the systems' availability level. CC ID 01905	Establish/Maintain Documentation	Preventive
Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742	Process or Activity	Preventive
Define integrity controls. CC ID 01909	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain the systems' integrity level. CC ID 01906	Establish/Maintain Documentation	Preventive
Define availability controls. CC ID 01911	Establish/Maintain Documentation	Preventive
Establish safety classifications for systems according to their potential harmful effects to operators or end users. CC ID 06603	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an asset safety classification scheme. CC ID 06604	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain the Asset Classification Policy. CC ID 06642	Establish/Maintain Documentation	Preventive
Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851	Communicate	Preventive
Classify assets according to the Asset Classification Policy. CC ID 07186	Establish Roles	Preventive
Classify virtual systems by type and purpose. CC ID 16332	Business Processes	Preventive
Document the decision for assigning an asset to a specific asset classification in the Asset Classification Policy. CC ID 07185	Establish/Maintain Documentation	Preventive
Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184	Establish Roles	Preventive
Disallow systems from processing information, disseminating and communicating information, or storing information that is above the system's assigned asset classification. CC ID 06606	Configuration	Preventive
Assign decomposed system components the same asset classification as the originating system. CC ID 06605	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an asset inventory. CC ID 06631	Business Processes	Preventive
Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 [Assets associated with information and information processing facilities should be identified and an inventory of these assets should be drawn up and maintained. § 8.1.1 Control]	Establish/Maintain Documentation	Preventive
Include all account types in the Information Technology inventory. CC ID 13311	Establish/Maintain Documentation	Preventive
Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695	Systems Design, Build, and Implementation	Preventive
Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289	Data and Information Management	Preventive
Include each Information System's major applications in the Information Technology inventory. CC ID 01407	Establish/Maintain Documentation	Preventive
Categorize all major applications according to the business information they process. CC ID 07182	Establish/Maintain Documentation	Preventive
Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164	Establish/Maintain Documentation	Preventive
Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408	Establish/Maintain Documentation	Preventive
Include each Information System's minor applications in the Information Technology inventory. CC ID 01409	Establish/Maintain Documentation	Preventive
Conduct environmental surveys. CC ID 00690	Physical and Environmental Protection	Preventive
Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a hardware asset inventory. CC ID 00691	Establish/Maintain Documentation	Preventive
Include network equipment in the Information Technology inventory. CC ID 00693	Establish/Maintain Documentation	Preventive
Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719	Establish/Maintain Documentation	Preventive
Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885	Process or Activity	Preventive
Include software in the Information Technology inventory. CC ID 00692	Establish/Maintain Documentation	Preventive
Establish and maintain a list of authorized software and versions required for each system. CC ID 12093	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a storage media inventory. CC ID 00694	Establish/Maintain Documentation	Preventive
Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962	Establish/Maintain Documentation	Detective
Establish, implement, and maintain a records inventory and database inventory. CC ID 01260	Establish/Maintain Documentation	Preventive
Add inventoried assets to the asset register database, as necessary. CC ID 07051	Establish/Maintain Documentation	Preventive
Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052	Monitor and Evaluate Occurrences	Corrective
Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053	Monitor and Evaluate Occurrences	Corrective
Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181	Establish/Maintain Documentation	Preventive
Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054	Technical Security	Preventive
Link the authentication system to the asset inventory. CC ID 13718	Technical Security	Preventive
Record a unique name for each asset in the asset inventory. CC ID 16305	Data and Information Management	Preventive
Record the decommission date for applicable assets in the asset inventory. CC ID 14920	Establish/Maintain Documentation	Preventive
Record the status of information systems in the asset inventory. CC ID 16304	Data and Information Management	Preventive
Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301	Data and Information Management	Preventive
Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918	Establish/Maintain Documentation	Preventive
Include source code in the asset inventory. CC ID 14858	Records Management	Preventive
Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344	Human Resources Management	Preventive
Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110	Technical Security	Detective
Record the review date for applicable assets in the asset inventory. CC ID 14919	Establish/Maintain Documentation	Preventive
Record software license information for each asset in the asset inventory. CC ID 11736	Data and Information Management	Preventive
Record services for applicable assets in the asset inventory. CC ID 13733	Establish/Maintain Documentation	Preventive
Record protocols for applicable assets in the asset inventory. CC ID 13734	Establish/Maintain Documentation	Preventive
Record the software version in the asset inventory. CC ID 12196	Establish/Maintain Documentation	Preventive
Record the publisher for applicable assets in the asset inventory. CC ID 13725	Establish/Maintain Documentation	Preventive
Record the authentication system in the asset inventory. CC ID 13724	Establish/Maintain Documentation	Preventive
Tag unsupported assets in the asset inventory. CC ID 13723	Establish/Maintain Documentation	Preventive
Record the install date for applicable assets in the asset inventory. CC ID 13720	Establish/Maintain Documentation	Preventive
Record the make, model of device for applicable assets in the asset inventory. CC ID 12465	Establish/Maintain Documentation	Preventive
Record the asset tag for physical assets in the asset inventory. CC ID 06632	Establish/Maintain Documentation	Preventive
Record the host name of applicable assets in the asset inventory. CC ID 13722	Establish/Maintain Documentation	Preventive
Record network ports for applicable assets in the asset inventory. CC ID 13730	Establish/Maintain Documentation	Preventive
Record the MAC address for applicable assets in the asset inventory. CC ID 13721	Establish/Maintain Documentation	Preventive
Record the operating system version for applicable assets in the asset inventory. CC ID 11748	Data and Information Management	Preventive
Record the operating system type for applicable assets in the asset inventory. CC ID 06633	Establish/Maintain Documentation	Preventive
Record rooms at external locations in the asset inventory. CC ID 16302	Data and Information Management	Preventive
Record the department associated with the asset in the asset inventory. CC ID 12084	Establish/Maintain Documentation	Preventive
Record the physical location for applicable assets in the asset inventory. CC ID 06634	Establish/Maintain Documentation	Preventive
Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635	Establish/Maintain Documentation	Preventive
Record the firmware version for applicable assets in the asset inventory. CC ID 12195	Establish/Maintain Documentation	Preventive
Record the related business function for applicable assets in the asset inventory. CC ID 06636	Establish/Maintain Documentation	Preventive
Record the deployment environment for applicable assets in the asset inventory. CC ID 06637	Establish/Maintain Documentation	Preventive
Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638	Establish/Maintain Documentation	Preventive
Record trusted keys and certificates in the asset inventory. CC ID 15486	Data and Information Management	Preventive
Record cipher suites and protocols in the asset inventory. CC ID 15489	Data and Information Management	Preventive
Link the software asset inventory to the hardware asset inventory. CC ID 12085	Establish/Maintain Documentation	Preventive
Record the owner for applicable assets in the asset inventory. CC ID 06640 [Assets maintained in the inventory should be owned. § 8.1.2 Control]	Establish/Maintain Documentation	Preventive
Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696	Establish/Maintain Documentation	Preventive
Record all changes to assets in the asset inventory. CC ID 12190	Establish/Maintain Documentation	Preventive
Record cloud service derived data in the asset inventory. CC ID 13007	Establish/Maintain Documentation	Preventive
Include cloud service customer data in the asset inventory. CC ID 13006	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a software accountability policy. CC ID 00868	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain software asset management procedures. CC ID 00895	Establish/Maintain Documentation	Preventive
Prevent users from disabling required software. CC ID 16417	Technical Security	Preventive
Establish, implement, and maintain software archives procedures. CC ID 00866	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain software distribution procedures. CC ID 00894	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain software documentation management procedures. CC ID 06395	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain software license management procedures. CC ID 06639 [Appropriate procedures should be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products. § 18.1.2 Control]	Establish/Maintain Documentation	Preventive
Automate software license monitoring, as necessary. CC ID 07057	Monitor and Evaluate Occurrences	Preventive
Establish, implement, and maintain a system redeployment program. CC ID 06276	Establish/Maintain Documentation	Preventive
Test systems for malicious code prior to when the system will be redeployed. CC ID 06339	Testing	Detective
Notify interested personnel and affected parties prior to when the system is redeployed or the system is disposed. CC ID 06400	Behavior	Preventive
Wipe all data on systems prior to when the system is redeployed or the system is disposed. CC ID 06401	Data and Information Management	Preventive
Transfer legal ownership of assets when the system is redeployed to a third party. CC ID 06698	Acquisition/Sale of Assets or Services	Preventive
Document the staff's operating knowledge of the system prior to a personnel status change. CC ID 06937	Establish/Maintain Documentation	Preventive
Redeploy systems to other organizational units, as necessary. CC ID 11452	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a system disposal program. CC ID 14431	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain disposal procedures. CC ID 16513	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain asset sanitization procedures. CC ID 16511	Establish/Maintain Documentation	Preventive
Destroy systems in accordance with the system disposal program. CC ID 16457	Business Processes	Preventive
Approve the release of systems and waste material into the public domain. CC ID 16461	Business Processes	Preventive
Establish, implement, and maintain system destruction procedures. CC ID 16474	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain printer and multifunction device disposition procedures. CC ID 15216	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 [Equipment should be correctly maintained to ensure its continued availability and integrity. § 11.2.4 Control]	Establish/Maintain Documentation	Preventive
Establish and maintain maintenance reports. CC ID 11749	Establish/Maintain Documentation	Preventive
Establish and maintain system inspection reports. CC ID 06346	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a system maintenance policy. CC ID 14032	Establish/Maintain Documentation	Preventive
Include compliance requirements in the system maintenance policy. CC ID 14217	Establish/Maintain Documentation	Preventive
Include management commitment in the system maintenance policy. CC ID 14216	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the system maintenance policy. CC ID 14215	Establish/Maintain Documentation	Preventive
Include the scope in the system maintenance policy. CC ID 14214	Establish/Maintain Documentation	Preventive
Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213	Communicate	Preventive
Include the purpose in the system maintenance policy. CC ID 14187	Establish/Maintain Documentation	Preventive
Include coordination amongst entities in the system maintenance policy. CC ID 14181	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain system maintenance procedures. CC ID 14059	Establish/Maintain Documentation	Preventive
Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194	Communicate	Preventive
Establish, implement, and maintain a technology refresh plan. CC ID 13061	Establish/Maintain Documentation	Preventive
Plan and conduct maintenance so that it does not interfere with scheduled operations. CC ID 06389	Physical and Environmental Protection	Preventive
Maintain contact with the device manufacturer or component manufacturer for maintenance requests. CC ID 06388	Behavior	Preventive
Use system components only when third party support is available. CC ID 10644	Maintenance	Preventive
Obtain justification for the continued use of system components when third party support is no longer available. CC ID 10645	Maintenance	Preventive
Control and monitor all maintenance tools. CC ID 01432	Physical and Environmental Protection	Detective
Obtain approval before removing maintenance tools from the facility. CC ID 14298	Business Processes	Preventive
Control remote maintenance according to the system's asset classification. CC ID 01433	Technical Security	Preventive
Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption. CC ID 10614	Configuration	Preventive
Approve all remote maintenance sessions. CC ID 10615	Technical Security	Preventive
Log the performance of all remote maintenance. CC ID 13202	Log Management	Preventive
Terminate remote maintenance sessions when the remote maintenance is complete. CC ID 12083	Technical Security	Preventive
Conduct offsite maintenance in authorized facilities. CC ID 16473	Maintenance	Preventive
Conduct maintenance with authorized personnel. CC ID 01434	Testing	Detective
Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295	Maintenance	Preventive
Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291	Maintenance	Preventive
Respond to maintenance requests inside the organizationally established time frame. CC ID 04878	Behavior	Preventive
Establish and maintain an archive of maintenance reports in a maintenance log. CC ID 06202	Establish/Maintain Documentation	Preventive
Acquire spare parts prior to when maintenance requests are scheduled. CC ID 11833	Acquisition/Sale of Assets or Services	Preventive
Perform periodic maintenance according to organizational standards. CC ID 01435	Behavior	Preventive
Restart systems on a periodic basis. CC ID 16498	Maintenance	Preventive
Remove components being serviced from the information system prior to performing maintenance. CC ID 14251	Maintenance	Preventive
Employ dedicated systems during system maintenance. CC ID 12108	Technical Security	Preventive
Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114	Technical Security	Preventive
Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873	Human Resources Management	Preventive
Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874	Physical and Environmental Protection	Preventive
Calibrate assets according to the calibration procedures for the asset. CC ID 06203	Testing	Detective
Post calibration limits or calibration tolerances on or near assets requiring calibration. CC ID 06204	Establish/Maintain Documentation	Preventive
Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616	Process or Activity	Preventive
Refrain from protecting physical assets when no longer required. CC ID 13484	Physical and Environmental Protection	Corrective
Disassemble and shut down unnecessary systems or unused systems. CC ID 06280	Business Processes	Preventive
Dispose of hardware and software at their life cycle end. CC ID 06278	Business Processes	Preventive
Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200	Business Processes	Preventive
Establish, implement, and maintain disposal contracts. CC ID 12199	Establish/Maintain Documentation	Preventive
Include disposal procedures in disposal contracts. CC ID 13905	Establish/Maintain Documentation	Preventive
Remove asset tags prior to disposal of an asset. CC ID 12198	Business Processes	Preventive
Document the storage information for all systems that are stored instead of being disposed or redeployed. CC ID 06936	Establish/Maintain Documentation	Preventive
Test for detrimental environmental factors after a system is disposed. CC ID 06938	Testing	Detective
Review each system's operational readiness. CC ID 06275	Systems Design, Build, and Implementation	Preventive
Establish, implement, and maintain a data stewardship policy. CC ID 06657	Establish/Maintain Documentation	Preventive
Establish and maintain an unauthorized software list. CC ID 10601	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a customer service program. CC ID 00846	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an Incident Management program. CC ID 00853	Business Processes	Preventive
Include detection procedures in the Incident Management program. CC ID 00588	Establish/Maintain Documentation	Preventive
Categorize the incident following an incident response. CC ID 13208	Technical Security	Preventive
Determine the incident severity level when assessing the security incidents. CC ID 01650 [Information security events should be assessed and it should be decided if they are to be classified as information security incidents. § 16.1.4 Control]	Monitor and Evaluate Occurrences	Corrective
Assess all incidents to determine what information was accessed. CC ID 01226 [Information security events should be assessed and it should be decided if they are to be classified as information security incidents. § 16.1.4 Control]	Testing	Corrective
Check the precursors and indicators when assessing the security incidents. CC ID 01761	Monitor and Evaluate Occurrences	Corrective
Analyze security violations in Suspicious Activity Reports. CC ID 00591	Establish/Maintain Documentation	Preventive
Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234 [{information security incidents} Knowledge gained from analysing and resolving information security incidents should be used to reduce the likelihood or impact of future incidents. § 16.1.6 Control]	Monitor and Evaluate Occurrences	Preventive
Include incident reporting procedures in the Incident Management program. CC ID 11772 [Information security events should be reported through appropriate management channels as quickly as possible. § 16.1.2 Control]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain incident reporting time frame standards. CC ID 12142	Communicate	Preventive
Establish, implement, and maintain an Incident Response program. CC ID 00579	Establish/Maintain Documentation	Preventive
Include incident response team structures in the Incident Response program. CC ID 01237	Establish/Maintain Documentation	Preventive
Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 [{management procedures} Management responsibilities and procedures should be established to ensure a quick, effective and orderly response to information security incidents. § 16.1.1 Control]	Establish Roles	Preventive
Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877	Establish Roles	Preventive
Open a priority incident request after a security breach is detected. CC ID 04838	Testing	Corrective
Activate the incident response notification procedures after a security breach is detected. CC ID 04839	Testing	Corrective
Notify interested personnel and affected parties that a security breach was detected. CC ID 11788	Communicate	Corrective
Include the head of information security's roles and responsibilities in the Incident Response program. CC ID 01878	Establish Roles	Preventive
Include the customer database owner's roles and responsibilities in the Incident Response program. CC ID 01879	Establish Roles	Preventive
Include the online sales department's roles and responsibilities in the Incident Response program. CC ID 01880	Establish Roles	Preventive
Include the incident response point of contact for credit card payment system's roles and responsibilities in the Incident Response program. CC ID 01881	Establish Roles	Preventive
Include the organizational legal counsel's roles and responsibilities in the Incident Response program. CC ID 01882	Establish Roles	Preventive
Include the Human Resources point of contact's roles and responsibilities in the Incident Response program. CC ID 01883	Establish Roles	Preventive
Include the organizational incident response network architecture point of contact's roles and responsibilities in the Incident Response program. CC ID 01884	Establish Roles	Preventive
Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program. CC ID 01885	Establish Roles	Preventive
Include the organizational incident response location manager's roles and responsibilities in the Incident Response program. CC ID 01886	Establish Roles	Preventive
Assign the distribution of security alerts to the appropriate role in the incident response program. CC ID 11887	Human Resources Management	Preventive
Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program. CC ID 11886	Investigate	Detective
Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473	Establish/Maintain Documentation	Preventive
Assign the distribution of incident response procedures to the appropriate role in the incident response program. CC ID 12474	Communicate	Preventive
Establish, implement, and maintain incident response procedures. CC ID 01206 [Information security incidents should be responded to in accordance with the documented procedures. § 16.1.5 Control]	Establish/Maintain Documentation	Detective
Include references to industry best practices in the incident response procedures. CC ID 11956	Establish/Maintain Documentation	Preventive
Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949	Establish/Maintain Documentation	Preventive
Respond when an integrity violation is detected, as necessary. CC ID 10678	Technical Security	Corrective
Shut down systems when an integrity violation is detected, as necessary. CC ID 10679	Technical Security	Corrective
Restart systems when an integrity violation is detected, as necessary. CC ID 10680	Technical Security	Corrective
Maintain contact with breach notification organizations for notification purposes in the event a privacy breach has occurred. CC ID 01213 [Appropriate contacts with relevant authorities should be maintained. § 6.1.3 Control]	Behavior	Preventive
Establish, implement, and maintain a digital forensic evidence framework. CC ID 08652	Establish/Maintain Documentation	Preventive
Define the business scenarios that require digital forensic evidence. CC ID 08653	Establish/Maintain Documentation	Preventive
Define the circumstances for collecting digital forensic evidence. CC ID 08657 [The organization should define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence. § 16.1.7 Control]	Establish/Maintain Documentation	Preventive
Conduct forensic investigations in the event of a security compromise. CC ID 11951	Investigate	Corrective
Identify potential sources of digital forensic evidence. CC ID 08651 [The organization should define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence. § 16.1.7 Control]	Investigate	Preventive
Establish, implement, and maintain a digital forensic evidence collection program. CC ID 08655 [The organization should define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence. § 16.1.7 Control]	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the digital forensic evidence collection program. CC ID 15724	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain secure storage and handling of evidence procedures. CC ID 08656 [The organization should define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence. § 16.1.7 Control]	Records Management	Preventive
Establish, implement, and maintain a performance management standard. CC ID 01615	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain rate limiting filters. CC ID 06883	Business Processes	Preventive
Establish, implement, and maintain system capacity monitoring procedures. CC ID 01619 [The use of resources should be monitored, tuned and projections made of future capacity requirements to ensure the required system performance. § 12.1.3 Control]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a Service Level Agreement framework. CC ID 00839	Establish/Maintain Documentation	Preventive
Include the security mechanisms of network services in the Service Level Agreement. CC ID 12023 [Security mechanisms, service levels and management requirements of all network services should be identified and included in network services agreements, whether these services are provided in-house or outsourced. § 13.1.2 Control]	Establish/Maintain Documentation	Preventive
Include the management requirements for network services in the Service Level Agreement. CC ID 12025 [Security mechanisms, service levels and management requirements of all network services should be identified and included in network services agreements, whether these services are provided in-house or outsourced. § 13.1.2 Control]	Establish/Maintain Documentation	Preventive
Include the service levels for network services in the Service Level Agreement. CC ID 12024 [Security mechanisms, service levels and management requirements of all network services should be identified and included in network services agreements, whether these services are provided in-house or outsourced. § 13.1.2 Control]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a change control program. CC ID 00886 [Changes to the organization, business processes, information processing facilities and systems that affect information security should be controlled. § 12.1.2 Control Changes to systems within the development lifecycle should be controlled by the use of formal change control procedures. § 14.2.2 Control]	Establish/Maintain Documentation	Preventive
Include potential consequences of unintended changes in the change control program. CC ID 12243	Establish/Maintain Documentation	Preventive
Include version control in the change control program. CC ID 13119	Establish/Maintain Documentation	Preventive
Include service design and transition in the change control program. CC ID 13920	Establish/Maintain Documentation	Preventive
Separate the production environment from development environment or test environment for the change control process. CC ID 11864	Maintenance	Preventive
Integrate configuration management procedures into the change control program. CC ID 13646	Technical Security	Preventive
Establish, implement, and maintain a back-out plan. CC ID 13623	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373	Establish/Maintain Documentation	Preventive
Approve back-out plans, as necessary. CC ID 13627	Establish/Maintain Documentation	Corrective
Manage change requests. CC ID 00887 [Modifications to software packages should be discouraged, limited to necessary changes and all changes should be strictly controlled. § 14.2.4 Control]	Business Processes	Preventive
Include documentation of the impact level of proposed changes in the change request. CC ID 11942	Establish/Maintain Documentation	Preventive
Establish and maintain a change request approver list. CC ID 06795	Establish/Maintain Documentation	Preventive
Document all change requests in change request forms. CC ID 06794	Establish/Maintain Documentation	Preventive
Test proposed changes prior to their approval. CC ID 00548	Testing	Detective
Examine all changes to ensure they correspond with the change request. CC ID 12345 [Modifications to software packages should be discouraged, limited to necessary changes and all changes should be strictly controlled. § 14.2.4 Control]	Business Processes	Detective
Approve tested change requests. CC ID 11783	Data and Information Management	Preventive
Validate the system before implementing approved changes. CC ID 01510 [When operating platforms are changed, business critical applications should be reviewed and tested to ensure there is no adverse impact on organizational operations or security. § 14.2.3 Control]	Systems Design, Build, and Implementation	Preventive
Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807	Behavior	Preventive
Establish, implement, and maintain emergency change procedures. CC ID 00890	Establish/Maintain Documentation	Preventive
Perform emergency changes, as necessary. CC ID 12707	Process or Activity	Preventive
Back up emergency changes after the change has been performed. CC ID 12734	Process or Activity	Preventive
Log emergency changes after they have been performed. CC ID 12733	Establish/Maintain Documentation	Preventive
Perform risk assessments prior to approving change requests. CC ID 00888	Testing	Preventive
Conduct network certifications prior to approving change requests for networks. CC ID 13121	Process or Activity	Detective
Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126	Investigate	Detective
Collect data about the network environment when certifying the network. CC ID 13125	Investigate	Detective
Implement changes according to the change control program. CC ID 11776	Business Processes	Preventive
Provide audit trails for all approved changes. CC ID 13120	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a patch management program. CC ID 00896	Process or Activity	Preventive
Document the sources of all software updates. CC ID 13316	Establish/Maintain Documentation	Preventive
Implement patch management software, as necessary. CC ID 12094	Technical Security	Preventive
Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087	Technical Security	Preventive
Establish, implement, and maintain a patch management policy. CC ID 16432	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain patch management procedures. CC ID 15224	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a patch log. CC ID 01642	Establish/Maintain Documentation	Preventive
Review the patch log for missing patches. CC ID 13186	Technical Security	Detective
Perform a patch test prior to deploying a patch. CC ID 00898	Testing	Detective
Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796	Business Processes	Preventive
Deploy software patches in accordance with organizational standards. CC ID 07032	Configuration	Corrective
Test software patches for any potential compromise of the system's security. CC ID 13175	Testing	Detective
Patch software. CC ID 11825	Technical Security	Corrective
Patch the operating system, as necessary. CC ID 11824	Technical Security	Corrective
Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174	Configuration	Corrective
Remove outdated software after software has been updated. CC ID 11792	Configuration	Corrective
Update computer firmware, as necessary. CC ID 11755	Configuration	Corrective
Review changes to computer firmware. CC ID 12226	Testing	Detective
Certify changes to computer firmware are free of malicious logic. CC ID 12227	Testing	Detective
Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671	Configuration	Corrective
Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682	Technical Security	Detective
Establish, implement, and maintain a software release policy. CC ID 00893	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain traceability documentation. CC ID 16388	Systems Design, Build, and Implementation	Preventive
Disseminate and communicate software update information to users and regulators. CC ID 06602	Behavior	Preventive
Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809	Data and Information Management	Preventive
Mitigate the adverse effects of unauthorized changes. CC ID 12244	Business Processes	Corrective
Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391	Establish/Maintain Documentation	Detective
Test the system's operational functionality after implementing approved changes. CC ID 06294	Testing	Detective
Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541 [Acceptance testing programs and related criteria should be established for new information systems, upgrades and new versions. § 14.2.9 Control]	Testing	Detective
Establish, implement, and maintain a change acceptance testing log. CC ID 06392	Establish/Maintain Documentation	Corrective
Update associated documentation after the system configuration has been changed. CC ID 00891	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a configuration change log. CC ID 08710	Configuration	Detective
Document approved configuration deviations. CC ID 08711	Establish/Maintain Documentation	Corrective
Document the organization's local environments. CC ID 06726 [To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. § 5.1 Objective To establish a management framework to initiate and control the implementation and operation of information security within the organization. § 6.1 Objective To ensure the security of teleworking and use of mobile devices. § 6.2 Objective To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered. § 7.1 Objective To ensure that employees and contractors are aware of and fulfill their information security responsibilities. § 7.2 Objective To protect the organization’s interests as part of the process of changing or terminating employment. § 7.3 Objective To identify organizational assets and define appropriate protection responsibilities. § 8.1 Objective To prevent unauthorized disclosure, modification, removal or destruction of information stored on media. § 8.3 Objective To limit access to information and information processing facilities. § 9.1 Objective To ensure authorized user access and to prevent unauthorized access to systems and services. § 9.2 Objective To make users accountable for safeguarding their authentication information. § 9.3 Objective To prevent unauthorized access to systems and applications. § 9.4 Objective To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information. § 10.1 Objective To prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities. § 11.1 Objective To prevent loss, damage, theft or compromise of assets and interruption to the organization’s operations. § 11.2 Objective To ensure correct and secure operations of information processing facilities. § 12.1 Objective To ensure that information and information processing facilities are protected against malware. § 12.2 Objective To protect against loss of data. § 12.3 Objective To record events and generate evidence. § 12.4 Objective To ensure the integrity of operational systems. § 12.5 Objective To prevent exploitation of technical vulnerabilities. § 12.6 Objective To minimise the impact of audit activities on operational systems. § 12.7 Objective To ensure the protection of information in networks and its supporting information processing facilities. § 13.1 Objective To maintain the security of information transferred within an organization and with any external entity. § 13.2 Objective To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks. § 14.1 Objective To ensure that information security is designed and implemented within the development lifecycle of information systems. § 14.2 Objective To ensure protection of the organization’s assets that is accessible by suppliers. § 15.1 Objective To maintain an agreed level of information security and service delivery in line with supplier agreements. § 15.2 Objective To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses. § 16.1 Objective Information security continuity should be embedded in the organization’s business continuity management systems. § 17.1 Objective To ensure availability of information processing facilities. § 17.2 Objective To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements. § 18.1 Objective To ensure that information security is implemented and operated in accordance with the organizational policies and procedures. § 18.2 Objective To ensure that information receives an appropriate level of protection in accordance with its importance to the organization. § 8.2 Objective To ensure the protection of data used for testing. § 14.3 Objective]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain local environment security profiles. CC ID 07037	Establish/Maintain Documentation	Preventive
Include individuals assigned to the local environment in the local environment security profile. CC ID 07038	Establish/Maintain Documentation	Preventive
Include security requirements in the local environment security profile. CC ID 15717	Establish/Maintain Documentation	Preventive
Include the business processes assigned to the local environment in the local environment security profile. CC ID 07039	Establish/Maintain Documentation	Preventive
Include the technology used in the local environment in the local environment security profile. CC ID 07040	Establish/Maintain Documentation	Preventive
Include contact information for critical personnel assigned to the local environment in the local environment security profile. CC ID 07041	Establish/Maintain Documentation	Preventive
Include facility information for the local environment in the local environment security profile. CC ID 07042	Establish/Maintain Documentation	Preventive
Include facility access information for the local environment in the local environment security profile. CC ID 11773	Establish/Maintain Documentation	Preventive
Disseminate and communicate the local environment security profile to interested personnel and affected parties. CC ID 15716	Communicate	Preventive
Update the local environment security profile, as necessary. CC ID 07043	Establish/Maintain Documentation	Preventive

Physical and environmental protection

239

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Physical and environmental protection CC ID 00709	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain a physical security program. CC ID 11757	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an anti-tamper protection program. CC ID 10638	Monitor and Evaluate Occurrences	Detective
Protect assets from tampering or unapproved substitution. CC ID 11902 [Logging facilities and log information should be protected against tampering and unauthorized access. § 12.4.2 Control]	Physical and Environmental Protection	Preventive
Establish, implement, and maintain a facility physical security program. CC ID 00711 [Physical security for offices, rooms and facilities should be designed and applied. § 11.1.3 Control]	Establish/Maintain Documentation	Preventive
Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050	Establish/Maintain Documentation	Preventive
Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311	Behavior	Preventive
Protect the facility from crime. CC ID 06347	Physical and Environmental Protection	Preventive
Define communication methods for reporting crimes. CC ID 06349	Establish/Maintain Documentation	Preventive
Include identification cards or badges in the physical security program. CC ID 14818	Establish/Maintain Documentation	Preventive
Protect facilities from eavesdropping. CC ID 02222	Physical and Environmental Protection	Preventive
Inspect telephones for eavesdropping devices. CC ID 02223	Physical and Environmental Protection	Detective
Implement audio protection controls on telephone systems in controlled areas. CC ID 16455	Technical Security	Preventive
Establish, implement, and maintain security procedures for virtual meetings CC ID 15581	Establish/Maintain Documentation	Preventive
Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440	Physical and Environmental Protection	Preventive
Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441	Physical and Environmental Protection	Preventive
Create security zones in facilities, as necessary. CC ID 16295	Physical and Environmental Protection	Preventive
Establish clear zones around any sensitive facilities. CC ID 02214	Physical and Environmental Protection	Preventive
Establish, implement, and maintain floor plans. CC ID 16419	Establish/Maintain Documentation	Preventive
Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420	Establish/Maintain Documentation	Preventive
Post floor plans of critical facilities in secure locations. CC ID 16138	Communicate	Preventive
Post and maintain security signage for all facilities. CC ID 02201	Establish/Maintain Documentation	Preventive
Inspect items brought into the facility. CC ID 06341	Physical and Environmental Protection	Preventive
Maintain all physical security systems. CC ID 02206	Physical and Environmental Protection	Preventive
Detect anomalies in physical barriers. CC ID 13533	Investigate	Detective
Maintain all security alarm systems. CC ID 11669	Physical and Environmental Protection	Preventive
Identify and document physical access controls for all physical entry points. CC ID 01637 [Secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. § 11.1.2 Control]	Establish/Maintain Documentation	Preventive
Control physical access to (and within) the facility. CC ID 01329	Physical and Environmental Protection	Preventive
Establish, implement, and maintain physical access procedures. CC ID 13629	Establish/Maintain Documentation	Preventive
Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419	Physical and Environmental Protection	Preventive
Secure physical entry points with physical access controls or security guards. CC ID 01640	Physical and Environmental Protection	Detective
Configure the access control system to grant access only during authorized working hours. CC ID 12325	Physical and Environmental Protection	Preventive
Establish, implement, and maintain a visitor access permission policy. CC ID 06699	Establish/Maintain Documentation	Preventive
Escort visitors within the facility, as necessary. CC ID 06417	Establish/Maintain Documentation	Preventive
Check the visitor's stated identity against a provided government issued identification. CC ID 06701	Physical and Environmental Protection	Preventive
Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330	Testing	Preventive
Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702	Behavior	Preventive
Establish, implement, and maintain procedures for changing a visitor's access requirements. CC ID 12048	Establish/Maintain Documentation	Preventive
Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436	Establish/Maintain Documentation	Preventive
Authorize physical access to sensitive areas based on job functions. CC ID 12462	Establish/Maintain Documentation	Preventive
Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463	Physical and Environmental Protection	Corrective
Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747	Monitor and Evaluate Occurrences	Preventive
Establish, implement, and maintain physical identification procedures. CC ID 00713	Establish/Maintain Documentation	Preventive
Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030	Human Resources Management	Preventive
Implement physical identification processes. CC ID 13715	Process or Activity	Preventive
Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717	Process or Activity	Preventive
Issue photo identification badges to all employees. CC ID 12326	Physical and Environmental Protection	Preventive
Implement operational requirements for card readers. CC ID 02225	Testing	Preventive
Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819	Establish/Maintain Documentation	Preventive
Document all lost badges in a lost badge list. CC ID 12448	Establish/Maintain Documentation	Corrective
Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334	Physical and Environmental Protection	Preventive
Manage constituent identification inside the facility. CC ID 02215	Behavior	Preventive
Direct each employee to be responsible for their identification card or badge. CC ID 12332	Human Resources Management	Preventive
Manage visitor identification inside the facility. CC ID 11670	Physical and Environmental Protection	Preventive
Issue visitor identification badges to all non-employees. CC ID 00543	Behavior	Preventive
Secure unissued visitor identification badges. CC ID 06712	Physical and Environmental Protection	Preventive
Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331	Behavior	Preventive
Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331	Physical and Environmental Protection	Preventive
Establish, implement, and maintain identification issuance procedures for identification cards or badges. CC ID 06598	Establish/Maintain Documentation	Preventive
Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714	Process or Activity	Preventive
Include error handling controls in identification issuance procedures. CC ID 13709	Establish/Maintain Documentation	Preventive
Include an appeal process in the identification issuance procedures. CC ID 15428	Business Processes	Preventive
Include information security in the identification issuance procedures. CC ID 15425	Establish/Maintain Documentation	Preventive
Include identity proofing processes in the identification issuance procedures. CC ID 06597	Process or Activity	Preventive
Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426	Establish/Maintain Documentation	Preventive
Include an identity registration process in the identification issuance procedures. CC ID 11671	Establish/Maintain Documentation	Preventive
Restrict access to the badge system to authorized personnel. CC ID 12043	Physical and Environmental Protection	Preventive
Enforce dual control for badge assignments. CC ID 12328	Physical and Environmental Protection	Preventive
Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327	Physical and Environmental Protection	Preventive
Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282	Physical and Environmental Protection	Preventive
Establish, implement, and maintain identification renewal procedures for identification cards or badges. CC ID 06599	Establish/Maintain Documentation	Preventive
Assign employees the responsibility for controlling their identification badges. CC ID 12333	Human Resources Management	Preventive
Establish, implement, and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain identification mechanism termination procedures. CC ID 06306	Establish/Maintain Documentation	Preventive
Prevent tailgating through physical entry points. CC ID 06685	Physical and Environmental Protection	Preventive
Establish, implement, and maintain a door security standard. CC ID 06686	Establish/Maintain Documentation	Preventive
Install doors so that exposed hinges are on the secured side. CC ID 06687	Configuration	Preventive
Install emergency doors to permit egress only. CC ID 06688	Configuration	Preventive
Install contact alarms on doors, as necessary. CC ID 06710	Configuration	Preventive
Use locks to protect against unauthorized physical access. CC ID 06342	Physical and Environmental Protection	Preventive
Use locks with electronic authentication systems or cipher locks, as necessary. CC ID 06650	Configuration	Preventive
Test locks for physical security vulnerabilities. CC ID 04880	Testing	Detective
Secure unissued access mechanisms. CC ID 06713	Technical Security	Preventive
Establish, implement, and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems. CC ID 00748	Establish/Maintain Documentation	Preventive
Change cipher lock codes, as necessary. CC ID 06651	Technical Security	Preventive
Record the assigned access mechanism serial number or cipher lock code when issuing controlled items. CC ID 06715	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a window security standard. CC ID 06689	Establish/Maintain Documentation	Preventive
Install contact alarms on openable windows, as necessary. CC ID 06690	Configuration	Preventive
Install glass break alarms on windows, as necessary. CC ID 06691	Configuration	Preventive
Post signs at all physical entry points stating the organization's right to inspect upon entry. CC ID 02204	Establish/Maintain Documentation	Preventive
Install and maintain security lighting at all physical entry points. CC ID 02205	Physical and Environmental Protection	Preventive
Use vandal resistant light fixtures for all security lighting. CC ID 16130	Physical and Environmental Protection	Preventive
Manage access to loading docks, unloading docks, and mail rooms. CC ID 02210 [{delivery area} Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises should be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access. § 11.1.6 Control]	Physical and Environmental Protection	Preventive
Secure the loading dock with physical access controls or security guards. CC ID 06703	Physical and Environmental Protection	Preventive
Isolate loading areas from information processing facilities, if possible. CC ID 12028 [{delivery area} Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises should be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access. § 11.1.6 Control]	Physical and Environmental Protection	Preventive
Screen incoming mail and deliveries. CC ID 06719	Physical and Environmental Protection	Preventive
Protect access to the facility's mechanical systems area. CC ID 02212	Physical and Environmental Protection	Preventive
Establish, implement, and maintain elevator security guidelines. CC ID 02232	Physical and Environmental Protection	Preventive
Establish, implement, and maintain stairwell security guidelines. CC ID 02233	Physical and Environmental Protection	Preventive
Establish, implement, and maintain glass opening security guidelines. CC ID 02234	Physical and Environmental Protection	Preventive
Establish, implement, and maintain after hours facility access procedures. CC ID 06340	Establish/Maintain Documentation	Preventive
Establish a security room, if necessary. CC ID 00738	Physical and Environmental Protection	Preventive
Implement physical security standards for mainframe rooms or data centers. CC ID 00749	Physical and Environmental Protection	Preventive
Establish and maintain equipment security cages in a shared space environment. CC ID 06711	Physical and Environmental Protection	Preventive
Secure systems in lockable equipment cabinets, as necessary. CC ID 06716	Physical and Environmental Protection	Preventive
Lock all lockable equipment cabinets. CC ID 11673	Physical and Environmental Protection	Detective
Establish, implement, and maintain vault physical security standards. CC ID 02203	Physical and Environmental Protection	Preventive
Establish, implement, and maintain a guideline for working in a secure area. CC ID 04538 [Procedures for working in secure areas should be designed and applied. § 11.1.5 Control]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain emergency re-entry procedures. CC ID 11672	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain emergency exit procedures. CC ID 01252	Establish/Maintain Documentation	Preventive
Establish, Implement, and maintain a camera operating policy. CC ID 15456	Establish/Maintain Documentation	Preventive
Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461	Communicate	Preventive
Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638	Monitor and Evaluate Occurrences	Detective
Establish and maintain a visitor log. CC ID 00715	Log Management	Preventive
Report anomalies in the visitor log to appropriate personnel. CC ID 14755	Investigate	Detective
Require all visitors to sign in to the visitor log before the entrance of a visitor to the facility. CC ID 06700	Establish/Maintain Documentation	Preventive
Require all visitors to sign out of the visitor log before the exit of a visitor from the facility. CC ID 06649	Behavior	Preventive
Record the visitor's name in the visitor log. CC ID 00557	Log Management	Preventive
Record the visitor's organization in the visitor log. CC ID 12121	Log Management	Preventive
Record the visitor's acceptable access areas in the visitor log. CC ID 12237	Log Management	Preventive
Record the date and time of entry in the visitor log. CC ID 13255	Establish/Maintain Documentation	Preventive
Record the onsite personnel authorizing physical access for the visitor in the visitor log. CC ID 12466	Establish/Maintain Documentation	Preventive
Retain all records in the visitor log as prescribed by law. CC ID 00572	Log Management	Preventive
Establish, implement, and maintain a physical access log. CC ID 12080	Establish/Maintain Documentation	Preventive
Log the entrance of a staff member to a facility or designated rooms within the facility. CC ID 01641	Log Management	Preventive
Log when the vault is accessed. CC ID 06725	Log Management	Detective
Log when the cabinet is accessed. CC ID 11674	Log Management	Detective
Store facility access logs in off-site storage. CC ID 06958	Log Management	Preventive
Log the exit of a staff member to a facility or designated rooms within the facility. CC ID 11675	Monitor and Evaluate Occurrences	Preventive
Observe restricted areas with motion detectors or closed-circuit television systems. CC ID 01328	Monitor and Evaluate Occurrences	Detective
Review and correlate all data collected from video cameras and/or access control mechanisms with other entries. CC ID 11609	Monitor and Evaluate Occurrences	Detective
Configure video cameras to cover all physical entry points. CC ID 06302	Configuration	Preventive
Configure video cameras to prevent physical tampering or disablement. CC ID 06303	Configuration	Preventive
Retain video events according to Records Management procedures. CC ID 06304	Records Management	Preventive
Monitor physical entry point alarms. CC ID 01639	Physical and Environmental Protection	Detective
Evaluate and react to when unauthorized access is detected by physical entry point alarms. CC ID 11677	Monitor and Evaluate Occurrences	Detective
Monitor for alarmed security doors being propped open. CC ID 06684	Monitor and Evaluate Occurrences	Detective
Establish, implement, and maintain physical security threat reports. CC ID 02207	Establish/Maintain Documentation	Preventive
Build and maintain fencing, as necessary. CC ID 02235 [{sensitive information} Security perimeters should be defined and used to protect areas that contain either sensitive or critical information and information processing facilities. § 11.1.1 Control]	Physical and Environmental Protection	Preventive
Implement security measures for all interior spaces that allow for any payment transactions. CC ID 06352	Physical and Environmental Protection	Preventive
Employ security guards to provide physical security, as necessary. CC ID 06653	Establish Roles	Preventive
Establish, implement, and maintain a facility wall standard. CC ID 06692	Establish/Maintain Documentation	Preventive
Design interior walls with sound absorbing materials as well as thermal resistant materials. CC ID 06372	Physical and Environmental Protection	Preventive
Design interior walls that provide security to extend from true floor to true ceiling. CC ID 06693	Configuration	Preventive
Refrain from search and seizure inside organizational facilities absent a warrant. CC ID 09980	Behavior	Preventive
Disallow either search or seizure of any person inside organizational facilities absent a warrant. CC ID 09981	Behavior	Preventive
Disallow copying or excerpting from documents, books, or records that are on or in the premises of an organizational facility absent a warrant. CC ID 09982	Business Processes	Preventive
Disallow inspecting computers or searching computer records inside organizational facilities absent a warrant. CC ID 09983	Behavior	Preventive
Do nothing to help during a search and seizure inside organizational facilities absent a warrant and being legally compelled to assist. CC ID 09984	Behavior	Preventive
Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718	Physical and Environmental Protection	Preventive
Control the transiting and internal distribution or external distribution of assets. CC ID 00963 [Media containing information should be protected against unauthorized access, misuse or corruption during transportation. § 8.3.3 Control]	Records Management	Preventive
Log the transiting, internal distribution, and external distribution of restricted storage media. CC ID 12321	Log Management	Preventive
Encrypt digital media containing sensitive information during transport outside controlled areas. CC ID 14258	Technical Security	Preventive
Obtain management authorization for restricted storage media transit or distribution from a controlled access area. CC ID 00964	Records Management	Preventive
Use locked containers to transport non-digital media outside of controlled areas. CC ID 14286	Physical and Environmental Protection	Preventive
Transport restricted media using a delivery method that can be tracked. CC ID 11777	Business Processes	Preventive
Track restricted storage media while it is in transit. CC ID 00967	Data and Information Management	Detective
Restrict physical access to distributed assets. CC ID 11865 [{environmental hazards} Equipment should be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. § 11.2.1 Control]	Physical and Environmental Protection	Preventive
House network hardware in lockable rooms or lockable equipment cabinets. CC ID 01873	Physical and Environmental Protection	Preventive
Protect electronic storage media with physical access controls. CC ID 00720	Physical and Environmental Protection	Preventive
Protect distributed assets against theft. CC ID 06799	Physical and Environmental Protection	Preventive
Establish, implement, and maintain asset removal procedures or asset decommissioning procedures. CC ID 04540	Establish/Maintain Documentation	Preventive
Prohibit assets from being taken off-site absent prior authorization. CC ID 12027 [Equipment, information or software should not be taken off-site without prior authorization. § 11.2.5 Control]	Process or Activity	Preventive
Establish, implement, and maintain off-site physical controls for all distributed assets. CC ID 04539 [Security should be applied to off-site assets taking into account the different risks of working outside the organization’s premises. § 11.2.6 Control]	Physical and Environmental Protection	Preventive
Establish, implement, and maintain end user computing device security guidelines. CC ID 00719 [Users should ensure that unattended equipment has appropriate protection. § 11.2.8 Control]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a locking screen saver policy. CC ID 06717	Establish/Maintain Documentation	Preventive
Encrypt information stored on devices in publicly accessible areas. CC ID 16410	Data and Information Management	Preventive
Secure workstations to desks with security cables. CC ID 04724	Physical and Environmental Protection	Preventive
Establish, implement, and maintain mobile device security guidelines. CC ID 04723 [A policy and supporting security measures should be adopted to manage the risks introduced by using mobile devices. § 6.2.1 Control A policy and supporting security measures should be adopted to manage the risks introduced by using mobile devices. § 6.2.1 Control]	Establish/Maintain Documentation	Preventive
Require users to refrain from leaving mobile devices unattended. CC ID 16446	Business Processes	Preventive
Wipe information from mobile devices after a predetermined number of unsuccessful logon attempts. CC ID 14242	Data and Information Management	Preventive
Include the expectation of data loss in the event of sanitizing the mobile device in the mobile device security guidelines. CC ID 12292	Establish/Maintain Documentation	Preventive
Include legal requirements in the mobile device security guidelines. CC ID 12291	Establish/Maintain Documentation	Preventive
Include the use of privacy filters in the mobile device security guidelines. CC ID 16452	Physical and Environmental Protection	Preventive
Include prohibiting the usage of unapproved application stores in the mobile device security guidelines. CC ID 12290	Establish/Maintain Documentation	Preventive
Include requiring users to create data backups in the mobile device security guidelines. CC ID 12289	Establish/Maintain Documentation	Preventive
Include the definition of mobile devices in the mobile device security guidelines. CC ID 12288	Establish/Maintain Documentation	Preventive
Refrain from responding to unsolicited Personal Identification Number requests. CC ID 12430	Physical and Environmental Protection	Preventive
Refrain from pairing bluetooth devices in unsecured areas. CC ID 12429	Physical and Environmental Protection	Preventive
Encrypt information stored on mobile devices. CC ID 01422	Data and Information Management	Preventive
Separate systems that transmit, process, or store restricted data from those that do not by deploying physical access controls. CC ID 00722 [{sensitive information} Security perimeters should be defined and used to protect areas that contain either sensitive or critical information and information processing facilities. § 11.1.1 Control]	Physical and Environmental Protection	Preventive
Establish, implement, and maintain asset return procedures. CC ID 04537	Establish/Maintain Documentation	Preventive
Require the return of all assets upon notification an individual is terminated. CC ID 06679 [{require} All employees and external party users should return all of the organizational assets in their possession upon termination of their employment, contract or agreement. § 8.1.4 Control]	Behavior	Preventive
Establish, implement, and maintain a clean desk policy. CC ID 06534 [A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities should be adopted. § 11.2.9 Control]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a clear screen policy. CC ID 12436 [A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities should be adopted. § 11.2.9 Control]	Technical Security	Preventive
Establish, implement, and maintain an environmental control program. CC ID 00724 [Physical protection against natural disasters, malicious attack or accidents should be designed and applied. § 11.1.4 Control]	Physical and Environmental Protection	Preventive
Establish, implement, and maintain clean energy standards. CC ID 16285	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain environmental control procedures. CC ID 12246	Establish/Maintain Documentation	Preventive
Establish and maintain a telecommunications equipment room, as necessary. CC ID 06708	Configuration	Preventive
Protect power equipment and power cabling from damage or destruction. CC ID 01438 [{power cabling} Power and telecommunications cabling carrying data or supporting information services should be protected from interception, interference or damage. § 11.2.3 Control Equipment should be protected from power failures and other disruptions caused by failures in supporting utilities. § 11.2.2 Control]	Physical and Environmental Protection	Preventive
Install and maintain power distribution boards. CC ID 16486	Systems Design, Build, and Implementation	Preventive
Establish, implement, and maintain a battery room, as necessary. CC ID 06706	Configuration	Preventive
Establish and maintain a generator room, as necessary. CC ID 06704	Configuration	Preventive
Place the Uninterruptible Power Supply in the generator room, as necessary. CC ID 11676	Physical and Environmental Protection	Preventive
Establish, implement, and maintain facility maintenance procedures. CC ID 00710	Establish/Maintain Documentation	Preventive
Design the Information Technology facility with consideration given to natural disasters and man-made disasters. CC ID 00712	Physical and Environmental Protection	Preventive
Design the Information Technology facility with a low profile. CC ID 16140	Physical and Environmental Protection	Preventive
Prohibit signage indicating computer room location and uses. CC ID 06343	Physical and Environmental Protection	Preventive
Require critical facilities to have adequate room for facility maintenance. CC ID 06361	Physical and Environmental Protection	Preventive
Require critical facilities to have adequate room for evacuation. CC ID 11686	Physical and Environmental Protection	Preventive
Build critical facilities according to applicable building codes. CC ID 06366	Physical and Environmental Protection	Preventive
Build critical facilities with fire resistant materials. CC ID 06365	Physical and Environmental Protection	Preventive
Build critical facilities with materials that limit electromagnetic interference. CC ID 16131	Physical and Environmental Protection	Preventive
Build critical facilities with water-resistant materials. CC ID 11679	Physical and Environmental Protection	Preventive
Monitor operational conditions at unmanned facilities. CC ID 06327	Physical and Environmental Protection	Preventive
Remotely control operational conditions at unmanned facilities. CC ID 11680	Technical Security	Preventive
Inspect and maintain the facility and supporting assets. CC ID 06345	Physical and Environmental Protection	Preventive
Test and inspect assets under full load working conditions. CC ID 06356	Testing	Detective
Define selection criteria for facility locations. CC ID 06351	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain facility demolition procedures. CC ID 16133	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain work environment requirements. CC ID 06613	Establish/Maintain Documentation	Preventive
Apply noise-prevention devices to organizational assets, as necessary. CC ID 16141	Physical and Environmental Protection	Preventive
Establish, implement, and maintain system cleanliness requirements. CC ID 06614	Establish/Maintain Documentation	Preventive
House system components in areas where the physical damage potential is minimized. CC ID 01623 [{environmental hazards} Equipment should be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. § 11.2.1 Control]	Physical and Environmental Protection	Preventive
Establish, implement, and maintain a fire prevention and fire suppression standard. CC ID 06695	Establish/Maintain Documentation	Preventive
Install and maintain fire protection equipment. CC ID 00728	Configuration	Preventive
Install and maintain fire suppression systems. CC ID 00729	Configuration	Preventive
Install and maintain smoke detectors. CC ID 15264	Physical and Environmental Protection	Preventive
Conduct periodic fire marshal inspections for all organizational facilities. CC ID 04888	Physical and Environmental Protection	Preventive
Install and maintain fire-retarding divisions such as fire doors in accordance with applicable building codes. CC ID 06362	Physical and Environmental Protection	Preventive
Conduct fire drills, as necessary. CC ID 13985	Process or Activity	Preventive
Employ environmental protections. CC ID 12570	Process or Activity	Preventive
Monitor and review environmental protections. CC ID 12571	Monitor and Evaluate Occurrences	Detective
Establish, implement, and maintain electromagnetic compatibility requirements for in scope assets. CC ID 16472	Establish/Maintain Documentation	Preventive
Install and maintain seismic detectors in critical facilities. CC ID 06364	Physical and Environmental Protection	Detective
Protect physical assets against static electricity, as necessary. CC ID 06363	Physical and Environmental Protection	Preventive
Install and maintain emergency lighting for use in a power failure. CC ID 01440	Physical and Environmental Protection	Preventive
Install and maintain lightning protection mechanisms in critical facilities. CC ID 06367	Physical and Environmental Protection	Preventive
Establish, implement, and maintain pest control systems in organizational facilities CC ID 16139	Physical and Environmental Protection	Preventive
Establish, implement, and maintain a Heating Ventilation and Air Conditioning system. CC ID 00727	Configuration	Preventive
Install and maintain an environment control monitoring system. CC ID 06370	Monitor and Evaluate Occurrences	Detective
Protect air intakes into the organizational facility. CC ID 02211	Physical and Environmental Protection	Preventive
Install and maintain dust collection and filtering as a part of the Heating Ventilation and Air Conditioning system. CC ID 06368	Configuration	Preventive
Install and maintain backup Heating Ventilation and Air Conditioning equipment. CC ID 06369	Configuration	Preventive
Install and maintain a moisture control system as a part of the climate control system. CC ID 06694	Configuration	Preventive
Install and maintain hydrogen sensors, as necessary. CC ID 06705	Configuration	Preventive
Protect physical assets from water damage. CC ID 00730	Configuration	Preventive
Notify interested personnel and affected parties when water is detected in the vicinity of information systems. CC ID 14252	Communicate	Preventive
Install and maintain water detection devices. CC ID 11678	Physical and Environmental Protection	Preventive

Privacy protection for information and data

976

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Privacy protection for information and data CC ID 00008	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 [Privacy and protection of personally identifiable information should be ensured as required in relevant legislation and regulation where applicable. § 18.1.4 Control Privacy and protection of personally identifiable information should be ensured as required in relevant legislation and regulation where applicable. § 18.1.4 Control]	Establish/Maintain Documentation	Preventive
Include the roles and responsibilities of the organization's legal counsel in the privacy framework. CC ID 14862	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a personal data transparency program. CC ID 00375	Data and Information Management	Preventive
Establish and maintain privacy notices, as necessary. CC ID 13443	Establish/Maintain Documentation	Preventive
Include the purpose of the privacy notice in the privacy notice. CC ID 13526	Establish/Maintain Documentation	Preventive
Include contact information in the privacy notice. CC ID 14432	Establish/Maintain Documentation	Preventive
Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503	Establish/Maintain Documentation	Preventive
Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460	Establish/Maintain Documentation	Preventive
Include instructions on how to opt out of personal data disclosure in the privacy notice. CC ID 13461	Establish/Maintain Documentation	Preventive
Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459	Establish/Maintain Documentation	Preventive
Include the organization's policies, standards, and procedures in the privacy notice. CC ID 13455	Establish/Maintain Documentation	Preventive
Include the organization's privacy framework in the privacy notice, as necessary. CC ID 13456	Establish/Maintain Documentation	Preventive
Include the personal data collection categories in the privacy notice. CC ID 13457	Establish/Maintain Documentation	Preventive
Include disclosure exceptions in the privacy notice. CC ID 13447	Establish/Maintain Documentation	Preventive
Include the types of personal data disclosed in the privacy notice. CC ID 13446	Establish/Maintain Documentation	Preventive
Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458	Establish/Maintain Documentation	Preventive
Specify the time frame that notice will be given. CC ID 00385	Establish/Maintain Documentation	Preventive
Include the information about the appeal process in the privacy notice. CC ID 15312	Establish/Maintain Documentation	Preventive
Combine privacy notices into a joint notification with suppliers, as necessary. CC ID 13468	Establish/Maintain Documentation	Preventive
Refrain from delivering privacy notices to data subjects, as necessary. CC ID 13445	Communicate	Preventive
Deliver privacy notices to data subjects, as necessary. CC ID 13444	Communicate	Preventive
Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464	Establish/Maintain Documentation	Preventive
Update privacy notices, as necessary. CC ID 13474	Communicate	Preventive
Redeliver privacy notices, as necessary. CC ID 14850	Communicate	Preventive
Deliver privacy notices to third parties, as necessary. CC ID 13473	Communicate	Preventive
Obtain acknowledgment of receipt of the privacy notice. CC ID 14435	Communicate	Preventive
Document any reasons acknowledgment of the privacy notice was not received. CC ID 14434	Establish/Maintain Documentation	Corrective
Establish and maintain short-form initial notifications of privacy notices that are clear and conspicuous. CC ID 13466	Establish/Maintain Documentation	Preventive
Include the organization's privacy framework in the short-form initial notification, as necessary. CC ID 13472	Establish/Maintain Documentation	Preventive
Include the methodology for accessing the privacy notice in the short-form initial notification. CC ID 13471	Establish/Maintain Documentation	Preventive
Include that the privacy notice is available upon request in the short-form initial notification. CC ID 13470	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain opt-out notices. CC ID 13448	Establish/Maintain Documentation	Preventive
Include how opt out directions for joint consumers are treated in the opt-out notice. CC ID 13465	Establish/Maintain Documentation	Preventive
Include the opt out method for data subjects in the opt-out notice. CC ID 13467	Establish/Maintain Documentation	Preventive
Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463	Establish/Maintain Documentation	Preventive
Explain the right to opt out in the opt-out notice. CC ID 13462	Establish/Maintain Documentation	Preventive
Include the organization's right to share personal data in the opt-out notice. CC ID 13450	Establish/Maintain Documentation	Preventive
Deliver opt-out notices, as necessary. CC ID 13449	Communicate	Preventive
Include an initial privacy notification when delivering the opt-out notice. CC ID 13453	Communicate	Preventive
Provide a copy of the organization's privacy program to statutory authorities, as necessary. CC ID 12376	Communicate	Preventive
Affirm adequate protection of personal data to applicable statutory authorities if the organization is not a member of a privacy program. CC ID 12372	Communicate	Preventive
Notify statutory authorities concerned with the privacy program of the cessation of the organization after being merged or acquired. CC ID 12391	Communicate	Preventive
Notify statutory authorities concerned with the privacy program if the surviving organization will continue in the privacy program. CC ID 12393	Communicate	Preventive
Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354	Communicate	Preventive
Provide the data subject with a notice of participation procedures. CC ID 06241	Establish/Maintain Documentation	Preventive
Deliver notices to the intended parties. CC ID 06240	Data and Information Management	Preventive
Notify data subjects about their privacy rights. CC ID 12989	Communicate	Preventive
Disseminate and communicate the critical third party list with relevance to the privacy program to all interested personnel and affected parties. CC ID 12352	Communicate	Preventive
Require a data protection impact assessment when profiling the data subject. CC ID 12680	Process or Activity	Detective
Establish, implement, and maintain adequate openness procedures. CC ID 00377	Data and Information Management	Preventive
Provide public proof the organization participates in a privacy program. CC ID 12349	Communicate	Preventive
Publish a description of processing activities in an official register. CC ID 00379	Establish/Maintain Documentation	Preventive
Establish and maintain a records request manual. CC ID 00381	Establish/Maintain Documentation	Preventive
Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382	Establish/Maintain Documentation	Preventive
Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383	Behavior	Preventive
Define what is included in registration notices. CC ID 00386	Establish/Maintain Documentation	Preventive
Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387	Establish/Maintain Documentation	Preventive
Include a purpose specification description in the registration notice. CC ID 00388	Establish/Maintain Documentation	Preventive
Include the data subject category being processed in the registration notice. CC ID 00389	Establish/Maintain Documentation	Preventive
Include the time period for data processing in the registration notice. CC ID 00390	Establish/Maintain Documentation	Preventive
Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392	Establish/Maintain Documentation	Preventive
Provide legal authorities access to personal data, upon request. CC ID 06818	Data and Information Management	Preventive
Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609	Process or Activity	Preventive
Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618	Establish/Maintain Documentation	Preventive
Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394	Establish/Maintain Documentation	Preventive
Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398	Establish/Maintain Documentation	Preventive
Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588	Process or Activity	Preventive
Document the countries where restricted data may be stored. CC ID 12750	Data and Information Management	Preventive
Protect the rights of students and their parents or legal representatives. CC ID 00222	Data and Information Management	Preventive
Refrain from allowing access rights to education records maintained by another educational institution. CC ID 13014	Technical Security	Preventive
Refrain from allowing students the right to inspect the financial records of their parent or legal representative. CC ID 13025	Records Management	Preventive
Refrain from allowing students the right to inspect confidential letters and confidential letters of recommendation. CC ID 13019	Records Management	Preventive
Amend education records within a reasonable period after receiving a record amendment request. CC ID 12998	Records Management	Corrective
Decide whether to amend education records based on evidence presented during a hearing. CC ID 13020	Records Management	Corrective
Disseminate and communicate the notification of rights to students and their parent or legal representative. CC ID 12996	Establish/Maintain Documentation	Preventive
Include the criteria for determining what constitutes a legitimate educational interest in the notification of rights. CC ID 13004	Establish/Maintain Documentation	Preventive
Include the criteria for determining what constitutes a school official in the notification of rights. CC ID 13003	Establish/Maintain Documentation	Preventive
Disclose educational data, as necessary. CC ID 00223	Data and Information Management	Preventive
Grant access to education records in support of educational program audits. CC ID 13032	Records Management	Preventive
Grant access to education records in support of external requirements. CC ID 13033	Records Management	Preventive
Disclose statements added to education records, as necessary. CC ID 12990	Communicate	Preventive
Obtain explicit consent from students or their parent or legal representative prior to using or disclosing educational data. CC ID 00220	Data and Information Management	Preventive
Disclose education records when written consent is received. CC ID 00224	Data and Information Management	Preventive
Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002	Establish/Maintain Documentation	Preventive
Specify the purpose of the disclosure in the written consent. CC ID 13001	Establish/Maintain Documentation	Preventive
Specify which education records may be disclosed in the written consent. CC ID 13000	Establish/Maintain Documentation	Preventive
Document the conditions when consent is not required to disclose educational data. CC ID 00225	Establish/Maintain Documentation	Preventive
Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005	Communicate	Preventive
Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023	Communicate	Preventive
Disclose educational data absent consent when it concerns sex offenders. CC ID 13013	Communicate	Preventive
Disclose educational data absent consent to other school officials. CC ID 00226	Data and Information Management	Preventive
Disclose educational data absent consent to another institution's school officials. CC ID 00227	Data and Information Management	Preventive
Disclose educational data absent consent in connection with financial aid. CC ID 00229	Data and Information Management	Preventive
Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230	Data and Information Management	Preventive
Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995	Communicate	Preventive
Disclose educational data absent consent to accrediting organizations. CC ID 00231	Data and Information Management	Preventive
Disclose educational data absent consent to a dependent student's parent or legal representative. CC ID 00232	Data and Information Management	Preventive
Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233	Data and Information Management	Preventive
Disclose educational data absent consent for a health and safety emergency. CC ID 00234	Data and Information Management	Preventive
Disclose educational data absent consent when it is merely directory information. CC ID 00235	Data and Information Management	Preventive
Disclose educational data absent consent to a crime victim. CC ID 00236	Data and Information Management	Preventive
Record the health and safety threats of students when disclosing personal data. CC ID 12997	Establish/Maintain Documentation	Preventive
Refrain from providing information to the data subject, as necessary. CC ID 12625	Communicate	Preventive
Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651	Communicate	Preventive
Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645	Communicate	Preventive
Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634	Communicate	Preventive
Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633	Communicate	Preventive
Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632	Communicate	Preventive
Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631	Communicate	Preventive
Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629	Communicate	Preventive
Refrain from providing information to the data subject when the data subject has the information. CC ID 12628	Communicate	Preventive
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393	Establish/Maintain Documentation	Preventive
Provide the data subject with the data retention period for personal data. CC ID 12587	Process or Activity	Preventive
Provide the data subject with the criteria used to determine the data retention period for personal data. CC ID 12589	Process or Activity	Preventive
Provide the data subject with the adequacy decision. CC ID 12586	Process or Activity	Preventive
Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. CC ID 12585	Process or Activity	Preventive
Provide the data subject with copies of the appropriate safeguards used to protect the privacy of personal data. CC ID 12608	Process or Activity	Preventive
Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396	Data and Information Management	Preventive
Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780	Business Processes	Preventive
Provide the data subject with the data protection officer's contact information. CC ID 12573	Business Processes	Preventive
Notify the data subject of the right to data portability. CC ID 12603	Process or Activity	Preventive
Provide the data subject with information about the right to erasure. CC ID 12602	Process or Activity	Preventive
Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397	Establish/Maintain Documentation	Preventive
Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399	Data and Information Management	Preventive
Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027	Establish/Maintain Documentation	Preventive
Establish and maintain a disclosure accounting record. CC ID 13022	Establish/Maintain Documentation	Preventive
Include the official authorities that are allowed to disclose restricted data absent consent in the disclosure accounting record. CC ID 13029	Establish/Maintain Documentation	Preventive
Include the legitimate interests for accessing restricted data in the disclosure accounting record. CC ID 13028	Establish/Maintain Documentation	Preventive
Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680	Establish/Maintain Documentation	Preventive
Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769	Establish/Maintain Documentation	Preventive
Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768	Establish/Maintain Documentation	Preventive
Include the disclosure date in the disclosure accounting record. CC ID 07133	Establish/Maintain Documentation	Preventive
Include the disclosure recipient in the disclosure accounting record. CC ID 07134	Establish/Maintain Documentation	Preventive
Include the disclosure purpose in the disclosure accounting record. CC ID 07135	Establish/Maintain Documentation	Preventive
Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136	Establish/Maintain Documentation	Preventive
Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137	Establish/Maintain Documentation	Preventive
Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138	Establish/Maintain Documentation	Preventive
Include the research activity or research protocol in the disclosure accounting record. CC ID 07139	Establish/Maintain Documentation	Preventive
Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140	Establish/Maintain Documentation	Preventive
Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141	Establish/Maintain Documentation	Preventive
Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433	Communicate	Preventive
Provide shareholders with electronic messages regarding the shareholder meetings. CC ID 04586	Establish/Maintain Documentation	Preventive
Provide shareholders access to electronic messages via electronic means. CC ID 11855	Process or Activity	Preventive
Make telephone directory information available to the public. CC ID 08698	Establish/Maintain Documentation	Preventive
Display warning screens and confirmation screens for all payment transactions. CC ID 06409	Technical Security	Preventive
Define the acceptable data modifications before presenting the data to a data subject. CC ID 00400	Establish/Maintain Documentation	Preventive
Provide the data subject with information about the legitimate interests associated with personal data processing. CC ID 12614	Process or Activity	Preventive
Establish, implement, and maintain a privacy policy. CC ID 06281	Establish/Maintain Documentation	Preventive
Include the data subject's rights in the privacy policy. CC ID 16355	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a privacy policy model document. CC ID 14720	Establish/Maintain Documentation	Preventive
Document privacy policies in clearly written and easily understood language. CC ID 00376	Establish/Maintain Documentation	Detective
Notify interested personnel and affected parties when changes are made to the privacy policy. CC ID 06943	Behavior	Preventive
Document the notification of interested personnel and affected parties regarding privacy policy changes. CC ID 06944	Establish/Maintain Documentation	Preventive
Define what is included in the privacy policy. CC ID 00404	Establish/Maintain Documentation	Preventive
Define the information being collected in the privacy policy. CC ID 13115	Establish/Maintain Documentation	Preventive
Define which collection of information is voluntary and which is required in the privacy policy. CC ID 13110	Establish/Maintain Documentation	Preventive
Include the means by which information is collected in the privacy policy. CC ID 13114	Establish/Maintain Documentation	Preventive
Remove certification marks of privacy programs the organization is no longer a member of from the privacy policy. CC ID 12368	Establish/Maintain Documentation	Corrective
Include roles and responsibilities in the privacy policy. CC ID 14669	Establish/Maintain Documentation	Preventive
Include management commitment in the privacy policy. CC ID 14668	Establish/Maintain Documentation	Preventive
Include coordination amongst entities in the privacy policy. CC ID 14667	Establish/Maintain Documentation	Preventive
Include the policy for disclosing personal data of persons who have ceased to be customers in the privacy policy. CC ID 14854	Establish/Maintain Documentation	Preventive
Include compliance requirements in the privacy policy. CC ID 14666	Establish/Maintain Documentation	Preventive
Include the consequences of refusing to provide required information in the privacy policy. CC ID 13111	Establish/Maintain Documentation	Preventive
Remove any privacy programs the organization is not a member of from the privacy policy. CC ID 12367	Establish/Maintain Documentation	Corrective
Include independent recourse mechanisms in the privacy policy, as necessary. CC ID 12366	Establish/Maintain Documentation	Preventive
Include the privacy programs the organization is a member of in the privacy policy. CC ID 12365	Establish/Maintain Documentation	Preventive
Include a complaint form in the privacy policy. CC ID 12364	Establish/Maintain Documentation	Preventive
Include the address where the files and hardware that support the data processing is located in the privacy policy. CC ID 00405	Establish/Maintain Documentation	Preventive
Include the processing purpose in the privacy policy. CC ID 00406	Establish/Maintain Documentation	Preventive
Include an overview of applicable information security controls in the privacy policy, as necessary. CC ID 13117	Establish/Maintain Documentation	Preventive
Include the data subject categories being processed in the privacy policy. CC ID 00407	Establish/Maintain Documentation	Preventive
Define the retention period for collected information in the privacy policy. CC ID 13116	Establish/Maintain Documentation	Preventive
Include the time period for when the data processing will be carried out in the privacy policy. CC ID 00408	Establish/Maintain Documentation	Preventive
Include other organizations that personal data is being disclosed to in the privacy policy. CC ID 00409	Establish/Maintain Documentation	Preventive
Include how to gain access to personal data held by the organization in the privacy policy. CC ID 00410	Establish/Maintain Documentation	Preventive
Include instructions on how to opt-out in the privacy policy. CC ID 00411	Establish/Maintain Documentation	Preventive
Include the privacy policy's Uniform Resource Locator in the privacy policy. CC ID 12363	Establish/Maintain Documentation	Preventive
Include instructions on how to disable devices that collect restricted data in the privacy policy. CC ID 15454	Establish/Maintain Documentation	Preventive
Include a description of devices that collect restricted data in the privacy policy. CC ID 15452	Establish/Maintain Documentation	Preventive
Define the audit method used to assess the privacy program in the privacy policy. CC ID 12390	Establish/Maintain Documentation	Preventive
Post the privacy policy in an easily seen location. CC ID 00401	Establish/Maintain Documentation	Preventive
Define who will receive the privacy policy. CC ID 00402	Establish/Maintain Documentation	Preventive
Disseminate and communicate the privacy policy to interested personnel and affected parties. CC ID 13346	Communicate	Preventive
Establish, implement, and maintain privacy procedures. CC ID 14665	Establish/Maintain Documentation	Preventive
Disseminate and communicate the privacy procedures to all interested personnel and affected parties. CC ID 14664	Communicate	Preventive
Establish, implement, and maintain a privacy plan. CC ID 14672	Establish/Maintain Documentation	Preventive
Align the enterprise architecture with the privacy plan. CC ID 14705	Process or Activity	Preventive
Approve the privacy plan. CC ID 14700	Business Processes	Preventive
Include privacy requirements in the privacy plan. CC ID 14699	Establish/Maintain Documentation	Preventive
Include the information types in the privacy plan. CC ID 14695	Establish/Maintain Documentation	Preventive
Include threats in the privacy plan. CC ID 14694	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the privacy plan. CC ID 14702	Establish/Maintain Documentation	Preventive
Include a description of the operational context in the privacy plan. CC ID 14692	Establish/Maintain Documentation	Preventive
Include risk assessment results in the privacy plan. CC ID 14701	Establish/Maintain Documentation	Preventive
Include the security categorizations and rationale in the privacy plan. CC ID 14690	Establish/Maintain Documentation	Preventive
Include security controls in the privacy plan. CC ID 14681	Establish/Maintain Documentation	Preventive
Disseminate and communicate the privacy plan to interested personnel and affected parties. CC ID 14680	Communicate	Preventive
Include a description of the operational environment in the privacy plan. CC ID 14679	Establish/Maintain Documentation	Preventive
Include network diagrams in the privacy plan. CC ID 14678	Establish/Maintain Documentation	Preventive
Include the results of the privacy risk assessment in the privacy plan. CC ID 14677	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a privacy report. CC ID 14754	Establish/Maintain Documentation	Preventive
Disseminate and communicate the privacy report to interested personnel and affected parties. CC ID 14761	Communicate	Preventive
Protect private communications in keeping with compliance requirements. CC ID 14334	Business Processes	Preventive
Disseminate private communications when required by law. CC ID 14335	Communicate	Corrective
Establish, implement, and maintain personal data choice and consent program. CC ID 12569	Establish/Maintain Documentation	Preventive
Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435	Human Resources Management	Preventive
Refrain from charging a fee to implement an opt-out request. CC ID 13877	Business Processes	Preventive
Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433	Establish/Maintain Documentation	Preventive
Include procedures for revoking authorization of consent to use personal data in the disclosure authorization form. CC ID 13438	Establish/Maintain Documentation	Preventive
Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999	Establish/Maintain Documentation	Preventive
Include the recipients of the disclosed personal data in the disclosure authorization form. CC ID 13440	Establish/Maintain Documentation	Preventive
Include the signature of the data subject and the signing date in the disclosure authorization form. CC ID 13439	Establish/Maintain Documentation	Preventive
Include the identity of the data subject in the disclosure authorization form. CC ID 13436	Establish/Maintain Documentation	Preventive
Include the types of personal data to be disclosed in the disclosure authorization form. CC ID 13442	Establish/Maintain Documentation	Preventive
Include how personal data will be used in the disclosure authorization form. CC ID 13441	Establish/Maintain Documentation	Preventive
Include agreement termination information in the disclosure authorization form. CC ID 13437	Establish/Maintain Documentation	Preventive
Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781	Business Processes	Preventive
Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795	Business Processes	Preventive
Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391	Data and Information Management	Preventive
Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452	Business Processes	Preventive
Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454	Business Processes	Preventive
Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451	Business Processes	Preventive
Highlight the section regarding data subject's consent from other sections in contracts and agreements. CC ID 13988	Establish/Maintain Documentation	Preventive
Collect and retain disclosure authorizations for each data subject. CC ID 13434	Records Management	Preventive
Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605	Data and Information Management	Preventive
Refrain from obtaining consent through deception. CC ID 13556	Data and Information Management	Preventive
Give individuals the ability to change the uses of their personal data. CC ID 00469	Data and Information Management	Preventive
Notify data subjects of the implications of withdrawing consent. CC ID 13551	Data and Information Management	Preventive
Establish, implement, and maintain a personal data accountability program. CC ID 13432	Establish/Maintain Documentation	Preventive
Assign ownership of the privacy program to the appropriate organizational role. CC ID 11848	Human Resources Management	Preventive
Require data controllers to be accountable for their actions. CC ID 00470	Establish Roles	Preventive
Bind data controllers to secrecy concerning the performance of their duties. CC ID 12610	Human Resources Management	Preventive
Notify the supervisory authority. CC ID 00472	Behavior	Preventive
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606	Process or Activity	Preventive
Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605	Communicate	Preventive
Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675	Communicate	Corrective
Cooperate with Data Protection Authorities. CC ID 06870	Data and Information Management	Preventive
Submit a safe harbor self-certification letter. CC ID 06871	Establish/Maintain Documentation	Preventive
Refrain from engaging other data processors absent written authorization from the data controller. CC ID 12647	Human Resources Management	Preventive
Establish, implement, and maintain Binding Corporate Rules for the international transfers of restricted data. CC ID 12584	Establish/Maintain Documentation	Preventive
Include cooperation mechanisms with the supervisory authority in the Binding Corporate Rules. CC ID 12682	Establish/Maintain Documentation	Preventive
Include the tasks assigned to the role of data controller in the Binding Corporate Rules. CC ID 12612	Establish/Maintain Documentation	Preventive
Include data subject's rights in the Binding Corporate Rules. CC ID 12596	Establish/Maintain Documentation	Preventive
Include the means to exercise the data subject's rights in the Binding Corporate Rules. CC ID 12597	Establish/Maintain Documentation	Preventive
Include the organizational structure and contact information in the Binding Corporate Rules. CC ID 12595	Establish/Maintain Documentation	Preventive
Include the acceptance of liability for breaches of the binding corporate rules in the Binding Corporate Rules. CC ID 12594	Establish/Maintain Documentation	Preventive
Include the mechanisms for reporting legal requirements causing adverse effects on protecting restricted data in the Binding Corporate Rules. CC ID 12620	Establish/Maintain Documentation	Preventive
Include provisions for providing information on the binding corporate rules to the data subject in the Binding Corporate Rules. CC ID 12593	Establish/Maintain Documentation	Preventive
Include reporting changes to the binding corporate rules in the Binding Corporate Rules. CC ID 12591	Establish/Maintain Documentation	Preventive
Include reporting changes of the binding corporate rules to the supervisory authority in the Binding Corporate Rules. CC ID 12592	Establish/Maintain Documentation	Preventive
Include complaint procedures in the Binding Corporate Rules. CC ID 12613	Establish/Maintain Documentation	Preventive
Include the data transfers in the Binding Corporate Rules. CC ID 12590	Establish/Maintain Documentation	Preventive
Include specifying the mechanisms for verifying compliance of the binding corporate rules in the Binding Corporate Rules. CC ID 12662	Establish/Maintain Documentation	Preventive
Include the identification of the countries in question for the data transfers in the Binding Corporate Rules. CC ID 12601	Establish/Maintain Documentation	Preventive
Include the type of data subjects affected by the data transfers in the Binding Corporate Rules. CC ID 12600	Establish/Maintain Documentation	Preventive
Include all pertinent data processing information for data transfers in the Binding Corporate Rules. CC ID 12599	Establish/Maintain Documentation	Preventive
Include the categories of personal data for data transfers in the Binding Corporate Rules. CC ID 12598	Establish/Maintain Documentation	Preventive
Include specifying the legally binding nature of the binding corporate rules in the Binding Corporate Rules. CC ID 12627	Establish/Maintain Documentation	Preventive
Include privacy awareness and training in the Binding Corporate Rules. CC ID 12626	Establish/Maintain Documentation	Preventive
Notify the data controller of any changes in data processors. CC ID 12648	Communicate	Preventive
Establish, implement, and maintain Data Processing Contracts. CC ID 12650	Establish/Maintain Documentation	Preventive
Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685	Establish/Maintain Documentation	Preventive
Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687	Establish/Maintain Documentation	Preventive
Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938	Establish/Maintain Documentation	Preventive
Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937	Establish/Maintain Documentation	Preventive
Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936	Establish/Maintain Documentation	Preventive
Include the duration of processing in the Data Processing Contract. CC ID 14935	Establish/Maintain Documentation	Preventive
Include personal data transfer procedures in the Data Processing Contract. CC ID 12683	Establish/Maintain Documentation	Preventive
Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679	Establish/Maintain Documentation	Preventive
Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678	Establish/Maintain Documentation	Preventive
Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676	Establish/Maintain Documentation	Preventive
Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686	Human Resources Management	Preventive
Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670	Establish/Maintain Documentation	Preventive
Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a personal data use limitation program. CC ID 13428	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a personal data use purpose specification. CC ID 00093	Establish/Maintain Documentation	Preventive
Display or print the least amount of personal data necessary. CC ID 04643	Data and Information Management	Preventive
Redact confidential information from public information, as necessary. CC ID 06872	Data and Information Management	Preventive
Notify the data subject of the collection purpose. CC ID 00095	Behavior	Preventive
Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096	Data and Information Management	Preventive
Document the law that requires restricted data to be collected. CC ID 00103	Establish/Maintain Documentation	Preventive
Notify the data subject of the consequences for not providing personal data. CC ID 00104	Behavior	Preventive
Notify the data subject of changes to personal data use. CC ID 00105	Behavior	Preventive
Establish, implement, and maintain data use change of purpose procedures. CC ID 00106	Establish/Maintain Documentation	Preventive
Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108	Establish/Maintain Documentation	Preventive
Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453	Establish/Maintain Documentation	Preventive
Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government CC ID 15447	Establish/Maintain Documentation	Preventive
Obtain the data subject's consent when the personal data use changes. CC ID 11832	Behavior	Preventive
Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124	Establish/Maintain Documentation	Preventive
Dispose of media and restricted data in a timely manner. CC ID 00125	Data and Information Management	Preventive
Refrain from destroying records being inspected or reviewed. CC ID 13015	Records Management	Preventive
Notify the data subject after their personal data is disposed, as necessary. CC ID 13502	Communicate	Preventive
Establish, implement, and maintain data access procedures. CC ID 00414	Establish/Maintain Documentation	Preventive
Provide individuals with information about where their personal data was processed. CC ID 00415	Data and Information Management	Preventive
Provide individuals with information about the processing purpose of their personal data. CC ID 00416	Data and Information Management	Preventive
Provide individuals with information about disclosure of their personal data. CC ID 00417	Data and Information Management	Preventive
Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418	Data and Information Management	Preventive
Provide assistance to requesters in preparing data access requests. CC ID 13588	Data and Information Management	Preventive
Require data access requests to be in writing, unless the requester is unable. CC ID 00420	Establish/Maintain Documentation	Preventive
Define what is to be included in a data access request. CC ID 08699	Establish/Maintain Documentation	Preventive
Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394	Business Processes	Preventive
Respond to data access requests in a timely manner. CC ID 00421	Behavior	Preventive
Delay responding to data access requests, as necessary. CC ID 15504	Data and Information Management	Preventive
Expedite the processing of data access requests, as necessary. CC ID 15496	Data and Information Management	Preventive
Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422	Behavior	Detective
Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423	Behavior	Detective
Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502	Business Processes	Preventive
Define what is included in a request for a waiver or reduction of fees. CC ID 15522	Process or Activity	Preventive
Deliver the records described in the personal data access request, as necessary. CC ID 08701	Establish/Maintain Documentation	Preventive
Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503	Data and Information Management	Preventive
Document the outcome of the personal data access request review procedure. CC ID 00455	Data and Information Management	Preventive
Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811	Establish/Maintain Documentation	Preventive
Submit personal data removal requests in writing. CC ID 11973	Records Management	Preventive
Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975	Establish/Maintain Documentation	Preventive
Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812	Records Management	Corrective
Notify third parties of data access requests that relates to the third party. CC ID 08703	Establish/Maintain Documentation	Preventive
Allow affected third parties to consent or object to a data access request. CC ID 08704	Process or Activity	Preventive
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128	Establish/Maintain Documentation	Preventive
Identify any adverse effects the processing of personal data will have on the data subject. CC ID 15299	Data and Information Management	Preventive
Disclose de-identified data, as necessary. CC ID 13034	Communicate	Preventive
Notify the data subject after personal data is used or disclosed. CC ID 06247	Behavior	Preventive
Refrain from processing restricted data, as necessary. CC ID 12551	Records Management	Preventive
Refrain from processing restricted data if the restricted data is involved in a legal claim. CC ID 12668	Process or Activity	Preventive
Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667	Process or Activity	Preventive
Refrain from erasing personal data when the data subject consents to retention. CC ID 14326	Business Processes	Preventive
Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656	Process or Activity	Preventive
Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655	Process or Activity	Preventive
Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654	Process or Activity	Preventive
Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684	Process or Activity	Preventive
Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779	Process or Activity	Preventive
Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778	Process or Activity	Detective
Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653	Process or Activity	Preventive
Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652	Process or Activity	Preventive
Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649	Process or Activity	Preventive
Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644	Process or Activity	Preventive
Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197	Data and Information Management	Preventive
Refrain from processing personal data when it reveals trade union membership. CC ID 12583	Business Processes	Preventive
Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582	Business Processes	Preventive
Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581	Business Processes	Preventive
Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580	Business Processes	Preventive
Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579	Business Processes	Preventive
Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578	Business Processes	Preventive
Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577	Business Processes	Preventive
Refrain from processing personal data when it reveals religious beliefs. CC ID 12576	Business Processes	Preventive
Refrain from processing personal data when it reveals political opinions. CC ID 12575	Business Processes	Preventive
Refrain from processing personal data if it reveals ethnic origin. CC ID 12574	Business Processes	Preventive
Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619	Process or Activity	Preventive
Establish and maintain a record of processing activities when processing restricted data. CC ID 12636	Establish/Maintain Documentation	Preventive
Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378	Establish/Maintain Documentation	Preventive
Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377	Establish/Maintain Documentation	Preventive
Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376	Establish/Maintain Documentation	Preventive
Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375	Establish/Maintain Documentation	Preventive
Include the data protection officer's contact information in the record of processing activities. CC ID 12640	Records Management	Preventive
Include the data processor's contact information in the record of processing activities. CC ID 12657	Records Management	Preventive
Include the data processor's representative's contact information in the record of processing activities. CC ID 12658	Records Management	Preventive
Include a general description of the implemented security measures in the record of processing activities. CC ID 12641	Records Management	Preventive
Include a description of the data subject categories in the record of processing activities. CC ID 12659	Records Management	Preventive
Include the purpose of processing restricted data in the record of processing activities. CC ID 12663	Records Management	Preventive
Include the personal data processing categories in the record of processing activities. CC ID 12661	Records Management	Preventive
Include the time limits for erasing each data category in the record of processing activities. CC ID 12690	Records Management	Preventive
Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664	Records Management	Preventive
Include a description of the personal data categories in the record of processing activities. CC ID 12660	Records Management	Preventive
Include the joint data controller's contact information in the record of processing activities. CC ID 12639	Records Management	Preventive
Include the data controller's representative's contact information in the record of processing activities. CC ID 12638	Records Management	Preventive
Include documentation of the transferee's safeguards for transferring restricted data in the record of processing activities. CC ID 12643	Records Management	Preventive
Include the identification of transferees for transferring restricted data in the record of processing activities. CC ID 12642	Records Management	Preventive
Include the data controller's contact information in the record of processing activities. CC ID 12637	Records Management	Preventive
Process restricted data lawfully and carefully. CC ID 00086	Establish Roles	Preventive
Analyze requirements for processing personal data in contracts. CC ID 12550	Investigate	Detective
Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646	Technical Security	Preventive
Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200	Data and Information Management	Preventive
Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990	Communicate	Corrective
Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966	Records Management	Preventive
Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210	Establish/Maintain Documentation	Preventive
Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212	Data and Information Management	Preventive
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970	Records Management	Preventive
Rely upon the warrant of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969	Process or Activity	Preventive
Rely upon the warrant of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976	Records Management	Preventive
Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250	Data and Information Management	Preventive
Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for fundraising. CC ID 06256	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257	Establish/Maintain Documentation	Preventive
Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201	Establish/Maintain Documentation	Preventive
Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819	Data and Information Management	Preventive
Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216	Establish/Maintain Documentation	Preventive
Define and implement valid authorization control requirements. CC ID 06258	Establish/Maintain Documentation	Preventive
Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217	Data and Information Management	Preventive
Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218	Data and Information Management	Preventive
Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219	Data and Information Management	Preventive
Process personal data after the data subject has granted explicit consent. CC ID 00180	Data and Information Management	Preventive
Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182	Data and Information Management	Preventive
Process personal data relating to criminal offenses when required by law. CC ID 00237	Data and Information Management	Preventive
Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183	Data and Information Management	Preventive
Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184	Data and Information Management	Preventive
Process personal data for statistical purposes or scientific purposes. CC ID 00256	Data and Information Management	Preventive
Process personal data when it is processed during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185	Data and Information Management	Preventive
Process traffic data in a controlled manner. CC ID 00130	Data and Information Management	Preventive
Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186	Data and Information Management	Preventive
Process personal data when it is publicly accessible. CC ID 00187	Data and Information Management	Preventive
Process personal data for direct marketing and other personalized mail programs. CC ID 00188	Data and Information Management	Preventive
Refrain from processing personal data for marketing or advertising to children. CC ID 14010	Business Processes	Preventive
Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708	Communicate	Corrective
Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189	Data and Information Management	Preventive
Process personal data for debt collection or benefit payments. CC ID 00190	Data and Information Management	Preventive
Process personal data in order to advance the public interest. CC ID 00191	Data and Information Management	Preventive
Process personal data for surveys, archives, or scientific research. CC ID 00192	Data and Information Management	Preventive
Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193	Data and Information Management	Preventive
Process personal data for academic purposes or religious purposes. CC ID 00194	Data and Information Management	Preventive
Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195	Data and Information Management	Preventive
Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196	Data and Information Management	Preventive
Follow legal obligations while processing personal data. CC ID 04794	Data and Information Management	Preventive
Start personal data processing only after the needed notifications are submitted. CC ID 04791	Data and Information Management	Preventive
Process personal data absent consent for specific and well-documented circumstances. CC ID 13537	Data and Information Management	Preventive
Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012	Process or Activity	Preventive
Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617	Data and Information Management	Preventive
Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615	Data and Information Management	Preventive
Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612	Data and Information Management	Preventive
Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611	Data and Information Management	Preventive
Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580	Data and Information Management	Preventive
Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282	Data and Information Management	Preventive
Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587	Data and Information Management	Preventive
Process personal data absent consent in order to perform a contract. CC ID 13586	Data and Information Management	Preventive
Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581	Data and Information Management	Preventive
Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294	Data and Information Management	Preventive
Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579	Data and Information Management	Preventive
Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578	Data and Information Management	Preventive
Process personal data absent consent when it is needed by law. CC ID 13577	Data and Information Management	Preventive
Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296	Data and Information Management	Preventive
Process personal data absent consent when it is from publicly available information. CC ID 13576	Data and Information Management	Preventive
Process personal data absent consent to create a credit report. CC ID 15288	Data and Information Management	Preventive
Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575	Data and Information Management	Preventive
Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291	Data and Information Management	Preventive
Process personal data absent consent when produced for business purposes. CC ID 13563	Data and Information Management	Preventive
Process personal data absent consent for handling insurance claims. CC ID 13561	Data and Information Management	Preventive
Process personal data absent consent if the information is contained in a witness statement. CC ID 13560	Data and Information Management	Preventive
Process personal data absent consent for life-threatening emergencies. CC ID 13558	Data and Information Management	Preventive
Process personal data absent consent for reasonable investigative purposes. CC ID 13557	Data and Information Management	Preventive
Notify the individual before restricted data is collected, used, or disclosed. CC ID 00132	Behavior	Preventive
Define security breach notification requirement exceptions. CC ID 04797	Establish/Maintain Documentation	Preventive
Refrain from disclosing a security breach if an investigation concludes none has occurred. CC ID 13086	Communicate	Corrective
Refrain from disclosing personal data absent consent of the individual or for defined exceptions. CC ID 11967	Records Management	Preventive
Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989	Communicate	Corrective
Disclose restricted data when the data subject has given unambiguous and implicit consent. CC ID 00157	Data and Information Management	Preventive
Define what restricted data is not required to be disclosed absent consent. CC ID 00134	Establish/Maintain Documentation	Preventive
Define the exceptions to disclosure absent consent. CC ID 00135	Establish/Maintain Documentation	Preventive
Disclose personal data when the data subject has consented and has the ability to opt out. CC ID 00158	Data and Information Management	Detective
Define opt-out exceptions for disclosing restricted data. CC ID 00159	Establish/Maintain Documentation	Preventive
Define how a data subject may give consent. CC ID 00160	Establish/Maintain Documentation	Preventive
Disclose Personal Identification Numbers absent consent in order to update address information. CC ID 04793	Data and Information Management	Preventive
Disclose personal data absent consent for specific and well-documented circumstances. CC ID 15267	Communicate	Preventive
Disclose restricted data absent consent when the law does not require consent. CC ID 00136	Data and Information Management	Preventive
Disclose data absent consent if its disclosure is consistent with the intended purpose. CC ID 15270	Data and Information Management	Preventive
Disclose restricted data when a relevant connection exists between the data subject and the data controller's operations. CC ID 00137	Data and Information Management	Preventive
Disclose personal data absent consent if the disclosure with the consent or knowledge of the data subject would compromise the ability to prevent, detect, or suppress fraud. CC ID 13594	Data and Information Management	Preventive
Disclose personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15284	Data and Information Management	Preventive
Disclose personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13616	Data and Information Management	Preventive
Disclose personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13613	Data and Information Management	Preventive
Disclose personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13603	Data and Information Management	Preventive
Disclose personal data absent consent if disclosure is made a predetermined number of years after the death of the data subject. CC ID 13598	Data and Information Management	Preventive
Disclose personal data absent consent when disclosure is made a predetermined number of years after the information was created. CC ID 13597	Data and Information Management	Preventive
Disclose personal data absent consent if the data subject is notified of the disclosure. CC ID 13596	Data and Information Management	Preventive
Disclose personal data absent consent to detect, suppress, or prevent fraud. CC ID 13592	Data and Information Management	Preventive
Disclose personal data absent consent to create a credit report. CC ID 15297	Data and Information Management	Preventive
Disclose personal data absent consent if it is necessary to identify an individual who is injured, ill or deceased. CC ID 13595	Data and Information Management	Preventive
Disclose restricted data absent consent if the disclosure is to a government institution. CC ID 13583	Data and Information Management	Preventive
Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593	Data and Information Management	Preventive
Disclose personal data absent consent to determine whether to proceed with business transactions. CC ID 15285	Data and Information Management	Preventive
Disclose personal data absent consent for handling insurance claims. CC ID 13585	Data and Information Management	Preventive
Disclose personal data absent consent if the information is contained in a witness statement. CC ID 13584	Data and Information Management	Preventive
Disclose personal data absent consent if the data subject is believed to be a victim of financial abuse. CC ID 13555	Data and Information Management	Preventive
Disclose personal data absent consent for transactions related to the consumer. CC ID 14853	Data and Information Management	Preventive
Disclose restricted data absent consent to a government institution that has requested the information. CC ID 13582	Data and Information Management	Preventive
Disclose personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 13554	Data and Information Management	Preventive
Disclose restricted data absent consent when it is for the data controller's legitimate interest or third party's legitimate interest and it prevails over individual rights. CC ID 00138	Data and Information Management	Preventive
Disclose personal data absent consent if the organization notifies the privacy commissioner before disclosing the information. CC ID 13553	Data and Information Management	Preventive
Disclose personal data absent consent if it is impracticable to obtain consent. CC ID 13552	Data and Information Management	Preventive
Disclose restricted data absent consent in order to perform a contract. CC ID 00139	Data and Information Management	Preventive
Disclose restricted data absent consent in order to assist Telecommunications Ombudsmen in resolving complaints. CC ID 00140	Data and Information Management	Preventive
Disclose personal data absent consent to administer a trust fund or benefit plan. CC ID 15290	Data and Information Management	Preventive
Disclose personal data absent consent for research purposes and the data subject is not identified. CC ID 15286	Data and Information Management	Preventive
Disclose personal data absent consent when the personal data is disclosed by calling an emergency service number. CC ID 00141	Data and Information Management	Preventive
Disclose restricted data absent consent when the restricted data prevents life-threatening emergencies to third parties. CC ID 00142	Data and Information Management	Preventive
Disclose restricted data absent consent when the restricted data preserves human life at sea. CC ID 00143	Data and Information Management	Preventive
Disclose restricted data absent consent in order to process the restricted data for public interests. CC ID 00144	Data and Information Management	Preventive
Disclose restricted data for public interests absent consent in order to provide social work assistance services. CC ID 00145	Data and Information Management	Preventive
Disclose restricted data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146	Data and Information Management	Preventive
Disclose restricted data for public interests absent consent in order to protect historical records or archival records CC ID 00147	Data and Information Management	Preventive
Disclose restricted data absent consent for public economic interests. CC ID 00148	Data and Information Management	Preventive
Disclose restricted data for public interests absent consent for National Security reasons. CC ID 00149	Data and Information Management	Preventive
Disclose restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00150	Data and Information Management	Preventive
Disclose restricted data absent consent when it is publicly accessible. CC ID 00151	Data and Information Management	Preventive
Disclose restricted data absent consent when it is related to publicly available information. CC ID 00152	Data and Information Management	Preventive
Disclose publicly accessible restricted data absent consent when the data subject has already published it. CC ID 00153	Data and Information Management	Preventive
Disclose restricted data absent consent in order to protect the data subject's vital interests. CC ID 00154	Data and Information Management	Preventive
Disclose restricted data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155	Data and Information Management	Preventive
Disclose restricted data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161	Data and Information Management	Preventive
Disclose restricted data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162	Establish/Maintain Documentation	Detective
Disclose restricted data absent consent when it is needed by law. CC ID 00163	Data and Information Management	Preventive
Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796	Data and Information Management	Preventive
Disclose personal data absent consent when it is being disclosed to the data subject. CC ID 00164	Data and Information Management	Preventive
Disclose personal data absent consent for direct marketing or other personalized mail programs. CC ID 14855	Data and Information Management	Preventive
Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165	Data and Information Management	Preventive
Disclose personal data absent consent when the data subject or data owner is anonymous. CC ID 00166	Data and Information Management	Preventive
Disclose restricted data absent consent when the disclosure concerns the individual's products or services obtained from the organization. CC ID 13469	Communicate	Preventive
Establish, implement, and maintain restricted data retention procedures. CC ID 00167	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain personal data disposition procedures. CC ID 13498	Establish/Maintain Documentation	Preventive
Capture personal data removal requests. CC ID 13507	Communicate	Preventive
Remove personal data from records after receiving a personal data removal request. CC ID 11972	Records Management	Preventive
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789	Process or Activity	Preventive
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788	Process or Activity	Preventive
Dispose of personal data removal requests, as necessary. CC ID 13512	Business Processes	Preventive
Limit the redisclosure and reuse of restricted data. CC ID 00168	Data and Information Management	Preventive
Refrain from redisclosing or reusing restricted data. CC ID 00169	Data and Information Management	Preventive
Document the redisclosing restricted data exceptions. CC ID 00170	Establish/Maintain Documentation	Preventive
Redisclose restricted data when the data subject consents. CC ID 00171	Data and Information Management	Preventive
Redisclose restricted data when it is for criminal law enforcement. CC ID 00172	Data and Information Management	Preventive
Redisclose restricted data in order to protect public revenue. CC ID 00173	Data and Information Management	Preventive
Redisclose restricted data in order to assist a Telecommunications Ombudsman. CC ID 00174	Data and Information Management	Preventive
Redisclose restricted data in order to prevent a life-threatening emergency. CC ID 00175	Data and Information Management	Preventive
Redisclose restricted data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176	Data and Information Management	Preventive
Redisclose restricted data in order to preserve human life at sea. CC ID 00177	Data and Information Management	Preventive
Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178	Data and Information Management	Preventive
Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198	Data and Information Management	Preventive
Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199	Data and Information Management	Preventive
Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238	Data and Information Management	Preventive
Process Personal Identification Numbers with consent. CC ID 00239	Data and Information Management	Preventive
Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253	Behavior	Preventive
Obtain consent prior to selling a Personal Identification Number. CC ID 00240	Data and Information Management	Preventive
Obtain consent prior to displaying a Personal Identification Number. CC ID 00241	Data and Information Management	Preventive
Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254	Data and Information Management	Preventive
Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255	Data and Information Management	Preventive
Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242	Establish/Maintain Documentation	Preventive
Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252	Data and Information Management	Preventive
Use Personal Identification Numbers absent consent for research purposes. CC ID 00247	Data and Information Management	Preventive
Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244	Data and Information Management	Preventive
Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243	Data and Information Management	Preventive
Allow data subjects the ability to restrict the use and disclosure of personal data. CC ID 06821	Data and Information Management	Preventive
Establish, implement, and maintain data disclosure procedures. CC ID 00133	Establish/Maintain Documentation	Preventive
Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298	Data and Information Management	Preventive
Review personal data disclosure requests. CC ID 07129	Data and Information Management	Preventive
Notify the data subject of the disclosure purpose. CC ID 15268	Communicate	Preventive
Establish, implement, and maintain data request denial procedures. CC ID 00434	Establish/Maintain Documentation	Preventive
Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435	Data and Information Management	Preventive
Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436	Data and Information Management	Preventive
Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437	Data and Information Management	Preventive
Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438	Data and Information Management	Preventive
Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439	Data and Information Management	Preventive
Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440	Data and Information Management	Preventive
Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441	Data and Information Management	Preventive
Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442	Data and Information Management	Preventive
Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443	Data and Information Management	Preventive
Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702	Process or Activity	Preventive
Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600	Data and Information Management	Preventive
Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444	Data and Information Management	Preventive
Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445	Data and Information Management	Preventive
Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446	Data and Information Management	Detective
Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447	Data and Information Management	Preventive
Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448	Data and Information Management	Preventive
Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449	Data and Information Management	Preventive
Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450	Data and Information Management	Preventive
Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451	Data and Information Management	Preventive
Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873	Data and Information Management	Preventive
Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874	Data and Information Management	Preventive
Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875	Data and Information Management	Preventive
Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453	Data and Information Management	Preventive
Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509	Communicate	Preventive
Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454	Data and Information Management	Preventive
Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700	Process or Activity	Preventive
Disseminate and communicate personal data to the individual that it relates to. CC ID 00428	Data and Information Management	Preventive
Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876	Data and Information Management	Preventive
Notify that data subject of any exclusions to requested personal data. CC ID 15271	Communicate	Preventive
Provide data or records in a reasonable time frame. CC ID 00429	Data and Information Management	Preventive
Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599	Communicate	Preventive
Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591	Data and Information Management	Preventive
Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590	Data and Information Management	Preventive
Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589	Data and Information Management	Preventive
Provide data at a cost that is not excessive. CC ID 00430	Data and Information Management	Preventive
Provide records or data in a reasonable manner. CC ID 00431	Data and Information Management	Preventive
Provide personal data in a form that is intelligible. CC ID 00432	Data and Information Management	Preventive
Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604	Data and Information Management	Preventive
Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602	Data and Information Management	Preventive
Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601	Data and Information Management	Preventive
Document that a data search was conducted in case the requested data cannot be found. CC ID 06953	Establish/Maintain Documentation	Preventive
Include cookie management in the privacy framework. CC ID 13809	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain cookie management procedures. CC ID 13810	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a personal data collection program. CC ID 06487	Establish/Maintain Documentation	Preventive
Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279	Data and Information Management	Preventive
Refrain from collecting personal data, as necessary. CC ID 15269	Data and Information Management	Preventive
Determine the financial impact for the unauthorized disclosure of privacy-related data and privacy-related information. CC ID 06488	Business Processes	Detective
Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a personal data use policy. CC ID 00076	Establish/Maintain Documentation	Preventive
Use personal data for specified purposes. CC ID 11831	Data and Information Management	Preventive
Post the collection purpose. CC ID 00101	Establish/Maintain Documentation	Preventive
Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012	Data and Information Management	Preventive
Document each individual's personal data collection consent preferences. CC ID 06945	Establish/Maintain Documentation	Preventive
Provide explicit consent that is clear and unambiguous. CC ID 00181	Data and Information Management	Preventive
Allow individuals to change their personal data collection consent preferences. CC ID 06946	Data and Information Management	Preventive
Adhere to each individual's personal data collection consent preferences. CC ID 06947	Data and Information Management	Preventive
Notify the data subject of the source of collected personal data. CC ID 00083	Behavior	Preventive
Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717	Data and Information Management	Preventive
Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718	Data and Information Management	Preventive
Establish and maintain a personal data definition. CC ID 00028	Establish/Maintain Documentation	Preventive
Include an individual's name in the personal data definition. CC ID 04710	Data and Information Management	Preventive
Include an individual's name combined with other personal data in the personal data definition. CC ID 04709	Data and Information Management	Preventive
Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686	Data and Information Management	Preventive
Include an individual's signature in the personal data definition. CC ID 04711	Data and Information Management	Preventive
Include an individual's date of birth in the personal data definition. CC ID 04770	Data and Information Management	Preventive
Include the number of children in the personal data definition. CC ID 13759	Establish/Maintain Documentation	Preventive
Include the individual's religion in the personal data definition. CC ID 13765	Establish/Maintain Documentation	Preventive
Include an individual's physical characteristics or description in the personal data definition. CC ID 04712	Data and Information Management	Preventive
Include an individual's biometric data in the personal data definition. CC ID 04698	Data and Information Management	Preventive
Include an individual's photographic image in the personal data definition. CC ID 04779	Data and Information Management	Preventive
Include an individual's fingerprints in the personal data definition. CC ID 04689	Data and Information Management	Preventive
Include an individual's address in the personal data definition. CC ID 04687	Data and Information Management	Preventive
Include an individual's telephone number in the personal data definition. CC ID 04688	Data and Information Management	Preventive
Include an individual's fax number in the personal data definition. CC ID 07120	Data and Information Management	Preventive
Include an individual's political party affiliation in the personal data definition. CC ID 13764	Establish/Maintain Documentation	Preventive
Include an individual's license plate number in the personal data definition. CC ID 13763	Establish/Maintain Documentation	Preventive
Include an individual's financial account number in the personal data definition. CC ID 04692	Data and Information Management	Preventive
Include an individual's account balances in the personal data definition. CC ID 13770	Establish/Maintain Documentation	Preventive
Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768	Data and Information Management	Preventive
Include an individual's electronic identification name or number in the personal data definition. CC ID 04694	Data and Information Management	Preventive
Include an individual's logon credentials in the personal data definition. CC ID 13771	Establish/Maintain Documentation	Preventive
Include an individual's Alien Registration Number in the personal data definition. CC ID 04743	Data and Information Management	Preventive
Include an individual's passport number in the personal data definition. CC ID 04713	Data and Information Management	Preventive
Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691	Data and Information Management	Preventive
Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690	Data and Information Management	Preventive
Include an individual's military identification number in the personal data definition. CC ID 13083	Establish/Maintain Documentation	Preventive
Include an individual's e-mail address in the personal data definition. CC ID 04696	Data and Information Management	Preventive
Include electronic signatures in the personal data definition. CC ID 04697	Data and Information Management	Preventive
Include an individual's payment card information in the personal data definition. CC ID 04751	Data and Information Management	Preventive
Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693	Data and Information Management	Preventive
Include an individual's payment card service code in the personal data definition. CC ID 04753	Data and Information Management	Preventive
Include an individual's payment card expiration date in the personal data definition. CC ID 04755	Data and Information Management	Preventive
Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825	Data and Information Management	Preventive
Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700	Data and Information Management	Preventive
Include an individual's medical history in the personal data definition. CC ID 04701	Data and Information Management	Preventive
Include an individual's medical treatment in the personal data definition. CC ID 04702	Data and Information Management	Preventive
Include an individual's medical diagnosis in the personal data definition. CC ID 04703	Data and Information Management	Preventive
Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704	Data and Information Management	Preventive
Include an individual's medical record numbers in the personal data definition. CC ID 07121	Data and Information Management	Preventive
Include an individual's health insurance information in the personal data definition. CC ID 04705	Data and Information Management	Preventive
Include an individual's health insurance policy number in the personal data definition. CC ID 04706	Data and Information Management	Preventive
Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707	Data and Information Management	Preventive
Include an individual's education information in the personal data definition. CC ID 04714	Data and Information Management	Preventive
Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122	Data and Information Management	Preventive
Include an individual's employment information in the personal data definition. CC ID 04715	Data and Information Management	Preventive
Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767	Data and Information Management	Preventive
Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763	Data and Information Management	Preventive
Include an individual's employment history in the personal data definition. CC ID 04716	Data and Information Management	Preventive
Include an individual's place of employment in the personal data definition. CC ID 04765	Data and Information Management	Preventive
Include an individual's Employee Identification Number in the personal data definition. CC ID 04766	Data and Information Management	Preventive
Include an individual's property information in the personal data definition. CC ID 04780	Data and Information Management	Preventive
Include an individual's property title in the personal data definition. CC ID 04781	Data and Information Management	Preventive
Include an individual's vehicle registration in the personal data definition. CC ID 04782	Data and Information Management	Preventive
Include hardware asset identification information in the personal data definition. CC ID 07123	Data and Information Management	Preventive
Include MAC addresses in the personal data definition. CC ID 04778	Data and Information Management	Preventive
Include Internet Protocol addresses in the personal data definition. CC ID 04777	Data and Information Management	Preventive
Include asset serial numbers in the personal data definition. CC ID 07124	Data and Information Management	Preventive
Include Uniform Resource Locators in the personal data definition. CC ID 07125	Data and Information Management	Preventive
Refrain from including publicly available information in the personal data definition. CC ID 13084	Establish/Maintain Documentation	Preventive
Define specially restricted data. CC ID 00037	Data and Information Management	Preventive
Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079	Data and Information Management	Preventive
Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075	Data and Information Management	Preventive
Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080	Data and Information Management	Preventive
Implement a nondiscrimination principle. CC ID 00081	Data and Information Management	Preventive
Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799	Data and Information Management	Preventive
Preserve each individual's right to human dignity. CC ID 00082	Data and Information Management	Preventive
Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058	Data and Information Management	Preventive
Employ a random number generator to create authenticators. CC ID 13782	Technical Security	Preventive
Collect Personal Identification Numbers with the individual's consent. CC ID 00059	Data and Information Management	Preventive
Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061	Data and Information Management	Preventive
Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065	Data and Information Management	Preventive
Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792	Data and Information Management	Preventive
Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069	Behavior	Preventive
Manage health data collection. CC ID 00050	Data and Information Management	Preventive
Collect Individually Identifiable Health Information to provide health care services. CC ID 00052	Data and Information Management	Preventive
Collect Individually Identifiable Health Information when the law dictates. CC ID 00053	Data and Information Management	Preventive
Collect Individually Identifiable Health Information for research. CC ID 00054	Data and Information Management	Preventive
Remove personal data before disclosing health data. CC ID 00055	Data and Information Management	Preventive
Give special attention to collecting children's data. CC ID 00038	Data and Information Management	Preventive
Use simple understandable language to collect information from children. CC ID 00039	Behavior	Preventive
Notify parents or legal representatives of what information is collected from children. CC ID 00040	Establish/Maintain Documentation	Preventive
Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041	Data and Information Management	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043	Data and Information Management	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044	Data and Information Management	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045	Data and Information Management	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046	Data and Information Management	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047	Data and Information Management	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048	Data and Information Management	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049	Data and Information Management	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199	Data and Information Management	Preventive
Establish, implement, and maintain a personal data collection policy. CC ID 00029	Establish/Maintain Documentation	Preventive
Collect personal data directly from the data subject. CC ID 00011	Data and Information Management	Preventive
Create and manage user account aliases to maintain pseudonymity. CC ID 04549	Data and Information Management	Preventive
Provide unlinkability for users and resources. CC ID 04550	Data and Information Management	Preventive
Provide unobservability of users and resources. CC ID 04551	Technical Security	Preventive
Confirm the data quality of personal data collected from third parties. CC ID 13510	Investigate	Detective
Collect restricted data in a fair and lawful manner. CC ID 00010	Data and Information Management	Preventive
Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013	Data and Information Management	Preventive
Collect restricted data absent consent when the data collection is in the individual's interests and consent can not be obtained in a timely manner. CC ID 00014	Data and Information Management	Preventive
Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015	Data and Information Management	Preventive
Collect personal data absent consent in order to make a disclosure. CC ID 13550	Data and Information Management	Preventive
Collect personal data absent consent for reasonable investigative purposes. CC ID 11801	Data and Information Management	Preventive
Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548	Data and Information Management	Preventive
Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544	Data and Information Management	Preventive
Collect personal data absent consent for handling insurance claims. CC ID 13543	Data and Information Management	Preventive
Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016	Data and Information Management	Preventive
Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295	Data and Information Management	Preventive
Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614	Data and Information Management	Preventive
Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277	Data and Information Management	Preventive
Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289	Data and Information Management	Preventive
Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292	Data and Information Management	Preventive
Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017	Data and Information Management	Preventive
Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293	Data and Information Management	Preventive
Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018	Data and Information Management	Preventive
Collect restricted data absent consent from publicly available information. CC ID 00019	Data and Information Management	Preventive
Collect restricted data absent consent when needed by law. CC ID 00020	Data and Information Management	Preventive
Collect personal data absent consent to create a credit report. CC ID 15287	Data and Information Management	Preventive
Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021	Data and Information Management	Preventive
Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022	Data and Information Management	Preventive
Collect the minimum amount of restricted data necessary. CC ID 00078	Data and Information Management	Preventive
Collect restricted data in a proper information framework. CC ID 00009	Data and Information Management	Preventive
Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027	Data and Information Management	Preventive
Collect restricted data when required by law. CC ID 00031	Data and Information Management	Preventive
Collect restricted data to prevent life-threatening emergencies. CC ID 00032	Data and Information Management	Preventive
Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034	Data and Information Management	Preventive
Collect restricted data for legal purposes. CC ID 00036	Data and Information Management	Preventive
Review the methods for collecting personal data, as necessary. CC ID 13511	Investigate	Detective
Provide the data subject with information about the data controller during the collection process. CC ID 00023	Establish/Maintain Documentation	Preventive
Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760	Communicate	Preventive
Provide the data subject with the data collector's name and contact information. CC ID 00024	Establish/Maintain Documentation	Preventive
Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025	Establish/Maintain Documentation	Preventive
Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a data handling program. CC ID 13427	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain data handling policies. CC ID 00353	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361	Establish/Maintain Documentation	Preventive
Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565	Data and Information Management	Preventive
Protect electronic messaging information. CC ID 12022 [Information involved in electronic messaging should be appropriately protected. § 13.2.3 Control]	Technical Security	Preventive
Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360	Data and Information Management	Preventive
Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699	Configuration	Preventive
Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757	Testing	Detective
Store payment card data in secure chips, if possible. CC ID 13065	Configuration	Preventive
Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758	Configuration	Preventive
Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952	Technical Security	Preventive
Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083	Data and Information Management	Preventive
Log the disclosure of personal data. CC ID 06628	Log Management	Preventive
Log the modification of personal data. CC ID 11844	Log Management	Preventive
Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850	Technical Security	Preventive
Implement security measures to protect personal data. CC ID 13606	Technical Security	Preventive
Implement physical controls to protect personal data. CC ID 00355	Testing	Preventive
Limit data leakage. CC ID 00356	Data and Information Management	Preventive
Conduct personal data risk assessments. CC ID 00357	Testing	Detective
Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654	Monitor and Evaluate Occurrences	Preventive
Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851	Business Processes	Preventive
Establish, implement, and maintain suspicious document procedures. CC ID 04852	Establish/Maintain Documentation	Detective
Establish, implement, and maintain suspicious personal data procedures. CC ID 04853	Data and Information Management	Detective
Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855	Data and Information Management	Detective
Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854	Monitor and Evaluate Occurrences	Detective
Perform an identity check prior to approving an account change request. CC ID 13670	Investigate	Detective
Use the contact information on file to contact the individual identified in an account change request. CC ID 04857	Behavior	Detective
Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873	Data and Information Management	Detective
Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874	Log Management	Detective
Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875	Monitor and Evaluate Occurrences	Corrective
Log dates for account name changes or address changes. CC ID 04876	Log Management	Detective
Review accounts that are changed for additional user requests. CC ID 11846	Monitor and Evaluate Occurrences	Detective
Send change notices for change of address requests to the old address and the new address. CC ID 04877	Data and Information Management	Detective
Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408	Acquisition/Sale of Assets or Services	Preventive
Search the Internet for evidence of data leakage. CC ID 10419	Process or Activity	Detective
Alert appropriate personnel when data leakage is detected. CC ID 14715	Process or Activity	Preventive
Review monitored websites for data leakage. CC ID 10593	Monitor and Evaluate Occurrences	Detective
Take appropriate action when a data leakage is discovered. CC ID 14716	Process or Activity	Corrective
Include text about data ownership in the data handling policy. CC ID 15720	Data and Information Management	Preventive
Establish, implement, and maintain a telephone systems usage policy. CC ID 15170	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain caller identification controls. CC ID 04790	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126	Data and Information Management	Preventive
Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127	Data and Information Management	Preventive
Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128	Data and Information Management	Preventive
Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465	Communicate	Preventive
Establish, implement, and maintain data handling procedures. CC ID 11756	Establish/Maintain Documentation	Preventive
Define personal data that falls under breach notification rules. CC ID 00800	Establish/Maintain Documentation	Preventive
Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662	Data and Information Management	Preventive
Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669	Data and Information Management	Preventive
Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771	Data and Information Management	Preventive
Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671	Data and Information Management	Preventive
Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672	Data and Information Management	Preventive
Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670	Data and Information Management	Preventive
Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656	Data and Information Management	Preventive
Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657	Data and Information Management	Preventive
Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774	Data and Information Management	Preventive
Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775	Data and Information Management	Preventive
Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764	Data and Information Management	Preventive
Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658	Data and Information Management	Preventive
Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660	Data and Information Management	Preventive
Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663	Data and Information Management	Preventive
Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666	Data and Information Management	Preventive
Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667	Data and Information Management	Preventive
Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668	Data and Information Management	Preventive
Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752	Data and Information Management	Preventive
Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659	Data and Information Management	Preventive
Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754	Data and Information Management	Preventive
Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756	Data and Information Management	Preventive
Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759	Data and Information Management	Preventive
Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760	Data and Information Management	Preventive
Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661	Data and Information Management	Preventive
Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673	Data and Information Management	Preventive
Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674	Data and Information Management	Preventive
Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675	Data and Information Management	Preventive
Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676	Data and Information Management	Preventive
Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682	Data and Information Management	Preventive
Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681	Data and Information Management	Preventive
Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683	Data and Information Management	Preventive
Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684	Data and Information Management	Preventive
Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772	Data and Information Management	Preventive
Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773	Data and Information Management	Preventive
Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788	Data and Information Management	Preventive
Define an out of scope privacy breach. CC ID 04677	Establish/Maintain Documentation	Preventive
Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678	Business Processes	Preventive
Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679	Monitor and Evaluate Occurrences	Preventive
Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761	Monitor and Evaluate Occurrences	Preventive
Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762	Monitor and Evaluate Occurrences	Preventive
Conduct internal data processing audits. CC ID 00374	Testing	Detective
Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466	Communicate	Preventive
Establish, implement, and maintain a personal data transfer program. CC ID 00307	Establish/Maintain Documentation	Preventive
Obtain consent from an individual prior to transferring personal data. CC ID 06948	Data and Information Management	Preventive
Include procedures for transferring personal data from one data controller to another data controller in the personal data transfer program. CC ID 00351	Establish/Maintain Documentation	Preventive
Refrain from requiring independent recourse mechanisms when transferring personal data from one data controller to another data controller. CC ID 12528	Business Processes	Preventive
Notify data subjects when their personal data is transferred. CC ID 00352	Behavior	Preventive
Include procedures for transferring personal data to third parties in the personal data transfer program. CC ID 00333	Establish/Maintain Documentation	Preventive
Notify data subjects of the geographic locations of the third parties when transferring personal data to third parties. CC ID 14414	Communicate	Preventive
Provide an adequate data protection level by the transferee prior to transferring personal data to another country. CC ID 00314	Data and Information Management	Preventive
Refrain from restricting personal data transfers to member states of the European Union. CC ID 00312	Data and Information Management	Preventive
Prohibit the transfer of personal data when security is inadequate. CC ID 00345	Data and Information Management	Preventive
Meet the use of limitation exceptions in order to transfer personal data. CC ID 00346	Data and Information Management	Preventive
Refrain from transferring past the first transfer. CC ID 00347	Data and Information Management	Preventive
Document transfer disagreements by the data subject in writing. CC ID 00348	Establish/Maintain Documentation	Preventive
Allow the data subject the right to object to the personal data transfer. CC ID 00349	Data and Information Management	Preventive
Authorize the transfer of restricted data in accordance with organizational standards. CC ID 16428	Records Management	Preventive
Follow the instructions of the data transferrer. CC ID 00334	Behavior	Preventive
Define the personal data transfer exceptions for transferring personal data to another country when adequate protection level standards are not met. CC ID 00315	Establish/Maintain Documentation	Preventive
Include publicly available information as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00316	Data and Information Management	Preventive
Include transfer agreements between data controllers and third parties when it is for the data subject's interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00317	Data and Information Management	Preventive
Include personal data for the health field and for treatment as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00318	Data and Information Management	Preventive
Include personal data for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00319	Data and Information Management	Preventive
Include personal data for important public interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00320	Data and Information Management	Preventive
Include consent by the data subject as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00321	Data and Information Management	Preventive
Include personal data used for a contract as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00322	Data and Information Management	Preventive
Include personal data for protecting the data subject or the data subject's interests, such as saving his/her life or providing healthcare as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00323	Data and Information Management	Preventive
Include personal data that is necessary to fulfill international law obligations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00324	Data and Information Management	Preventive
Include personal data used for legal investigations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00325	Data and Information Management	Preventive
Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00326	Data and Information Management	Preventive
Require transferees to implement adequate data protection levels for the personal data. CC ID 00335	Data and Information Management	Preventive
Refrain from requiring a contract between the data controller and trusted third parties when personal information is transferred. CC ID 12527	Business Processes	Preventive
Define the personal data transfer exceptions for transferring personal data to another organization when adequate protection level standards are not met. CC ID 00336	Establish/Maintain Documentation	Preventive
Include personal data that is publicly available information as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00337	Data and Information Management	Preventive
Include personal data that is used for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00338	Data and Information Management	Preventive
Include personal data that is used for important public interest as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00339	Data and Information Management	Preventive
Include consent by the data subject as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00340	Data and Information Management	Preventive
Include personal data that is used for a contract as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00341	Data and Information Management	Preventive
Include personal data that is used for protecting the data subject or the data subject's interests, such as providing healthcare or saving his/her life as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00342	Data and Information Management	Preventive
Include personal data that is used for a legal investigation as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00343	Data and Information Management	Preventive
Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00344	Data and Information Management	Preventive
Notify data subjects about organizational liability when transferring personal data to third parties. CC ID 12353	Communicate	Preventive
Notify the data subject of any personal data changes during the personal data transfer. CC ID 00350	Behavior	Preventive
Establish, implement, and maintain Internet interactivity data transfer procedures. CC ID 06949	Establish/Maintain Documentation	Preventive
Obtain consent prior to storing cookies on an individual's browser. CC ID 06950	Data and Information Management	Preventive
Obtain consent prior to downloading software to an individual's computer. CC ID 06951	Data and Information Management	Preventive
Refrain from installing software on an individual's computer unless acting in accordance with a court order. CC ID 14000	Process or Activity	Preventive
Remove or uninstall software from an individual's computer, as necessary. CC ID 13998	Process or Activity	Preventive
Remove or uninstall software from an individual's computer when consent is revoked. CC ID 13997	Process or Activity	Preventive
Obtain consent prior to tracking Internet traffic patterns or browsing history of an individual. CC ID 06961	Data and Information Management	Preventive
Establish, implement, and maintain a privacy impact assessment. CC ID 13712	Establish/Maintain Documentation	Preventive
Include the individuals with whom information is shared in the privacy impact assessment. CC ID 15520	Establish/Maintain Documentation	Preventive
Include how to grant consent in the privacy impact assessment. CC ID 15519	Establish/Maintain Documentation	Preventive
Include the opportunities for individuals to consent to using their information in the privacy impact assessment. CC ID 15518	Establish/Maintain Documentation	Preventive
Include the opportunities for opting out of information collection in the privacy impact assessment. CC ID 15517	Establish/Maintain Documentation	Preventive
Include data handling procedures in the privacy impact assessment. CC ID 15516	Establish/Maintain Documentation	Preventive
Include the intended use of information in the privacy impact assessment. CC ID 15515	Establish/Maintain Documentation	Preventive
Include the reason information is being collected in the privacy impact assessment. CC ID 15514	Establish/Maintain Documentation	Preventive
Include the type of information to be collected in the privacy impact assessment. CC ID 15513	Business Processes	Preventive
Disseminate and communicate the results of the Privacy Impact Assessment to interested personnel and affected parties. CC ID 15458	Communicate	Preventive
Review compliance with the organization's privacy objectives. CC ID 13490	Human Resources Management	Detective
Develop remedies and sanctions for privacy policy violations. CC ID 00474	Data and Information Management	Preventive
Define the behaviors and actions that are included in privacy rights violations. CC ID 14852	Behavior	Preventive
Implement procedures to file privacy rights violation complaints. CC ID 00476	Data and Information Management	Corrective
File privacy rights violation complaints in writing. CC ID 00477	Establish/Maintain Documentation	Corrective
Include the acts or omissions that are in violation of privacy rights in the privacy rights violation complaint. CC ID 14360	Establish/Maintain Documentation	Corrective
Include the individual's name who is the subject of the complaint in the privacy rights violation complaint. CC ID 14359	Establish/Maintain Documentation	Preventive
Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478	Behavior	Corrective
File privacy rights violation complaints inside the mandate stipulated from the refusal. CC ID 00479	Behavior	Corrective
Change or destroy any personal data that is incorrect. CC ID 00462	Data and Information Management	Corrective
Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463	Behavior	Corrective
Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610	Data and Information Management	Preventive
Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465	Data and Information Management	Corrective
Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526	Establish/Maintain Documentation	Preventive
Include potential remedies in the privacy dispute resolution program. CC ID 12531	Establish/Maintain Documentation	Preventive
Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395	Establish/Maintain Documentation	Preventive
Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529	Establish/Maintain Documentation	Preventive
Document unresolved challenges. CC ID 13568	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an accuracy resolution policy. CC ID 00460	Establish/Maintain Documentation	Preventive
Notify individuals of their right to challenge personal data. CC ID 00457	Data and Information Management	Preventive
Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458	Data and Information Management	Preventive
Terminate an individual's restriction agreement under specific circumstances. CC ID 06260	Configuration	Preventive
Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798	Human Resources Management	Preventive
Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459	Data and Information Management	Preventive
Investigate the disputed accuracy of personal data. CC ID 00461	Data and Information Management	Preventive
Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466	Behavior	Corrective
Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467	Behavior	Corrective
Notify third parties of unresolved challenges. CC ID 13559	Communicate	Preventive
Document disagreements as to whether personal data is complete and accurate. CC ID 06952	Establish/Maintain Documentation	Preventive
Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954	Establish/Maintain Documentation	Preventive
Order the cessation of data processing when a violation of the privacy policy is detected. CC ID 00475	Data and Information Management	Corrective
Investigate privacy rights violation complaints. CC ID 00480	Behavior	Detective
Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364	Business Processes	Corrective
Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491	Behavior	Detective
Include the allegations against the organization in the notice of investigation. CC ID 13031	Establish/Maintain Documentation	Preventive
Investigate privacy rights violation complaints in private. CC ID 00492	Behavior	Detective
Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493	Behavior	Detective
Allow the complainant to appear before the commissioner and make a submission, orally or in writing, about the privacy rights violation complaint investigation prior to an adverse decision to the complainant is reached. CC ID 00494	Behavior	Detective
Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481	Behavior	Preventive
Determine not to investigate privacy rights violation complaints under certain conditions. CC ID 00482	Behavior	Preventive
Refrain from investigating a privacy rights violation complaint when the act or practice does not interfere with an individual's privacy. CC ID 00483	Behavior	Preventive
Refrain from investigating a privacy rights violation complaint when the complaint is created outside the stipulated time frame after the complainant became aware of it. CC ID 00484	Behavior	Preventive
Refrain from investigating a privacy rights violation complaint when the complaint is frivolous, vexatious, misconceived, or lacking in substance. CC ID 00485	Behavior	Preventive
Refrain from investigating a privacy rights violation complaint if the act or practice is subject to an application under another commonwealth law, state law, or territory law, and the complaint was or is being dealt with adequately under the law. CC ID 00486	Behavior	Preventive
Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487	Behavior	Preventive
Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488	Behavior	Preventive
Defer privacy rights violation complaint investigations when the Privacy Commissioner believes the data subject's interests would not be affected if the investigation or further investigation were deferred until the application was disposed of. CC ID 00489	Behavior	Preventive
Notify respondents after a privacy rights violation complaint investigation has been resolved. CC ID 13513	Communicate	Corrective
Create an investigative report in regards to a privacy rights violation complaint. CC ID 00495	Establish/Maintain Documentation	Corrective
Respond to an investigative report in regards to a privacy rights violation complaint. CC ID 00496	Behavior	Corrective
Define the available administrative remedies in regards to a privacy rights violation complaint. CC ID 00497	Establish/Maintain Documentation	Detective
Order the organization to change to be in compliance with applicable law. CC ID 00499	Behavior	Corrective
Order the organization to publish a notice with the corrections or actions taken. CC ID 00500	Behavior	Corrective
Award damages based on applicable law. CC ID 00501	Behavior	Corrective
Destroy personal data that breaches privacy after the privacy breach has been detected. CC ID 00503	Data and Information Management	Corrective
Define the organization's liability based on the applicable law. CC ID 00504	Establish/Maintain Documentation	Preventive
Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505	Establish/Maintain Documentation	Preventive
Define the appeal process based on the applicable law. CC ID 00506	Establish/Maintain Documentation	Preventive
Provide notice of proposed penalties. CC ID 06216	Establish/Maintain Documentation	Preventive
Notify the public and other agencies after a penalty becomes final. CC ID 06217	Behavior	Preventive
Refrain from subjecting individuals to retaliation or intimidation after a complaint is created. CC ID 06218	Testing	Detective

Records management

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Records management CC ID 00902	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain records management policies. CC ID 00903	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a record classification scheme. CC ID 00914	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a records authentication system. CC ID 11648 [Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements. § 18.1.3 Control]	Establish/Maintain Documentation	Preventive
Define each system's preservation requirements for records and logs. CC ID 00904	Establish/Maintain Documentation	Detective
Establish, implement, and maintain storage media disposition and destruction procedures. CC ID 11657 [Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements. § 18.1.3 Control]	Establish/Maintain Documentation	Preventive
Supervise media destruction in accordance with organizational standards. CC ID 16456	Business Processes	Preventive
Sanitize electronic storage media in accordance with organizational standards. CC ID 16464	Data and Information Management	Preventive
Sanitize all electronic storage media before disposing a system or redeploying a system. CC ID 01643 [All items of equipment containing storage media should be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use. § 11.2.7 Control]	Data and Information Management	Preventive
Degauss as a method of sanitizing electronic storage media. CC ID 00973	Records Management	Preventive
Destroy electronic storage media following the storage media disposition and destruction procedures. CC ID 00970 [Media should be disposed of securely when no longer required, using formal procedures. § 8.3.2 Control]	Testing	Detective
Manage waste materials in accordance with the storage media disposition and destruction procedures. CC ID 16485	Process or Activity	Preventive
Maintain media sanitization equipment in operational condition. CC ID 00721	Testing	Detective
Use approved media sanitization equipment for destruction. CC ID 16459	Business Processes	Preventive
Establish, implement, and maintain records management procedures. CC ID 11619	Establish/Maintain Documentation	Preventive
Protect records from loss in accordance with applicable requirements. CC ID 12007 [Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements. § 18.1.3 Control]	Records Management	Preventive
Establish, implement, and maintain document security requirements for the output of records. CC ID 11656 [Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements. § 18.1.3 Control]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain document handling procedures for paper documents. CC ID 00926	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 [Procedures should be implemented for the management of removable media in accordance with the classification scheme adopted by the organization. § 8.3.1 Control]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain security label procedures. CC ID 06747 [An appropriate set of procedures for information labelling should be developed and implemented in accordance with the information classification scheme adopted by the organization. § 8.2.2 Control]	Establish/Maintain Documentation	Preventive
Label restricted storage media appropriately. CC ID 00966	Data and Information Management	Preventive
Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420	Records Management	Detective
Establish, implement, and maintain restricted material identification procedures. CC ID 01889	Establish/Maintain Documentation	Preventive
Conspicuously locate the restricted record's overall classification. CC ID 01890	Establish/Maintain Documentation	Preventive
Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891	Establish/Maintain Documentation	Preventive
Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892	Establish/Maintain Documentation	Preventive
Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893	Establish/Maintain Documentation	Preventive
Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894	Establish/Maintain Documentation	Preventive
Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896	Data and Information Management	Preventive
Establish, implement, and maintain label inheritance mechanisms for aggregate data sets. CC ID 06957	Technical Security	Preventive
Establish the minimum originator requirements for security labels. CC ID 06579	Establish/Maintain Documentation	Preventive
Establish the minimum intermediate system requirements for security labels. CC ID 06581	Establish/Maintain Documentation	Preventive
Establish the minimum receiver requirements for records or electronic storage media marked with security labels. CC ID 06580	Establish/Maintain Documentation	Preventive
Establish policy based processing rules to process incoming records or electronic storage media marked with security labels. CC ID 06582	Establish/Maintain Documentation	Preventive
Establish and maintain access controls for all records. CC ID 00371 [Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements. § 18.1.3 Control]	Records Management	Preventive
Reproduce materials containing restricted data or restricted information in accordance with compliance requirements. CC ID 02202	Data and Information Management	Preventive
Establish, implement, and maintain a records lifecycle management program. CC ID 00951	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an information preservation policy. CC ID 16483	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain information preservation procedures. CC ID 06277	Establish/Maintain Documentation	Preventive
Implement and maintain high availability storage, as necessary. CC ID 00952	Technical Security	Preventive
Implement and maintain backups and duplicate copies of organizational records. CC ID 00953	Records Management	Preventive
Establish, implement, and maintain the duplicate original of record indexes. CC ID 00954	Records Management	Preventive
Establish, implement, and maintain a transparent storage media strategy. CC ID 00932	Records Management	Preventive
Establish, implement, and maintain an online availability plan that is commensurate with the electronic storage media. CC ID 00934	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain online storage monitoring and reporting capabilities. CC ID 00935	Monitor and Evaluate Occurrences	Detective
Establish, implement, and maintain online storage controls. CC ID 00942	Technical Security	Preventive
Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943	Records Management	Preventive
Store records on non-rewritable, non-erasable storage media formats, as necessary. CC ID 00944	Testing	Detective
Provide encryption for different types of electronic storage media. CC ID 00945	Technical Security	Preventive
Implement electronic storage media integrity controls. CC ID 00946	Configuration	Preventive
Automate electronic storage media integrity check controls. CC ID 00948	Configuration	Preventive
Provide capacity for indexes on electronic storage media, as necessary. CC ID 00950	Configuration	Preventive
Provide audit trails for all pertinent records. CC ID 00372	Establish/Maintain Documentation	Detective
Establish, implement, and maintain a removable storage media log. CC ID 12317	Log Management	Preventive
Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320	Establish/Maintain Documentation	Preventive
Include the date and time in the removable storage media log. CC ID 12318	Establish/Maintain Documentation	Preventive
Include the name and signature of the current custodian in the removable storage media log. CC ID 12315	Establish/Maintain Documentation	Preventive
Include the number of physical media used for the data transfer in the removable storage media log. CC ID 12754	Establish/Maintain Documentation	Preventive
Include the recipient's name for the data transfer in the removable storage media log. CC ID 12753	Establish/Maintain Documentation	Preventive
Include the sender's name in the removable storage media log. CC ID 12752	Establish/Maintain Documentation	Preventive
Include the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751	Establish/Maintain Documentation	Preventive
Include the reason for transfer in the removable storage media log. CC ID 12316	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain storage media downgrading procedures. CC ID 10619	Process or Activity	Preventive
Identify electronic storage media that require downgrading. CC ID 10620	Process or Activity	Detective
Downgrade electronic storage media, as necessary. CC ID 10621	Process or Activity	Corrective
Document all actions taken when downgrading electronic storage media. CC ID 10622	Establish/Maintain Documentation	Preventive
Test the storage media downgrade for correct performance. CC ID 10623	Testing	Detective

System hardening through configuration management

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
System hardening through configuration management CC ID 00860	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain system hardening procedures. CC ID 12001	Establish/Maintain Documentation	Preventive
Remove all unnecessary functionality. CC ID 00882	Configuration	Preventive
Disable all unnecessary applications unless otherwise noted in a policy exception. CC ID 04827	Configuration	Preventive
Restrict and control the use of privileged utility programs. CC ID 12030 [The use of utility programs that might be capable of overriding system and application controls should be restricted and tightly controlled. § 9.4.4 Control]	Technical Security	Preventive
Establish, implement, and maintain authenticators. CC ID 15305	Technical Security	Preventive
Establish, implement, and maintain an authenticator standard. CC ID 01702	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an authenticator management system. CC ID 12031 [The allocation of secret authentication information should be controlled through a formal management process. § 9.2.4 Control {interactive system} Password management systems should be interactive and should ensure quality passwords. § 9.4.3 Control]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a repository of authenticators. CC ID 16372	Data and Information Management	Preventive
Establish, implement, and maintain authenticator procedures. CC ID 12002 [Users should be required to follow the organization’s practices in the use of secret authentication information. § 9.3.1 Control]	Establish/Maintain Documentation	Preventive
Restrict access to authentication files to authorized personnel, as necessary. CC ID 12127	Technical Security	Preventive
Configure authenticators to comply with organizational standards. CC ID 06412 [{interactive system} Password management systems should be interactive and should ensure quality passwords. § 9.4.3 Control]	Configuration	Preventive
Configure the system to require new users to change their authenticator on first use. CC ID 05268	Configuration	Preventive
Configure authenticators so that group authenticators or shared authenticators are prohibited. CC ID 00519	Configuration	Preventive
Change the authenticator for shared accounts when the group membership changes. CC ID 14249	Business Processes	Corrective
Configure the system to prevent unencrypted authenticator use. CC ID 04457	Configuration	Preventive
Disable store passwords using reversible encryption. CC ID 01708	Configuration	Preventive
Configure the system to encrypt authenticators. CC ID 06735	Configuration	Preventive
Configure the system to mask authenticators. CC ID 02037	Configuration	Preventive
Configure the authenticator policy to ban the use of usernames or user identifiers in authenticators. CC ID 05992	Configuration	Preventive
Configure the "minimum number of digits required for new passwords" setting to organizational standards. CC ID 08717	Establish/Maintain Documentation	Preventive
Configure the "minimum number of upper case characters required for new passwords" setting to organizational standards. CC ID 08718	Establish/Maintain Documentation	Preventive
Configure the system to refrain from specifying the type of information used as password hints. CC ID 13783	Configuration	Preventive
Configure the "minimum number of lower case characters required for new passwords" setting to organizational standards. CC ID 08719	Establish/Maintain Documentation	Preventive
Disable machine account password changes. CC ID 01737	Configuration	Preventive
Configure the "minimum number of special characters required for new passwords" setting to organizational standards. CC ID 08720	Establish/Maintain Documentation	Preventive
Configure the "require new passwords to differ from old ones by the appropriate minimum number of characters" setting to organizational standards. CC ID 08722	Establish/Maintain Documentation	Preventive
Configure the "password reuse" setting to organizational standards. CC ID 08724	Establish/Maintain Documentation	Preventive
Configure the "Disable Remember Password" setting. CC ID 05270	Configuration	Preventive
Configure the "Minimum password age" to organizational standards. CC ID 01703	Configuration	Preventive
Configure the LILO/GRUB password. CC ID 01576	Configuration	Preventive
Configure the system to use Apple's Keychain Access to store passwords and certificates. CC ID 04481	Configuration	Preventive
Change the default password to Apple's Keychain. CC ID 04482	Configuration	Preventive
Configure Apple's Keychain items to ask for the Keychain password. CC ID 04483	Configuration	Preventive
Configure the Syskey Encryption Key and associated password. CC ID 05978	Configuration	Preventive
Configure the "Accounts: Limit local account use of blank passwords to console logon only" setting. CC ID 04505	Configuration	Preventive
Configure the "System cryptography: Force strong key protection for user keys stored in the computer" setting. CC ID 04534	Configuration	Preventive
Configure interactive logon for accounts that do not have assigned authenticators in accordance with organizational standards. CC ID 05267	Configuration	Preventive
Enable or disable remote connections from accounts with empty authenticators, as appropriate. CC ID 05269	Configuration	Preventive
Configure the "Send LanMan compatible password" setting. CC ID 05271	Configuration	Preventive
Configure the authenticator policy to ban or allow authenticators as words found in dictionaries, as appropriate. CC ID 05993	Configuration	Preventive
Set the most number of characters required for the BitLocker Startup PIN correctly. CC ID 06054	Configuration	Preventive
Set the default folder for BitLocker recovery passwords correctly. CC ID 06055	Configuration	Preventive
Notify affected parties to keep authenticators confidential. CC ID 06787	Behavior	Preventive
Discourage affected parties from recording authenticators. CC ID 06788	Behavior	Preventive
Ensure the root account is the first entry in password files. CC ID 16323	Data and Information Management	Detective
Configure the "shadow password for all accounts in /etc/passwd" setting to organizational standards. CC ID 08721	Establish/Maintain Documentation	Preventive
Configure the "password hashing algorithm" setting to organizational standards. CC ID 08723	Establish/Maintain Documentation	Preventive
Configure the "Disable password strength validation for Peer Grouping" setting to organizational standards. CC ID 10866	Configuration	Preventive
Configure the "Set the interval between synchronization retries for Password Synchronization" setting to organizational standards. CC ID 11185	Configuration	Preventive
Configure the "Set the number of synchronization retries for servers running Password Synchronization" setting to organizational standards. CC ID 11187	Configuration	Preventive
Configure the "Turn off password security in Input Panel" setting to organizational standards. CC ID 11296	Configuration	Preventive
Configure the "Turn on the Windows to NIS password synchronization for users that have been migrated to Active Directory" setting to organizational standards. CC ID 11355	Configuration	Preventive
Configure the authenticator display screen to organizational standards. CC ID 13794	Configuration	Preventive
Configure the authenticator field to disallow memorized secrets found in the memorized secret list. CC ID 13808	Configuration	Preventive
Configure the authenticator display screen to display the memorized secret as an option. CC ID 13806	Configuration	Preventive
Disseminate and communicate with the end user when a memorized secret entered into an authenticator field matches one found in the memorized secret list. CC ID 13807	Communicate	Preventive
Configure the look-up secret authenticator to dispose of memorized secrets after their use. CC ID 13817	Configuration	Corrective
Configure the memorized secret verifiers to refrain from allowing anonymous users to access memorized secret hints. CC ID 13823	Configuration	Preventive
Configure the system to allow paste functionality for the authenticator field. CC ID 13819	Configuration	Preventive
Configure the system to require successful authentication before an authenticator for a user account is changed. CC ID 13821	Configuration	Preventive
Configure Logging settings in accordance with organizational standards. CC ID 07611	Configuration	Preventive
Configure all logs to capture auditable events or actionable events. CC ID 06332	Configuration	Preventive
Configure the log to capture actions taken by individuals with root privileges or administrative privileges and add logging option to the root file system. CC ID 00645 [System administrator and system operator activities should be logged and the logs protected and regularly reviewed. § 12.4.3 Control]	Log Management	Detective

Systems design, build, and implementation

230

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Systems design, build, and implementation CC ID 00989	IT Impact Zone	IT Impact Zone
Initiate the System Development Life Cycle planning phase. CC ID 06266	Systems Design, Build, and Implementation	Preventive
Establish, implement, and maintain system design principles and system design guidelines. CC ID 01057 [{system development} Rules for the development of software and systems should be established and applied to developments within the organization. § 14.2.1 Control]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a security controls definition document. CC ID 01080	Establish/Maintain Documentation	Preventive
Include identified risks and legal requirements in the security controls definition document. CC ID 11743	Establish/Maintain Documentation	Preventive
Include naming conventions in system design guidelines. CC ID 13656	Establish/Maintain Documentation	Preventive
Implement manual override capability into automated systems. CC ID 14921	Systems Design, Build, and Implementation	Preventive
Define and assign the system development project team roles and responsibilities. CC ID 01061	Establish Roles	Preventive
Disseminate and communicate system development roles and responsibilities to interested personnel and affected parties. CC ID 01062	Establish Roles	Preventive
Disseminate and communicate system development roles and responsibilities to business unit leaders. CC ID 01063	Establish Roles	Preventive
Restrict system architects from being assigned as Administrators. CC ID 01064	Testing	Detective
Restrict the development team from having access to the production environment. CC ID 01066	Testing	Detective
Redesign business activities to support the system implementation. CC ID 01067	Systems Design, Build, and Implementation	Corrective
Establish, implement, and maintain a source data collection design specification. CC ID 01070	Establish/Maintain Documentation	Preventive
Establish and maintain an input requirements definition document. CC ID 01071	Establish/Maintain Documentation	Preventive
Search for metadata during e-discovery. CC ID 01073	Systems Design, Build, and Implementation	Preventive
Establish, implement, and maintain security design principles. CC ID 14718	Systems Design, Build, and Implementation	Preventive
Include reduced complexity of systems or system components in the security design principles. CC ID 14753	Systems Design, Build, and Implementation	Preventive
Include self-reliant trustworthiness of systems or system components in the security design principles. CC ID 14752	Systems Design, Build, and Implementation	Preventive
Include partially ordered dependencies of systems or system components in the security design principles. CC ID 14751	Systems Design, Build, and Implementation	Preventive
Include modularity and layering of systems or system components in the security design principles. CC ID 14750	Systems Design, Build, and Implementation	Preventive
Include secure evolvability of systems or system components in the security design principles. CC ID 14749	Systems Design, Build, and Implementation	Preventive
Include continuous protection of systems or system components in the security design principles. CC ID 14748	Establish/Maintain Documentation	Preventive
Include least common mechanisms between systems or system components in the security design principles. CC ID 14747	Systems Design, Build, and Implementation	Preventive
Include secure system modification of systems or system components in the security design principles. CC ID 14746	Systems Design, Build, and Implementation	Preventive
Include clear abstractions of systems or system components in the security design principles. CC ID 14745	Systems Design, Build, and Implementation	Preventive
Include secure failure and recovery of systems or system components in the security design principles. CC ID 14744	Systems Design, Build, and Implementation	Preventive
Include repeatable and documented procedures for systems or system components in the security design principles. CC ID 14743	Systems Design, Build, and Implementation	Preventive
Include least privilege of systems or system components in the security design principles. CC ID 14742	Systems Design, Build, and Implementation	Preventive
Include minimized sharing of systems or system components in the security design principles. CC ID 14741	Systems Design, Build, and Implementation	Preventive
Include acceptable security of systems or system components in the security design principles. CC ID 14740	Systems Design, Build, and Implementation	Preventive
Include minimized security elements in systems or system components in the security design principles. CC ID 14739	Systems Design, Build, and Implementation	Preventive
Include hierarchical protection in systems or system components in the security design principles. CC ID 14738	Systems Design, Build, and Implementation	Preventive
Include self-analysis of systems or system components in the security design principles. CC ID 14737	Systems Design, Build, and Implementation	Preventive
Include inverse modification thresholds in systems or system components in the security design principles. CC ID 14736	Systems Design, Build, and Implementation	Preventive
Include efficiently mediated access to systems or system components in the security design principles. CC ID 14735	Systems Design, Build, and Implementation	Preventive
Include secure distributed composition of systems or system components in the security design principles. CC ID 14734	Systems Design, Build, and Implementation	Preventive
Include minimization of systems or system components in the security design principles. CC ID 14733	Systems Design, Build, and Implementation	Preventive
Include secure defaults in systems or system components in the security design principles. CC ID 14732	Systems Design, Build, and Implementation	Preventive
Include trusted communications channels for systems or system components in the security design principles. CC ID 14731	Systems Design, Build, and Implementation	Preventive
Include economic security in systems or system components in the security design principles. CC ID 14730	Systems Design, Build, and Implementation	Preventive
Include trusted components of systems or system components in the security design principles. CC ID 14729	Systems Design, Build, and Implementation	Preventive
Include procedural rigor in systems or system components in the security design principles. CC ID 14728	Systems Design, Build, and Implementation	Preventive
Include accountability and traceability of systems or system components in the security design principles. CC ID 14727	Systems Design, Build, and Implementation	Preventive
Include hierarchical trust in systems or system components in the security design principles. CC ID 14726	Systems Design, Build, and Implementation	Preventive
Include sufficient documentation for systems or system components in the security design principles. CC ID 14725	Systems Design, Build, and Implementation	Preventive
Include performance security of systems or system components in the security design principles. CC ID 14724	Systems Design, Build, and Implementation	Preventive
Include human factored security in systems or system components in the security design principles. CC ID 14723	Systems Design, Build, and Implementation	Preventive
Include secure metadata management of systems or system components in the security design principles. CC ID 14722	Systems Design, Build, and Implementation	Preventive
Include predicate permission of systems or system components in the security design principles. CC ID 14721	Systems Design, Build, and Implementation	Preventive
Establish, implement, and maintain a system use training plan. CC ID 01089	Establish/Maintain Documentation	Preventive
Train the affected users during system development life cycle projects. CC ID 01091	Behavior	Preventive
Establish and maintain access rights to the system use training plan based on least privilege. CC ID 06963	Establish/Maintain Documentation	Preventive
Include the physical design characteristics in the system design specification. CC ID 06927	Establish/Maintain Documentation	Preventive
Separate the design and development environment from the production environment. CC ID 06088 [{development environment} {testing environment} Development, testing, and operational environments should be separated to reduce the risks of unauthorized access or changes to the operational environment. § 12.1.4 Control]	Systems Design, Build, and Implementation	Preventive
Specify appropriate tools for the system development project. CC ID 06830	Establish/Maintain Documentation	Preventive
Implement security controls in development endpoints. CC ID 16389	Testing	Preventive
Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267	Systems Design, Build, and Implementation	Preventive
Develop systems in accordance with the system design specifications and system design standards. CC ID 01094 [Principles for engineering secure systems should be established, documented, maintained and applied to any information system implementation efforts. § 14.2.5 Control]	Systems Design, Build, and Implementation	Preventive
Establish, implement, and maintain outsourced development procedures. CC ID 01141	Establish/Maintain Documentation	Preventive
Supervise and monitor outsourced development projects. CC ID 01096 [The organization should supervise and monitor the activity of outsourced system development. § 14.2.7 Control]	Monitor and Evaluate Occurrences	Detective
Protect stored manufacturing components prior to assembly. CC ID 12248	Systems Design, Build, and Implementation	Preventive
Store manufacturing components in a controlled access area. CC ID 12256	Physical and Environmental Protection	Preventive
Develop new products based on best practices. CC ID 01095	Systems Design, Build, and Implementation	Preventive
Establish, implement, and maintain a system design specification. CC ID 04557	Establish/Maintain Documentation	Preventive
Document the system architecture in the system design specification. CC ID 12287	Establish/Maintain Documentation	Preventive
Include hardware requirements in the system design specification. CC ID 08666	Establish/Maintain Documentation	Preventive
Include communication links in the system design specification. CC ID 08665	Establish/Maintain Documentation	Preventive
Include a description of each module and asset in the system design specification. CC ID 11734	Establish/Maintain Documentation	Preventive
Include supporting software requirements in the system design specification. CC ID 08664	Establish/Maintain Documentation	Preventive
Establish and maintain Application Programming Interface documentation. CC ID 12203	Establish/Maintain Documentation	Preventive
Include configuration options in the Application Programming Interface documentation. CC ID 12205	Establish/Maintain Documentation	Preventive
Include the logical data flows and process steps in the system design specification. CC ID 08668	Establish/Maintain Documentation	Preventive
Establish and maintain the system design specification in a manner that is clear and easy to read. CC ID 12286	Establish/Maintain Documentation	Preventive
Include threat models in the system design specification. CC ID 06829	Systems Design, Build, and Implementation	Preventive
Include security requirements in the system design specification. CC ID 06826 [The information security related requirements should be included in the requirements for new information systems or enhancements to existing information systems. § 14.1.1 Control]	Systems Design, Build, and Implementation	Preventive
Establish, implement, and maintain access control procedures for the test environment that match those of the production environment. CC ID 06793	Establish/Maintain Documentation	Preventive
Include anti-tamper technologies and anti-tamper techniques in the system design specification. CC ID 10639	Monitor and Evaluate Occurrences	Detective
Establish, implement, and maintain identification card or badge architectural designs. CC ID 06591	Process or Activity	Preventive
Define the physical requirements for identification cards or badges in the identification card or badge architectural designs. CC ID 06592	Process or Activity	Preventive
Define the mandatory items that must appear on identification cards or badges in the identification card or badge architectural designs. CC ID 06593	Process or Activity	Preventive
Define the data elements to be stored on identification cards or badges in the identification card or badge architectural designs. CC ID 15427	Systems Design, Build, and Implementation	Preventive
Define the optional items that may appear on identification cards or badges in the identification card or badge architectural designs. CC ID 06594	Process or Activity	Preventive
Include security measures in the identification card or badge architectural designs. CC ID 15423	Systems Design, Build, and Implementation	Preventive
Include the logical credential data model for identification cards or badges in the identification card or badge architectural designs. CC ID 06595	Process or Activity	Preventive
Establish, implement, and maintain payment card architectural designs. CC ID 16132	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain coding guidelines. CC ID 08661	Establish/Maintain Documentation	Preventive
Nest elements appropriately in website content using markup languages. CC ID 15154	Configuration	Preventive
Use valid HTML or other markup languages. CC ID 15153	Configuration	Preventive
Establish, implement, and maintain human interface guidelines. CC ID 08662	Establish/Maintain Documentation	Preventive
Ensure users can navigate content. CC ID 15163	Configuration	Preventive
Create text content using language that is readable and is understandable. CC ID 15167	Configuration	Preventive
Ensure user interface components are operable. CC ID 15162	Configuration	Preventive
Implement mechanisms to review, confirm, and correct user submissions. CC ID 15160	Configuration	Preventive
Allow users to reverse submissions. CC ID 15168	Configuration	Preventive
Provide a mechanism to control audio. CC ID 15158	Configuration	Preventive
Allow modification of style properties without loss of content or functionality. CC ID 15156	Configuration	Preventive
Programmatically determine the name and role of user interface components. CC ID 15148	Configuration	Preventive
Programmatically determine the language of content. CC ID 15137	Configuration	Preventive
Provide a mechanism to dismiss content triggered by mouseover or keyboard focus. CC ID 15164	Configuration	Preventive
Configure repeated navigational mechanisms to occur in the same order unless overridden by the user. CC ID 15166	Configuration	Preventive
Refrain from activating a change of context when changing the setting of user interface components, as necessary. CC ID 15165	Configuration	Preventive
Provide users a mechanism to remap keyboard shortcuts. CC ID 15133	Configuration	Preventive
Identify the components in a set of web pages that consistently have the same functionality. CC ID 15116	Process or Activity	Preventive
Provide captions for live audio content. CC ID 15120	Configuration	Preventive
Programmatically determine the purpose of each data field that collects information from the user. CC ID 15114	Configuration	Preventive
Provide labels or instructions when content requires user input. CC ID 15077	Configuration	Preventive
Allow users to control auto-updating information, as necessary. CC ID 15159	Configuration	Preventive
Use headings on all web pages and labels in all content that describes the topic or purpose. CC ID 15070	Configuration	Preventive
Display website content triggered by mouseover or keyboard focus. CC ID 15152	Configuration	Preventive
Ensure the purpose of links can be determined through the link text. CC ID 15157	Configuration	Preventive
Use a unique title that describes the topic or purpose for each web page. CC ID 15069	Configuration	Preventive
Allow the use of time limits, as necessary. CC ID 15155	Configuration	Preventive
Include mechanisms for changing authenticators in human interface guidelines. CC ID 14944	Establish/Maintain Documentation	Preventive
Refrain from activating a change of context in a user interface component. CC ID 15115	Configuration	Preventive
Include functionality for managing user data in human interface guidelines. CC ID 14928	Establish/Maintain Documentation	Preventive
Establish and maintain User Interface documentation. CC ID 12204	Establish/Maintain Documentation	Preventive
Include system messages in human interface guidelines. CC ID 08663	Establish/Maintain Documentation	Preventive
Include measurable system performance requirements in the system design specification. CC ID 08667	Establish/Maintain Documentation	Preventive
Include the data structure in the system design specification. CC ID 08669	Establish/Maintain Documentation	Preventive
Include the input and output variables in the system design specification. CC ID 08670	Establish/Maintain Documentation	Preventive
Include data encryption information in the system design specification. CC ID 12209	Establish/Maintain Documentation	Preventive
Include records disposition information in the system design specification. CC ID 12208	Establish/Maintain Documentation	Preventive
Include how data is managed in each module in the system design specification. CC ID 12207	Establish/Maintain Documentation	Preventive
Include identifying restricted data in the system design specification. CC ID 12206	Establish/Maintain Documentation	Preventive
Assign appropriate parties to approve the system design specification. CC ID 13070	Human Resources Management	Preventive
Disseminate and communicate the system design specification to all interested personnel and affected parties. CC ID 15468	Communicate	Preventive
Implement data controls when developing systems. CC ID 15302	Systems Design, Build, and Implementation	Preventive
Implement security controls when developing systems. CC ID 06270	Systems Design, Build, and Implementation	Preventive
Analyze and minimize attack surfaces when developing systems. CC ID 06828	Systems Design, Build, and Implementation	Preventive
Include restricted data encryption and restricted information encryption in the security controls. CC ID 01083	Technical Security	Preventive
Require successful authentication before granting access to system functionality via network interfaces. CC ID 14926	Technical Security	Preventive
Implement a hardware security module, as necessary. CC ID 12222	Systems Design, Build, and Implementation	Preventive
Audit all modifications to the application being developed. CC ID 01614	Testing	Detective
Require dual authentication when switching out of PCI mode in the hardware security module. CC ID 12274	Systems Design, Build, and Implementation	Preventive
Include an indicator to designate when the hardware security module is in PCI mode. CC ID 12273	Systems Design, Build, and Implementation	Preventive
Design the random number generator to generate random numbers that are unpredictable. CC ID 12255	Systems Design, Build, and Implementation	Preventive
Design the hardware security module to enforce the separation between applications. CC ID 12254	Systems Design, Build, and Implementation	Preventive
Protect sensitive data when transiting sensitive services in the hardware security module. CC ID 12253	Systems Design, Build, and Implementation	Preventive
Design the hardware security module to automatically clear its internal buffers of sensitive information prior to reuse of the buffer. CC ID 12233	Systems Design, Build, and Implementation	Preventive
Design the hardware security module to automatically clear its internal buffers of sensitive information after it recovers from an error condition. CC ID 12252	Systems Design, Build, and Implementation	Preventive
Design the hardware security module to automatically clear its internal buffers of sensitive information when it has timed out. CC ID 12251	Systems Design, Build, and Implementation	Preventive
Design the hardware security module to erase sensitive data when compromised. CC ID 12275	Systems Design, Build, and Implementation	Preventive
Restrict key-usage information for cryptographic keys in the hardware security module. CC ID 12232	Systems Design, Build, and Implementation	Preventive
Prevent cryptographic keys in the hardware security module from making unauthorized changes to data. CC ID 12231	Systems Design, Build, and Implementation	Preventive
Include in the system documentation methodologies for authenticating the hardware security module. CC ID 12258	Establish/Maintain Documentation	Preventive
Protect sensitive information within the hardware security module from unauthorized changes. CC ID 12225	Systems Design, Build, and Implementation	Preventive
Prohibit sensitive functions from working outside of protected areas of the hardware security module. CC ID 12224	Systems Design, Build, and Implementation	Preventive
Establish, implement, and maintain an acceptable use policy for the hardware security module. CC ID 12247	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the acceptable use policy for the hardware security module. CC ID 12264	Establish/Maintain Documentation	Preventive
Include the environmental requirements in the acceptable use policy for the hardware security module. CC ID 12263	Establish/Maintain Documentation	Preventive
Include device identification in the acceptable use policy for the hardware security module. CC ID 12262	Establish/Maintain Documentation	Preventive
Include device functionality in the acceptable use policy for the hardware security module. CC ID 12261	Establish/Maintain Documentation	Preventive
Include administrative responsibilities in the acceptable use policy for the hardware security module. CC ID 12260	Establish/Maintain Documentation	Preventive
Install secret information into the hardware security module during manufacturing. CC ID 12249	Systems Design, Build, and Implementation	Preventive
Install secret information into the hardware security module so that it can only be verified by the initial-key-loading facility. CC ID 12272	Systems Design, Build, and Implementation	Preventive
Install secret information under dual control into the hardware security module. CC ID 12257	Systems Design, Build, and Implementation	Preventive
Establish, implement, and maintain session security coding standards. CC ID 04584	Establish/Maintain Documentation	Preventive
Establish and maintain a cryptographic architecture document. CC ID 12476	Establish/Maintain Documentation	Preventive
Include the algorithms used in the cryptographic architecture document. CC ID 12483	Establish/Maintain Documentation	Preventive
Include an inventory of all protected areas in the cryptographic architecture document. CC ID 12486	Establish/Maintain Documentation	Preventive
Include a description of the key usage for each key in the cryptographic architecture document. CC ID 12484	Establish/Maintain Documentation	Preventive
Include descriptions of all cryptographic keys in the cryptographic architecture document. CC ID 12487	Establish/Maintain Documentation	Preventive
Include descriptions of the cryptographic key strength of all cryptographic keys in the cryptographic architecture document. CC ID 12488	Establish/Maintain Documentation	Preventive
Include each cryptographic key's expiration date in the cryptographic architecture document. CC ID 12489	Establish/Maintain Documentation	Preventive
Include the protocols used in the cryptographic architecture document. CC ID 12485	Establish/Maintain Documentation	Preventive
Establish and maintain a coding manual for secure coding techniques. CC ID 11863	Establish/Maintain Documentation	Preventive
Protect applications from improper access control through secure coding techniques in source code. CC ID 11959	Technical Security	Preventive
Protect applications from improper error handling through secure coding techniques in source code. CC ID 11937	Technical Security	Preventive
Protect applications from insecure communications through secure coding techniques in source code. CC ID 11936	Technical Security	Preventive
Protect applications from attacks on business logic through secure coding techniques in source code. CC ID 15472	Systems Design, Build, and Implementation	Preventive
Protect applications from XML external entities through secure coding techniques in source code. CC ID 14806	Technical Security	Preventive
Protect applications from insecure deserialization through secure coding techniques in source code. CC ID 14805	Technical Security	Preventive
Refrain from hard-coding security parameters in source code. CC ID 14917	Systems Design, Build, and Implementation	Preventive
Refrain from hard-coding usernames in source code. CC ID 06561	Technical Security	Preventive
Refrain from hard-coding authenticators in source code. CC ID 11829	Technical Security	Preventive
Refrain from hard-coding cryptographic keys in source code. CC ID 12307	Technical Security	Preventive
Protect applications from injection flaws through secure coding techniques in source code. CC ID 11944	Technical Security	Preventive
Protect applications from attacks on data and data structures through secure coding techniques in source code. CC ID 15482	Systems Design, Build, and Implementation	Preventive
Control user account management through secure coding techniques in source code. CC ID 11909	Technical Security	Preventive
Restrict direct access of databases to the database administrator through secure coding techniques in source code. CC ID 11933	Technical Security	Preventive
Protect applications from buffer overflows through secure coding techniques in source code. CC ID 11943	Technical Security	Preventive
Protect applications from cross-site scripting through secure coding techniques in source code. CC ID 11899	Process or Activity	Preventive
Protect against coding vulnerabilities through secure coding techniques in source code. CC ID 11897	Process or Activity	Preventive
Protect applications from broken authentication and session management through secure coding techniques in source code. CC ID 11896	Process or Activity	Preventive
Protect applications from insecure cryptographic storage through secure coding techniques in source code. CC ID 11935	Technical Security	Preventive
Protect applications from cross-site request forgery through secure coding techniques in source code. CC ID 11895	Process or Activity	Preventive
Protect databases from unauthorized database management actions through secure coding techniques in source code. CC ID 12049	Technical Security	Preventive
Refrain from displaying error messages to end users through secure coding techniques in source code. CC ID 12166	Systems Design, Build, and Implementation	Preventive
Establish, implement, and maintain secure update mechanisms. CC ID 14923	Systems Design, Build, and Implementation	Preventive
Implement cryptographic mechanisms to authenticate software updates before installation. CC ID 14925	Systems Design, Build, and Implementation	Preventive
Automate secure update mechanisms, as necessary. CC ID 14933	Systems Design, Build, and Implementation	Preventive
Follow security design requirements when developing systems. CC ID 06827	Systems Design, Build, and Implementation	Preventive
Prevent unnecessary information from being added to client-side scripting languages. CC ID 07073	Data and Information Management	Preventive
Use randomly generated session identifiers. CC ID 07074	Technical Security	Preventive
Identify multi-project interfaces and dependencies. CC ID 06902	Systems Design, Build, and Implementation	Preventive
Establish, implement, and maintain a system implementation representation document. CC ID 04558	Establish/Maintain Documentation	Preventive
Include the source code in the implementation representation document. CC ID 13089	Establish/Maintain Documentation	Preventive
Include the hardware schematics in the implementation representation document. CC ID 13098	Establish/Maintain Documentation	Preventive
Design the security architecture. CC ID 06269	Systems Design, Build, and Implementation	Preventive
Limit the embedding of data types inside other data types. CC ID 06759	Technical Security	Preventive
Review and update the security architecture, as necessary. CC ID 14277	Establish/Maintain Documentation	Corrective
Design the privacy architecture. CC ID 14671	Systems Design, Build, and Implementation	Preventive
Review and update the privacy architecture, as necessary. CC ID 14674	Establish/Maintain Documentation	Preventive
Convert workflow charts and diagrams into machine readable code. CC ID 14865	Process or Activity	Preventive
Implement software development version controls. CC ID 01098	Systems Design, Build, and Implementation	Preventive
Protect system libraries. CC ID 01097	Technical Security	Preventive
Follow the system development process when upgrading a system. CC ID 01059	Systems Design, Build, and Implementation	Preventive
Protect application program libraries. CC ID 11762	Technical Security	Preventive
Conduct a design review at each milestone or quality gate. CC ID 01087	Systems Design, Build, and Implementation	Detective
Reassess the system design after the product has been tested. CC ID 01088	Testing	Detective
Include the Evaluation Assurance Levels in the system design specification. CC ID 04561	Establish/Maintain Documentation	Preventive
Approve the design methodology before moving forward on the system design project. CC ID 01060	Systems Design, Build, and Implementation	Preventive
Perform source code analysis at each milestone or quality gate. CC ID 06832	Systems Design, Build, and Implementation	Corrective
Identify and redesign unsafe functions when developing systems. CC ID 06831	Systems Design, Build, and Implementation	Preventive
Document the results of the source code analysis. CC ID 14310	Process or Activity	Detective
Monitor the development environment for when malicious code is discovered. CC ID 06396	Systems Design, Build, and Implementation	Detective
Establish and maintain system security documentation. CC ID 06271	Establish/Maintain Documentation	Preventive
Document the procedures and environment used to create the system or software. CC ID 06609 [{system development} Rules for the development of software and systems should be established and applied to developments within the organization. § 14.2.1 Control]	Establish/Maintain Documentation	Preventive
Transmit source code securely. CC ID 06397	Data and Information Management	Preventive
Digitally sign software components. CC ID 16490	Process or Activity	Preventive
Establish and maintain access rights to source code based upon least privilege. CC ID 06962 [Access to program source code should be restricted. § 9.4.5 Control]	Technical Security	Preventive
Perform Quality Management on all newly developed or modified systems. CC ID 01100	Testing	Detective
Establish, implement, and maintain a system testing policy. CC ID 01102	Establish/Maintain Documentation	Preventive
Configure the test environment similar to the production environment. CC ID 06837 [Organizations should establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle. § 14.2.6 Control]	Configuration	Preventive
Establish, implement, and maintain system testing procedures. CC ID 11744	Establish/Maintain Documentation	Preventive
Protect test data in the development environment. CC ID 12014 [Test data should be selected carefully, protected and controlled. § 14.3.1 Control]	Technical Security	Preventive
Control the test data used in the development environment. CC ID 12013 [Test data should be selected carefully, protected and controlled. § 14.3.1 Control]	Systems Design, Build, and Implementation	Preventive
Select the test data carefully. CC ID 12011 [Test data should be selected carefully, protected and controlled. § 14.3.1 Control]	Systems Design, Build, and Implementation	Preventive
Test security functionality during the development process. CC ID 12015 [Testing of security functionality should be carried out during development. § 14.2.8 Control]	Testing	Preventive

Technical security

288

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Technical security CC ID 00508	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain an access control program. CC ID 11702	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain access control policies. CC ID 00512 [{business requirements} An access control policy should be established, documented and reviewed based on business and information security requirements. § 9.1.1 Control {business requirements} An access control policy should be established, documented and reviewed based on business and information security requirements. § 9.1.1 Control]	Establish/Maintain Documentation	Preventive
Include compliance requirements in the access control policy. CC ID 14006	Establish/Maintain Documentation	Preventive
Include coordination amongst entities in the access control policy. CC ID 14005	Establish/Maintain Documentation	Preventive
Include management commitment in the access control policy. CC ID 14004	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the access control policy. CC ID 14003	Establish/Maintain Documentation	Preventive
Include the scope in the access control policy. CC ID 14002	Establish/Maintain Documentation	Preventive
Include the purpose in the access control policy. CC ID 14001	Establish/Maintain Documentation	Preventive
Document the business need justification for user accounts. CC ID 15490	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an instant messaging and chat system usage policy. CC ID 11815	Establish/Maintain Documentation	Preventive
Disseminate and communicate the access control policies to all interested personnel and affected parties. CC ID 10061	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an access rights management plan. CC ID 00513 [A formal user registration and de-registration process should be implemented to enable assignment of access rights. § 9.2.1 Control]	Establish/Maintain Documentation	Preventive
Implement safeguards to protect access credentials from unauthorized access. CC ID 16433	Technical Security	Preventive
Inventory all user accounts. CC ID 13732	Establish/Maintain Documentation	Preventive
Identify information system users. CC ID 12081	Technical Security	Detective
Review user accounts. CC ID 00525	Technical Security	Detective
Match user accounts to authorized parties. CC ID 12126	Configuration	Detective
Identify processes running on information systems that act on behalf of users. CC ID 12082	Technical Security	Detective
Establish and maintain contact information for user accounts, as necessary. CC ID 15418	Data and Information Management	Preventive
Review shared accounts. CC ID 11840	Technical Security	Detective
Control access rights to organizational assets. CC ID 00004 [The allocation and use of privileged access rights should be restricted and controlled. § 9.2.3 Control Access to information and application system functions should be restricted in accordance with the access control policy. § 9.4.1 Control]	Technical Security	Preventive
Configure access control lists in accordance with organizational standards. CC ID 16465	Configuration	Preventive
Add all devices requiring access control to the Access Control List. CC ID 06264	Establish/Maintain Documentation	Preventive
Generate but refrain from storing authenticators or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835	Technical Security	Preventive
Disallow application IDs from running as privileged users. CC ID 10050	Configuration	Detective
Define roles for information systems. CC ID 12454	Human Resources Management	Preventive
Define access needs for each role assigned to an information system. CC ID 12455	Human Resources Management	Preventive
Define access needs for each system component of an information system. CC ID 12456	Technical Security	Preventive
Define the level of privilege required for each system component of an information system. CC ID 12457	Technical Security	Preventive
Establish access rights based on least privilege. CC ID 01411 [The allocation and use of privileged access rights should be restricted and controlled. § 9.2.3 Control]	Technical Security	Preventive
Assign user permissions based on job responsibilities. CC ID 00538	Technical Security	Preventive
Assign user privileges after they have management sign off. CC ID 00542	Technical Security	Preventive
Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 [Groups of information services, users and information systems should be segregated on networks. § 13.1.3 Control]	Configuration	Preventive
Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412	Technical Security	Preventive
Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822	Configuration	Preventive
Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818	Communicate	Corrective
Disallow unlocking user accounts absent system administrator approval. CC ID 01413	Technical Security	Preventive
Establish, implement, and maintain session lock capabilities. CC ID 01417	Configuration	Preventive
Limit concurrent sessions according to account type. CC ID 01416	Configuration	Preventive
Establish session authenticity through Transport Layer Security. CC ID 01627	Technical Security	Preventive
Configure the "tlsverify" argument to organizational standards. CC ID 14460	Configuration	Preventive
Configure the "tlscacert" argument to organizational standards. CC ID 14521	Configuration	Preventive
Configure the "tlscert" argument to organizational standards. CC ID 14520	Configuration	Preventive
Configure the "tlskey" argument to organizational standards. CC ID 14519	Configuration	Preventive
Enable access control for objects and users on each system. CC ID 04553 [Users should only be provided with access to the network and network services that they have been specifically authorized to use. § 9.1.2 Control]	Configuration	Preventive
Include all system components in the access control system. CC ID 11939	Technical Security	Preventive
Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301	Process or Activity	Preventive
Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850	Technical Security	Preventive
Enable attribute-based access control for objects and users on information systems. CC ID 16351	Technical Security	Preventive
Enable role-based access control for objects and users on information systems. CC ID 12458	Technical Security	Preventive
Include the objects and users subject to access control in the security policy. CC ID 11836	Establish/Maintain Documentation	Preventive
Assign Information System access authorizations if implementing segregation of duties. CC ID 06323	Establish Roles	Preventive
Enforce access restrictions for change control. CC ID 01428	Technical Security	Preventive
Enforce access restrictions for restricted data. CC ID 01921	Data and Information Management	Preventive
Permit a limited set of user actions absent identification and authentication. CC ID 04849	Technical Security	Preventive
Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455	Testing	Detective
Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262	Technical Security	Preventive
Establish, implement, and maintain a system use agreement for each information system. CC ID 06500	Establish/Maintain Documentation	Preventive
Accept and sign the system use agreement before data or system access is enabled. CC ID 06501	Establish/Maintain Documentation	Preventive
Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770	Technical Security	Preventive
Display previous logon information in the logon banner. CC ID 01415	Configuration	Preventive
Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771	Establish/Maintain Documentation	Preventive
Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964	Technical Security	Preventive
Control user privileges. CC ID 11665	Technical Security	Preventive
Review all user privileges, as necessary. CC ID 06784 [Asset owners should review users’ access rights at regular intervals. § 9.2.5 Control]	Technical Security	Preventive
Revoke asset access when a personnel status change occurs or an individual is terminated. CC ID 00516	Behavior	Corrective
Encrypt files and move them to a secure file server when a user account is disabled. CC ID 07065	Configuration	Preventive
Review and update accounts and access rights when notified of personnel status changes. CC ID 00788 [The access rights of all employees and external party users to information and information processing facilities should be removed upon termination of their employment, contract or agreement, or adjusted upon change. § 9.2.6 Control]	Behavior	Corrective
Review each user's access capabilities when their role changes. CC ID 00524	Technical Security	Preventive
Change authenticators after personnel status changes. CC ID 12284	Human Resources Management	Preventive
Establish and maintain a Digital Rights Management program. CC ID 07093	Establish/Maintain Documentation	Preventive
Enable products restricted by Digital Rights Management to be used while offline. CC ID 07094	Technical Security	Preventive
Establish, implement, and maintain User Access Management procedures. CC ID 00514 [A formal user access provisioning process should be implemented to assign or revoke access rights for all user types to all systems and services. § 9.2.2 Control]	Technical Security	Preventive
Establish, implement, and maintain an authority for access authorization list. CC ID 06782	Establish/Maintain Documentation	Preventive
Review and approve logical access to all assets based upon organizational policies. CC ID 06641	Technical Security	Preventive
Control the addition and modification of user identifiers, user credentials, or other authenticators. CC ID 00515	Technical Security	Preventive
Assign roles and responsibilities for administering user account management. CC ID 11900	Human Resources Management	Preventive
Automate access control methods, as necessary. CC ID 11838	Technical Security	Preventive
Automate Access Control Systems, as necessary. CC ID 06854	Technical Security	Preventive
Refrain from storing logon credentials for third party applications. CC ID 13690	Technical Security	Preventive
Refrain from allowing user access to identifiers and authenticators used by applications. CC ID 10048	Technical Security	Preventive
Notify interested personnel when user accounts are added or deleted. CC ID 14327	Communicate	Detective
Remove inactive user accounts, as necessary. CC ID 00517	Technical Security	Corrective
Remove temporary user accounts, as necessary. CC ID 11839	Technical Security	Corrective
Establish, implement, and maintain a password policy. CC ID 16346	Establish/Maintain Documentation	Preventive
Enforce the password policy. CC ID 16347	Technical Security	Preventive
Disseminate and communicate the password policies and password procedures to all users who have access to restricted data or restricted information. CC ID 00518	Establish/Maintain Documentation	Preventive
Limit superuser accounts to designated System Administrators. CC ID 06766	Configuration	Preventive
Enforce usage restrictions for superuser accounts. CC ID 07064	Technical Security	Preventive
Establish, implement, and maintain user accounts in accordance with the organizational Governance, Risk, and Compliance framework. CC ID 00526	Technical Security	Preventive
Protect and manage biometric systems and biometric data. CC ID 01261	Technical Security	Preventive
Establish, implement, and maintain biometric collection procedures. CC ID 15419	Establish/Maintain Documentation	Preventive
Document the business need justification for authentication data storage. CC ID 06325	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain access control procedures. CC ID 11663 [Where required by the access control policy, access to systems and applications should be controlled by a secure log-on procedure. § 9.4.2 Control]	Establish/Maintain Documentation	Preventive
Implement out-of-band authentication, as necessary. CC ID 10606	Technical Security	Corrective
Grant access to authorized personnel or systems. CC ID 12186	Configuration	Preventive
Document approving and granting access in the access control log. CC ID 06786	Establish/Maintain Documentation	Preventive
Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442	Communicate	Preventive
Include the user identifiers of all personnel who are authorized to access a system in the system record. CC ID 15171	Establish/Maintain Documentation	Preventive
Include identity information of all personnel who are authorized to access a system in the system record. CC ID 16406	Establish/Maintain Documentation	Preventive
Include the date and time that access was reviewed in the system record. CC ID 16416	Data and Information Management	Preventive
Include the date and time that access rights were changed in the system record. CC ID 16415	Establish/Maintain Documentation	Preventive
Disseminate and communicate the access control procedures to all interested personnel and affected parties. CC ID 14123	Communicate	Corrective
Identify and control all network access controls. CC ID 00529	Technical Security	Preventive
Establish, implement, and maintain a network configuration standard. CC ID 00530	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a network security policy. CC ID 06440 [Networks should be managed and controlled to protect information in systems and applications. § 13.1.1 Control]	Establish/Maintain Documentation	Preventive
Include compliance requirements in the network security policy. CC ID 14205	Establish/Maintain Documentation	Preventive
Include coordination amongst entities in the network security policy. CC ID 14204	Establish/Maintain Documentation	Preventive
Include management commitment in the network security policy. CC ID 14203	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the network security policy. CC ID 14202	Establish/Maintain Documentation	Preventive
Include the scope in the network security policy. CC ID 14201	Establish/Maintain Documentation	Preventive
Include the purpose in the network security policy. CC ID 14200	Establish/Maintain Documentation	Preventive
Disseminate and communicate the network security policy to interested personnel and affected parties. CC ID 14199	Communicate	Preventive
Establish, implement, and maintain system and communications protection procedures. CC ID 14052	Establish/Maintain Documentation	Preventive
Disseminate and communicate the system and communications protection procedures to interested personnel and affected parties. CC ID 14206	Communicate	Preventive
Establish, implement, and maintain a wireless networking policy. CC ID 06732	Establish/Maintain Documentation	Preventive
Include usage restrictions for Bluetooth in the wireless networking policy. CC ID 16443	Establish/Maintain Documentation	Preventive
Secure the Domain Name System. CC ID 00540	Configuration	Preventive
Implement segregation of duties. CC ID 11843 [Conflicting duties and areas of responsibility should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets. § 6.1.2 Control]	Technical Security	Preventive
Enforce information flow control. CC ID 11781 [{data transfer policies} {data transfer procedures} {data transfer controls} Formal transfer policies, procedures and controls should be in place to protect the transfer of information through the use of all types of communication facilities. § 13.2.1 Control]	Monitor and Evaluate Occurrences	Preventive
Monitor information flows for anomalies. CC ID 16365	Monitor and Evaluate Occurrences	Preventive
Establish, implement, and maintain information flow control configuration standards. CC ID 01924	Establish/Maintain Documentation	Preventive
Restrict traffic or information flow based on the node type. CC ID 16396	Technical Security	Preventive
Restrict traffic or information flow based on the destination address. CC ID 16378	Technical Security	Preventive
Restrict traffic or information flow based on the origination address. CC ID 16484	Technical Security	Preventive
Assign appropriate roles for enabling or disabling information flow controls. CC ID 06760	Establish Roles	Preventive
Require the system to identify and authenticate approved devices before establishing a connection. CC ID 01429	Testing	Preventive
Maintain a record of the challenge state during identification and authentication in an automated information exchange. CC ID 06629	Establish/Maintain Documentation	Preventive
Monitor and report on the organization's interconnectivity risk. CC ID 13172	Monitor and Evaluate Occurrences	Detective
Configure network flow monitoring to organizational standards. CC ID 16364	Configuration	Preventive
Perform content filtering scans on network traffic. CC ID 06761	Monitor and Evaluate Occurrences	Detective
Develop and implement a content filtering word and phrase library. CC ID 07071	Establish/Maintain Documentation	Preventive
Use content filtering scans to identify information flows by data type specification. CC ID 06762	Technical Security	Preventive
Use content filtering scans to identify information flows by data type usage. CC ID 11818	Technical Security	Preventive
Take appropriate action to address information flow anomalies. CC ID 12164	Investigate	Corrective
Document information flow anomalies that do not fit normal traffic patterns. CC ID 12163	Investigate	Detective
Prevent encrypted data from bypassing content filtering mechanisms. CC ID 06758	Technical Security	Preventive
Perform content filtering scans on incoming and outgoing e-mail. CC ID 06733	Monitor and Evaluate Occurrences	Detective
Establish, implement, and maintain a data loss prevention solution to protect Access Control Lists. CC ID 12128	Technical Security	Preventive
Establish, implement, and maintain an automated information flow approval process or semi-automated information flow approval process for transmitting or receiving restricted data or restricted information. CC ID 06734	Data and Information Management	Detective
Constrain the information flow of restricted data or restricted information. CC ID 06763	Data and Information Management	Preventive
Quarantine data that fails security tests. CC ID 16500	Data and Information Management	Corrective
Restrict access to restricted data and restricted information on a need to know basis. CC ID 12453	Data and Information Management	Preventive
Prohibit restricted data or restricted information from being sent to mobile devices. CC ID 04725	Data and Information Management	Preventive
Prohibit restricted data or restricted information from being copied or moved absent approval of system boundaries for information flow control. CC ID 06310	Data and Information Management	Preventive
Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410 [{data transfer policies} {data transfer procedures} {data transfer controls} Formal transfer policies, procedures and controls should be in place to protect the transfer of information through the use of all types of communication facilities. § 13.2.1 Control]	Establish/Maintain Documentation	Preventive
Define risk tolerance to illicit data flow for each type of information classification. CC ID 01923	Data and Information Management	Preventive
Establish, implement, and maintain a document printing policy. CC ID 14384	Establish/Maintain Documentation	Preventive
Include printing to personal printers during a continuity event in the document printing policy. CC ID 14396	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain information flow procedures. CC ID 04542 [{data transfer policies} {data transfer procedures} {data transfer controls} Formal transfer policies, procedures and controls should be in place to protect the transfer of information through the use of all types of communication facilities. § 13.2.1 Control]	Establish/Maintain Documentation	Preventive
Disclose non-privacy related restricted information after a court makes a determination the information is material to a court case. CC ID 06242	Data and Information Management	Preventive
Exchange non-privacy related restricted information with approved third parties if the information supports an approved activity. CC ID 06243	Data and Information Management	Preventive
Establish, implement, and maintain information exchange procedures. CC ID 11782	Establish/Maintain Documentation	Preventive
Perform content sanitization on data-in-transit. CC ID 16512	Data and Information Management	Preventive
Perform content conversion on data-in-transit. CC ID 16510	Data and Information Management	Preventive
Protect data from unauthorized access while transmitting between separate parts of the system. CC ID 16499	Data and Information Management	Preventive
Protect data from modification or loss while transmitting between separate parts of the system. CC ID 04554	Data and Information Management	Preventive
Protect data from unauthorized disclosure while transmitting between separate parts of the system. CC ID 11859	Data and Information Management	Preventive
Review and approve information exchange system connections. CC ID 07143	Technical Security	Preventive
Log issuers who send personal data in cleartext in the transfer audit log. CC ID 12312	Log Management	Preventive
Establish, implement, and maintain measures to detect and prevent the use of unsafe internet services. CC ID 13104	Technical Security	Preventive
Refrain from storing restricted data at unsafe Internet services or virtual servers. CC ID 13107	Technical Security	Preventive
Establish, implement, and maintain whitelists and blacklists of domain names. CC ID 07097	Establish/Maintain Documentation	Preventive
Revoke membership in the whitelist, as necessary. CC ID 13827	Establish/Maintain Documentation	Corrective
Deploy sender policy framework records in the organization's Domain Name Servers. CC ID 12183	Configuration	Preventive
Block uncategorized sites using URL filtering. CC ID 12140	Technical Security	Preventive
Subscribe to a URL categorization service to maintain website category definitions in the URL filter list. CC ID 12139	Technical Security	Detective
Establish, implement, and maintain whitelists and blacklists of web content. CC ID 15234	Data and Information Management	Preventive
Establish, implement, and maintain whitelists and blacklists of software. CC ID 11780	Establish/Maintain Documentation	Preventive
Implement information flow control policies when making decisions about information sharing or collaboration. CC ID 10094	Behavior	Preventive
Control all methods of remote access and teleworking. CC ID 00559 [A policy and supporting security measures should be implemented to protect information accessed, processed or stored at teleworking sites. § 6.2.2 Control]	Technical Security	Preventive
Assign virtual escorting to authorized personnel. CC ID 16440	Process or Activity	Preventive
Establish, implement, and maintain a remote access and teleworking program. CC ID 04545 [A policy and supporting security measures should be implemented to protect information accessed, processed or stored at teleworking sites. § 6.2.2 Control]	Establish/Maintain Documentation	Preventive
Include information security requirements in the remote access and teleworking program. CC ID 15704	Establish/Maintain Documentation	Preventive
Refrain from allowing remote users to copy files to remote devices. CC ID 06792	Technical Security	Preventive
Control remote administration in accordance with organizational standards. CC ID 04459	Configuration	Preventive
Scan the system to verify modems are disabled or removed, except the modems that are explicitly approved. CC ID 00560	Testing	Detective
Control remote access through a network access control. CC ID 01421	Technical Security	Preventive
Install and maintain remote control software and other remote control mechanisms on critical systems. CC ID 06371	Configuration	Preventive
Prohibit remote access to systems processing cleartext restricted data or restricted information. CC ID 12324	Technical Security	Preventive
Employ multifactor authentication for remote access to the organization's network. CC ID 12505	Technical Security	Preventive
Implement multifactor authentication techniques. CC ID 00561	Configuration	Preventive
Document and approve requests to bypass multifactor authentication. CC ID 15464	Establish/Maintain Documentation	Preventive
Limit the source addresses from which remote administration is performed. CC ID 16393	Technical Security	Preventive
Protect remote access accounts with encryption. CC ID 00562	Configuration	Preventive
Monitor and evaluate all remote access usage. CC ID 00563	Monitor and Evaluate Occurrences	Detective
Manage the use of encryption controls and cryptographic controls. CC ID 00570 [Cryptographic controls should be used in compliance with all relevant agreements, legislation and regulations. § 18.1.5 Control]	Technical Security	Preventive
Comply with the encryption laws of the local country. CC ID 16377	Business Processes	Preventive
Define the cryptographic module security functions and the cryptographic module operational modes. CC ID 06542	Establish/Maintain Documentation	Preventive
Define the cryptographic boundaries. CC ID 06543	Establish/Maintain Documentation	Preventive
Establish and maintain the documentation requirements for cryptographic modules. CC ID 06544	Establish/Maintain Documentation	Preventive
Establish and maintain the security requirements for cryptographic module ports and cryptographic module interfaces. CC ID 06545	Establish/Maintain Documentation	Preventive
Implement the documented cryptographic module security functions. CC ID 06755	Data and Information Management	Preventive
Establish, implement, and maintain documentation for the delivery and operation of cryptographic modules. CC ID 06547	Establish/Maintain Documentation	Preventive
Document the operation of the cryptographic module. CC ID 06546	Establish/Maintain Documentation	Preventive
Employ cryptographic controls that comply with applicable requirements. CC ID 12491	Technical Security	Preventive
Establish, implement, and maintain digital signatures. CC ID 13828	Data and Information Management	Preventive
Include the expiration date in digital signatures. CC ID 13833	Data and Information Management	Preventive
Include audience restrictions in digital signatures. CC ID 13834	Data and Information Management	Preventive
Include the subject in digital signatures. CC ID 13832	Data and Information Management	Preventive
Include the issuer in digital signatures. CC ID 13831	Data and Information Management	Preventive
Include identifiers in the digital signature. CC ID 13829	Data and Information Management	Preventive
Generate and protect a secret random number for each digital signature. CC ID 06577	Establish/Maintain Documentation	Preventive
Establish the security strength requirements for the digital signature process. CC ID 06578	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546 [A policy on the use of cryptographic controls for protection of information should be developed and implemented. § 10.1.1 Control A policy on the use, protection and lifetime of cryptographic keys should be developed and implemented through their whole lifecycle. § 10.1.2 Control]	Establish/Maintain Documentation	Preventive
Refrain from allowing the use of cleartext for input or output of restricted data or restricted information. CC ID 04823	Configuration	Preventive
Encrypt in scope data or in scope information, as necessary. CC ID 04824	Data and Information Management	Preventive
Digitally sign records and data, as necessary. CC ID 16507	Data and Information Management	Preventive
Make key usage for data fields unique for each device. CC ID 04828	Technical Security	Preventive
Decrypt restricted data for the minimum time required. CC ID 12308	Data and Information Management	Preventive
Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309	Data and Information Management	Preventive
Accept only trusted keys and/or certificates. CC ID 11988	Technical Security	Preventive
Establish, implement, and maintain cryptographic key creation domain parameter requirements. CC ID 06575	Data and Information Management	Preventive
Define the asymmetric signature field for the CHUID container on identification cards or badges. CC ID 06584	Process or Activity	Preventive
Implement cryptographic operations and support functions on identification cards or badges. CC ID 06585	Process or Activity	Preventive
Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476	Communicate	Preventive
Define the format of the biometric data on identification cards or badges. CC ID 06586	Process or Activity	Preventive
Protect salt values and hash values in accordance with organizational standards. CC ID 16471	Data and Information Management	Preventive
Provide guidance to customers on how to securely transmit, store, and update cryptographic keys. CC ID 12040	Establish/Maintain Documentation	Preventive
Disseminate and communicate the encryption management procedures to all interested personnel and affected parties. CC ID 15477	Communicate	Preventive
Establish, implement, and maintain encryption management procedures. CC ID 15475	Establish/Maintain Documentation	Preventive
Define and assign cryptographic, encryption and key management roles and responsibilities. CC ID 15470	Establish Roles	Preventive
Establish, implement, and maintain cryptographic key management procedures. CC ID 00571	Establish/Maintain Documentation	Preventive
Disseminate and communicate cryptographic key management procedures to interested personnel and affected parties. CC ID 13164	Communicate	Preventive
Bind keys to each identity. CC ID 12337	Technical Security	Preventive
Include recommended cryptographic key management procedures for cloud service providers in the cryptographic key management procedures. CC ID 13152	Establish/Maintain Documentation	Preventive
Include requesting cryptographic key types in the cryptographic key management procedures. CC ID 13151	Establish/Maintain Documentation	Preventive
Recover encrypted data for lost cryptographic keys, compromised cryptographic keys, or damaged cryptographic keys. CC ID 01301	Data and Information Management	Preventive
Generate strong cryptographic keys. CC ID 01299	Data and Information Management	Preventive
Generate unique cryptographic keys for each user. CC ID 12169	Technical Security	Preventive
Use approved random number generators for creating cryptographic keys. CC ID 06574	Data and Information Management	Preventive
Implement decryption keys so that they are not linked to user accounts. CC ID 06851	Technical Security	Preventive
Include the establishment of cryptographic keys in the cryptographic key management procedures. CC ID 06540	Establish/Maintain Documentation	Preventive
Disseminate and communicate cryptographic keys securely. CC ID 01300	Data and Information Management	Preventive
Control the input and output of cryptographic keys from a cryptographic module. CC ID 06541	Data and Information Management	Preventive
Store cryptographic keys securely. CC ID 01298	Data and Information Management	Preventive
Restrict access to cryptographic keys. CC ID 01297	Data and Information Management	Preventive
Store cryptographic keys in encrypted format. CC ID 06084	Data and Information Management	Preventive
Store key-encrypting keys and data-encrypting keys in different locations. CC ID 06085	Technical Security	Preventive
Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127	Establish/Maintain Documentation	Preventive
Change cryptographic keys in accordance with organizational standards. CC ID 01302	Data and Information Management	Preventive
Destroy cryptographic keys promptly after the retention period. CC ID 01303	Data and Information Management	Preventive
Control cryptographic keys with split knowledge and dual control. CC ID 01304	Data and Information Management	Preventive
Prevent the unauthorized substitution of cryptographic keys. CC ID 01305	Data and Information Management	Preventive
Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys. CC ID 06852	Technical Security	Preventive
Revoke old cryptographic keys or invalid cryptographic keys immediately. CC ID 01307	Data and Information Management	Corrective
Replace known or suspected compromised cryptographic keys immediately. CC ID 01306	Data and Information Management	Corrective
Archive outdated cryptographic keys. CC ID 06884	Data and Information Management	Preventive
Archive revoked cryptographic keys. CC ID 11819	Data and Information Management	Preventive
Require key custodians to sign the cryptographic key management policy. CC ID 01308	Establish/Maintain Documentation	Preventive
Require key custodians to sign the key custodian's roles and responsibilities. CC ID 11820	Human Resources Management	Preventive
Test cryptographic key management applications, as necessary. CC ID 04829	Testing	Detective
Manage the digital signature cryptographic key pair. CC ID 06576	Data and Information Management	Preventive
Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates. CC ID 06587	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain Public Key certificate application procedures. CC ID 07079	Establish/Maintain Documentation	Preventive
Establish a Registration Authority to support the Public Key Infrastructure. CC ID 15725	Establish Roles	Preventive
Include the Identification and Authentication of individuals or entities in the Public Key certificate application procedures. CC ID 07080	Establish/Maintain Documentation	Preventive
Include approving or rejecting Public Key certificate applications in the Public Key certificate application procedure. CC ID 07081	Establish/Maintain Documentation	Preventive
Include revocation of Public Key certificates in the Public Key certificate procedures. CC ID 07082	Establish/Maintain Documentation	Preventive
Publish revoked Public Key certificates in the Certificate Revocation List. CC ID 07089	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain Public Key renewal or rekeying request procedures. CC ID 07083	Establish/Maintain Documentation	Preventive
Include identification and authentication in Public Key renewal or rekeying request procedures. CC ID 11816	Establish/Maintain Documentation	Preventive
Issue authentication mechanisms that support the Public Key Infrastructure. CC ID 07092	Technical Security	Preventive
Establish a Root Certification Authority to support the Public Key Infrastructure. CC ID 07084	Technical Security	Preventive
Establish, implement, and maintain Public Key certificate procedures. CC ID 07085	Establish/Maintain Documentation	Preventive
Include signing and issuing Public Key certificates in the Public Key certificate procedures. CC ID 11817	Establish/Maintain Documentation	Preventive
Include publishing Public Key certificates in the Public Key certificate procedures. CC ID 07087	Establish/Maintain Documentation	Preventive
Include access to issued Public Key certificates in the Public Key certificate procedures. CC ID 07086	Establish/Maintain Documentation	Preventive
Connect the Public Key Infrastructure to the organization's identity and access management system. CC ID 07091	Technical Security	Preventive
Archive Public Key certificate records according to organizational Records Management rules. CC ID 07090	Records Management	Preventive
Refrain from storing encryption keys with cloud service providers when cryptographic key management services are in place locally. CC ID 13153	Technical Security	Preventive
Refrain from permitting cloud service providers to manage encryption keys when cryptographic key management services are in place locally. CC ID 13154	Technical Security	Preventive
Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564	Technical Security	Preventive
Ensure restricted data or restricted information are encrypted prior to or at the time of transmission. CC ID 01749	Configuration	Preventive
Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492	Technical Security	Preventive
Encrypt traffic over networks with trusted cryptographic keys. CC ID 12490	Technical Security	Preventive
Authorize transactions of data transmitted over public networks or shared data networks. CC ID 00566	Establish/Maintain Documentation	Preventive
Implement non-repudiation for transactions. CC ID 00567	Testing	Detective
Treat data messages that do not receive an acknowledgment as never been sent. CC ID 14416	Technical Security	Preventive
Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568	Technical Security	Preventive
Protect application services information transmitted over a public network from unauthorized modification. CC ID 12021 [{unauthorized modification} Information involved in application services passing over public networks should be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. § 14.1.2 Control]	Technical Security	Preventive
Protect application services information transmitted over a public network from unauthorized disclosure. CC ID 12020 [{unauthorized modification} Information involved in application services passing over public networks should be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. § 14.1.2 Control]	Technical Security	Preventive
Protect application services information transmitted over a public network from contract disputes. CC ID 12019 [{unauthorized modification} Information involved in application services passing over public networks should be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. § 14.1.2 Control]	Technical Security	Preventive
Protect application services information transmitted over a public network from fraudulent activity. CC ID 12018 [{unauthorized modification} Information involved in application services passing over public networks should be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. § 14.1.2 Control]	Technical Security	Preventive
Establish, implement, and maintain a malicious code protection program. CC ID 00574	Establish/Maintain Documentation	Preventive
Install security and protection software, as necessary. CC ID 00575 [{detection controls} {prevention controls} Detection, prevention and recovery controls to protect against malware should be implemented, combined with appropriate user awareness. § 12.2.1 Control {detection controls} {prevention controls} Detection, prevention and recovery controls to protect against malware should be implemented, combined with appropriate user awareness. § 12.2.1 Control {detection controls} {prevention controls} Detection, prevention and recovery controls to protect against malware should be implemented, combined with appropriate user awareness. § 12.2.1 Control]	Configuration	Preventive
Install and maintain container security solutions. CC ID 16178	Technical Security	Preventive

Third Party and supply chain oversight

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Third Party and supply chain oversight CC ID 08807	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain a supply chain management program. CC ID 11742	Establish/Maintain Documentation	Preventive
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 [All relevant information security requirements should be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization’s information. § 15.1.2 Control]	Process or Activity	Detective
Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615	Establish/Maintain Documentation	Preventive
Include a description of the product or service to be provided in third party contracts. CC ID 06509	Establish/Maintain Documentation	Preventive
Include a description of the products or services fees in third party contracts. CC ID 10018	Establish/Maintain Documentation	Preventive
Include which parties are responsible for which fees in third party contracts. CC ID 10019	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain rules of engagement with third parties. CC ID 13994	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 [{information flow agreement} {establish} Agreements should address the secure transfer of business information between the organization and external parties. § 13.2.2 Control]	Establish/Maintain Documentation	Preventive
Include the type of information being transmitted in the information flow agreement. CC ID 14245	Establish/Maintain Documentation	Preventive
Include the security requirements in the information flow agreement. CC ID 14244	Establish/Maintain Documentation	Preventive
Include the interface characteristics in the information flow agreement. CC ID 14240	Establish/Maintain Documentation	Preventive
Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528	Establish/Maintain Documentation	Preventive
Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529	Establish/Maintain Documentation	Preventive
Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020	Establish/Maintain Documentation	Preventive
Include a description of the data or information to be covered in third party contracts. CC ID 06510	Establish/Maintain Documentation	Preventive
Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 [All relevant information security requirements should be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization’s information. § 15.1.2 Control]	Business Processes	Preventive
Include text about data ownership in third party contracts. CC ID 06502	Establish/Maintain Documentation	Preventive
Include text about trade secrets and intellectual property in third party contracts. CC ID 06503	Establish/Maintain Documentation	Preventive
Include text about participation in the organization's testing programs in third party contracts. CC ID 14402	Establish/Maintain Documentation	Preventive
Include the contract duration in third party contracts. CC ID 16221	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in third party contracts. CC ID 13487	Establish/Maintain Documentation	Preventive
Include cryptographic keys in third party contracts. CC ID 16179	Establish/Maintain Documentation	Preventive
Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646	Establish/Maintain Documentation	Preventive
Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 [Information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets should be agreed with the supplier and documented. § 15.1.1 Control]	Establish/Maintain Documentation	Preventive
Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507	Establish/Maintain Documentation	Preventive
Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508	Establish/Maintain Documentation	Preventive
Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513	Establish/Maintain Documentation	Preventive
Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515	Establish/Maintain Documentation	Preventive
Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504	Establish/Maintain Documentation	Preventive
Include compliance with the organization's privacy policy in third party contracts. CC ID 06518	Establish/Maintain Documentation	Preventive
Include compliance with the organization's media handling policy in third party contracts. CC ID 06525	Establish/Maintain Documentation	Preventive
Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530	Establish/Maintain Documentation	Preventive
Include compliance with the organization's data usage policies in third party contracts. CC ID 16413	Establish/Maintain Documentation	Preventive
Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531	Establish/Maintain Documentation	Preventive
Include compliance with the organization's physical access policy in third party contracts. CC ID 06878	Establish/Maintain Documentation	Preventive
Include a reporting structure in third party contracts. CC ID 06532	Establish/Maintain Documentation	Preventive
Include points of contact in third party contracts. CC ID 12355	Establish/Maintain Documentation	Preventive
Include financial reporting in third party contracts, as necessary. CC ID 13573	Establish/Maintain Documentation	Preventive
Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512	Establish/Maintain Documentation	Preventive
Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514	Establish/Maintain Documentation	Preventive
Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516	Establish/Maintain Documentation	Preventive
Include training requirements in third party contracts. CC ID 16367	Acquisition/Sale of Assets or Services	Preventive
Include an indemnification and liability clause in third party contracts. CC ID 06517	Establish/Maintain Documentation	Preventive
Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521	Establish/Maintain Documentation	Preventive
Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522	Establish/Maintain Documentation	Preventive
Include text regarding foreign-based third parties in third party contracts. CC ID 06722	Establish/Maintain Documentation	Preventive
Include change control clauses in third party contracts, as necessary. CC ID 06523 [Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, should be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks. § 15.2.2 Control]	Establish/Maintain Documentation	Preventive
Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115	Establish/Maintain Documentation	Preventive
Include triggers for renegotiating the contract in third party contracts. CC ID 06527	Establish/Maintain Documentation	Preventive
Include change control notification processes in third party contracts. CC ID 06524	Establish/Maintain Documentation	Preventive
Include cost structure changes in third party contracts. CC ID 10021	Establish/Maintain Documentation	Preventive
Include a choice of venue clause in third party contracts. CC ID 06520	Establish/Maintain Documentation	Preventive
Include a dispute resolution clause in third party contracts. CC ID 06519	Establish/Maintain Documentation	Preventive
Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813	Establish/Maintain Documentation	Preventive
Include a termination provision clause in third party contracts. CC ID 01367	Establish/Maintain Documentation	Detective
Include early termination contingency plans in the third party contracts. CC ID 06526	Establish/Maintain Documentation	Preventive
Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817	Establish/Maintain Documentation	Preventive
Include termination costs in third party contracts. CC ID 10023	Establish/Maintain Documentation	Preventive
Include text about obtaining adequate insurance in third party contracts. CC ID 06880	Establish/Maintain Documentation	Preventive
Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214	Establish/Maintain Documentation	Preventive
Include a usage limitation of restricted data clause in third party contracts. CC ID 13026	Establish/Maintain Documentation	Preventive
Include end-of-life information in third party contracts. CC ID 15265	Establish/Maintain Documentation	Preventive
Include third party requirements for personnel security in third party contracts. CC ID 00790	Testing	Detective
Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791	Establish/Maintain Documentation	Preventive
Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364	Testing	Detective
Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366	Testing	Detective
Include responding to privacy rights violation complaints in third party contracts. CC ID 12432	Establish/Maintain Documentation	Preventive
Establish the third party's service continuity. CC ID 00797	Testing	Detective
Determine the adequacy of a third party's alternate site preparations. CC ID 06879	Testing	Detective
Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264	Data and Information Management	Detective
Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087	Testing	Detective
Include disclosure requirements in third party contracts. CC ID 08825	Business Processes	Preventive
Include requirements for alternate processing facilities in third party contracts. CC ID 13059	Establish/Maintain Documentation	Preventive
Include risk management procedures in the supply chain management policy. CC ID 08811	Establish/Maintain Documentation	Preventive
Perform risk assessments of third parties, as necessary. CC ID 06454	Testing	Detective
Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 [Information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets should be agreed with the supplier and documented. § 15.1.1 Control Agreements with suppliers should include requirements to address the information security risks associated with information and communications technology services and product supply chain. § 15.1.3 Control]	Establish/Maintain Documentation	Preventive
Conduct all parts of the supply chain due diligence process. CC ID 08854	Business Processes	Preventive
Assess third parties' compliance environment during due diligence. CC ID 13134	Process or Activity	Detective
Request attestation of compliance from third parties. CC ID 12067	Establish/Maintain Documentation	Detective
Validate the third parties' compliance to organizationally mandated compliance requirements. CC ID 08819 [Organizations should regularly monitor, review and audit supplier service delivery. § 15.2.1 Control]	Business Processes	Preventive
Assess the effectiveness of third party services provided to the organization. CC ID 13142	Business Processes	Detective
Monitor third parties for performance and effectiveness, as necessary. CC ID 00799 [Organizations should regularly monitor, review and audit supplier service delivery. § 15.2.1 Control]	Monitor and Evaluate Occurrences	Detective
Monitor third parties' financial conditions. CC ID 13170	Monitor and Evaluate Occurrences	Detective
Review the supply chain's service delivery on a regular basis. CC ID 12010 [Organizations should regularly monitor, review and audit supplier service delivery. § 15.2.1 Control]	Business Processes	Preventive

Common Controls and
mandates by Type 160 Mandated Controls - bold
127 Implied Controls - italic 2483 Implementation

Number of Controls

2770 Total

Acquisition/Sale of Assets or Services

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376	Operational and Systems Continuity	Preventive
Transfer legal ownership of assets when the system is redeployed to a third party. CC ID 06698	Operational management	Preventive
Acquire spare parts prior to when maintenance requests are scheduled. CC ID 11833	Operational management	Preventive
Acquire products or services. CC ID 11450	Acquisition or sale of facilities, technology, and services	Preventive
Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408	Privacy protection for information and data	Preventive
Include training requirements in third party contracts. CC ID 16367	Third Party and supply chain oversight	Preventive

Actionable Reports or Measurements

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Monitor and evaluate system telemetry data. CC ID 14929	Monitoring and measurement	Detective
Measure policy compliance when reviewing the internal control framework. CC ID 06442 [{security standards} Managers should regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. § 18.2.2 Control {security standards} Managers should regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. § 18.2.2 Control]	Operational management	Corrective

Audits and Risk Management

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Address operational anomalies within the incident management system. CC ID 11633	Monitoring and measurement	Preventive
Incorporate an Identity Theft Prevention Program into the organization's incident management system. CC ID 11634	Monitoring and measurement	Preventive
Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424	Monitoring and measurement	Preventive
Include third party assets in the audit scope. CC ID 16504	Audits and risk management	Preventive
Determine the appropriateness of the audit subject matter. CC ID 16505	Audits and risk management	Preventive
Include the in scope material or in scope products in the audit program. CC ID 08961	Audits and risk management	Preventive
Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795	Audits and risk management	Preventive
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686	Audits and risk management	Preventive
Analyze and quantify the risks to in scope systems and information. CC ID 00701	Audits and risk management	Preventive
Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703	Audits and risk management	Preventive
Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 [{technical vulnerabilities} Information about technical vulnerabilities of information systems being used should be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk. § 12.6.1 Control]	Audits and risk management	Detective

Behavior

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Protect each person's right to privacy and civil liberties during intrusion management operations. CC ID 10035	Monitoring and measurement	Preventive
Do not intercept communications of any kind when providing a service to clients. CC ID 09985	Monitoring and measurement	Preventive
Establish, implement, and maintain a testing program. CC ID 00654	Monitoring and measurement	Preventive
Exercise due professional care during the planning and performance of the audit. CC ID 07119 [Audit requirements and activities involving verification of operational systems should be carefully planned and agreed to minimize disruptions to business processes. § 12.7.1 Control]	Audits and risk management	Preventive
Revoke asset access when a personnel status change occurs or an individual is terminated. CC ID 00516	Technical security	Corrective
Review and update accounts and access rights when notified of personnel status changes. CC ID 00788 [The access rights of all employees and external party users to information and information processing facilities should be removed upon termination of their employment, contract or agreement, or adjusted upon change. § 9.2.6 Control]	Technical security	Corrective
Implement information flow control policies when making decisions about information sharing or collaboration. CC ID 10094	Technical security	Preventive
Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311	Physical and environmental protection	Preventive
Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702	Physical and environmental protection	Preventive
Manage constituent identification inside the facility. CC ID 02215	Physical and environmental protection	Preventive
Issue visitor identification badges to all non-employees. CC ID 00543	Physical and environmental protection	Preventive
Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331	Physical and environmental protection	Preventive
Require all visitors to sign out of the visitor log before the exit of a visitor from the facility. CC ID 06649	Physical and environmental protection	Preventive
Refrain from search and seizure inside organizational facilities absent a warrant. CC ID 09980	Physical and environmental protection	Preventive
Disallow either search or seizure of any person inside organizational facilities absent a warrant. CC ID 09981	Physical and environmental protection	Preventive
Disallow inspecting computers or searching computer records inside organizational facilities absent a warrant. CC ID 09983	Physical and environmental protection	Preventive
Do nothing to help during a search and seizure inside organizational facilities absent a warrant and being legally compelled to assist. CC ID 09984	Physical and environmental protection	Preventive
Require the return of all assets upon notification an individual is terminated. CC ID 06679 [{require} All employees and external party users should return all of the organizational assets in their possession upon termination of their employment, contract or agreement. § 8.1.4 Control]	Physical and environmental protection	Preventive
Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093	Operational and Systems Continuity	Preventive
Notify all interested personnel and affected parties when personnel status changes or an individual is terminated. CC ID 06677	Human Resources management	Preventive
Disseminate and communicate the personnel status change and termination procedures to all interested personnel and affected parties. CC ID 06676	Human Resources management	Preventive
Train all personnel and third parties, as necessary. CC ID 00785 [{security awareness, training, and education} All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function. § 7.2.2 Control {security awareness, training, and education} All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function. § 7.2.2 Control]	Human Resources management	Preventive
Retrain all personnel, as necessary. CC ID 01362 [{security awareness, training, and education} All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function. § 7.2.2 Control {security awareness, training, and education} All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function. § 7.2.2 Control]	Human Resources management	Preventive
Tailor training to meet published guidance on the subject being taught. CC ID 02217	Human Resources management	Preventive
Tailor training to be taught at each person's level of responsibility. CC ID 06674	Human Resources management	Preventive
Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786	Human Resources management	Preventive
Use automated mechanisms in the training environment, where appropriate. CC ID 06752	Human Resources management	Preventive
Conduct Archives and Records Management training. CC ID 00975	Human Resources management	Preventive
Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823	Human Resources management	Preventive
Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 [Employees and contractors using the organization’s information systems and services should be required to note and report any observed or suspected information security weaknesses in systems or services. § 16.1.3 Control]	Human Resources management	Preventive
Conduct secure coding and development training for developers. CC ID 06822	Human Resources management	Corrective
Conduct crime prevention training. CC ID 06350	Human Resources management	Preventive
Implement a sanctions process for personnel who fail to comply to the organizational compliance program. CC ID 01442 [{implement} There should be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach. § 7.2.3 Control]	Human Resources management	Corrective
Notify interested personnel and affected parties prior to when the system is redeployed or the system is disposed. CC ID 06400	Operational management	Preventive
Maintain contact with the device manufacturer or component manufacturer for maintenance requests. CC ID 06388	Operational management	Preventive
Respond to maintenance requests inside the organizationally established time frame. CC ID 04878	Operational management	Preventive
Perform periodic maintenance according to organizational standards. CC ID 01435	Operational management	Preventive
Maintain contact with breach notification organizations for notification purposes in the event a privacy breach has occurred. CC ID 01213 [Appropriate contacts with relevant authorities should be maintained. § 6.1.3 Control]	Operational management	Preventive
Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807	Operational management	Preventive
Disseminate and communicate software update information to users and regulators. CC ID 06602	Operational management	Preventive
Notify affected parties to keep authenticators confidential. CC ID 06787	System hardening through configuration management	Preventive
Discourage affected parties from recording authenticators. CC ID 06788	System hardening through configuration management	Preventive
Train the affected users during system development life cycle projects. CC ID 01091	Systems design, build, and implementation	Preventive
Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383	Privacy protection for information and data	Preventive
Notify interested personnel and affected parties when changes are made to the privacy policy. CC ID 06943	Privacy protection for information and data	Preventive
Notify the supervisory authority. CC ID 00472	Privacy protection for information and data	Preventive
Notify the data subject of the collection purpose. CC ID 00095	Privacy protection for information and data	Preventive
Notify the data subject of the consequences for not providing personal data. CC ID 00104	Privacy protection for information and data	Preventive
Notify the data subject of changes to personal data use. CC ID 00105	Privacy protection for information and data	Preventive
Obtain the data subject's consent when the personal data use changes. CC ID 11832	Privacy protection for information and data	Preventive
Respond to data access requests in a timely manner. CC ID 00421	Privacy protection for information and data	Preventive
Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422	Privacy protection for information and data	Detective
Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423	Privacy protection for information and data	Detective
Notify the data subject after personal data is used or disclosed. CC ID 06247	Privacy protection for information and data	Preventive
Notify the individual before restricted data is collected, used, or disclosed. CC ID 00132	Privacy protection for information and data	Preventive
Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253	Privacy protection for information and data	Preventive
Notify the data subject of the source of collected personal data. CC ID 00083	Privacy protection for information and data	Preventive
Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069	Privacy protection for information and data	Preventive
Use simple understandable language to collect information from children. CC ID 00039	Privacy protection for information and data	Preventive
Use the contact information on file to contact the individual identified in an account change request. CC ID 04857	Privacy protection for information and data	Detective
Notify data subjects when their personal data is transferred. CC ID 00352	Privacy protection for information and data	Preventive
Follow the instructions of the data transferrer. CC ID 00334	Privacy protection for information and data	Preventive
Notify the data subject of any personal data changes during the personal data transfer. CC ID 00350	Privacy protection for information and data	Preventive
Define the behaviors and actions that are included in privacy rights violations. CC ID 14852	Privacy protection for information and data	Preventive
Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478	Privacy protection for information and data	Corrective
File privacy rights violation complaints inside the mandate stipulated from the refusal. CC ID 00479	Privacy protection for information and data	Corrective
Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463	Privacy protection for information and data	Corrective
Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466	Privacy protection for information and data	Corrective
Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467	Privacy protection for information and data	Corrective
Investigate privacy rights violation complaints. CC ID 00480	Privacy protection for information and data	Detective
Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491	Privacy protection for information and data	Detective
Investigate privacy rights violation complaints in private. CC ID 00492	Privacy protection for information and data	Detective
Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493	Privacy protection for information and data	Detective
Allow the complainant to appear before the commissioner and make a submission, orally or in writing, about the privacy rights violation complaint investigation prior to an adverse decision to the complainant is reached. CC ID 00494	Privacy protection for information and data	Detective
Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481	Privacy protection for information and data	Preventive
Determine not to investigate privacy rights violation complaints under certain conditions. CC ID 00482	Privacy protection for information and data	Preventive
Refrain from investigating a privacy rights violation complaint when the act or practice does not interfere with an individual's privacy. CC ID 00483	Privacy protection for information and data	Preventive
Refrain from investigating a privacy rights violation complaint when the complaint is created outside the stipulated time frame after the complainant became aware of it. CC ID 00484	Privacy protection for information and data	Preventive
Refrain from investigating a privacy rights violation complaint when the complaint is frivolous, vexatious, misconceived, or lacking in substance. CC ID 00485	Privacy protection for information and data	Preventive
Refrain from investigating a privacy rights violation complaint if the act or practice is subject to an application under another commonwealth law, state law, or territory law, and the complaint was or is being dealt with adequately under the law. CC ID 00486	Privacy protection for information and data	Preventive
Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487	Privacy protection for information and data	Preventive
Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488	Privacy protection for information and data	Preventive
Defer privacy rights violation complaint investigations when the Privacy Commissioner believes the data subject's interests would not be affected if the investigation or further investigation were deferred until the application was disposed of. CC ID 00489	Privacy protection for information and data	Preventive
Respond to an investigative report in regards to a privacy rights violation complaint. CC ID 00496	Privacy protection for information and data	Corrective
Order the organization to change to be in compliance with applicable law. CC ID 00499	Privacy protection for information and data	Corrective
Order the organization to publish a notice with the corrections or actions taken. CC ID 00500	Privacy protection for information and data	Corrective
Award damages based on applicable law. CC ID 00501	Privacy protection for information and data	Corrective
Notify the public and other agencies after a penalty becomes final. CC ID 06217	Privacy protection for information and data	Preventive

Business Processes

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Review the organization's approach to managing information security, as necessary. CC ID 12005 [The organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) should be reviewed independently at planned intervals or when significant changes occur. § 18.2.1 Control]	Leadership and high level objectives	Preventive
Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688 [Assets associated with information and information processing facilities should be identified and an inventory of these assets should be drawn up and maintained. § 8.1.1 Control All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements should be explicitly identified, documented and kept up to date for each information system and the organization. § 18.1.1 Control All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements should be explicitly identified, documented and kept up to date for each information system and the organization. § 18.1.1 Control]	Leadership and high level objectives	Preventive
Comply with the encryption laws of the local country. CC ID 16377	Technical security	Preventive
Include an appeal process in the identification issuance procedures. CC ID 15428	Physical and environmental protection	Preventive
Disallow copying or excerpting from documents, books, or records that are on or in the premises of an organizational facility absent a warrant. CC ID 09982	Physical and environmental protection	Preventive
Transport restricted media using a delivery method that can be tracked. CC ID 11777	Physical and environmental protection	Preventive
Require users to refrain from leaving mobile devices unattended. CC ID 16446	Physical and environmental protection	Preventive
Establish, implement, and maintain an education methodology. CC ID 06671	Human Resources management	Preventive
Establish, implement, and maintain future system capacity forecasting methods. CC ID 01617 [The use of resources should be monitored, tuned and projections made of future capacity requirements to ensure the required system performance. § 12.1.3 Control]	Operational management	Preventive
Align critical I