Back

International > International Organization for Standardization

ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition



AD ID

0002421

AD STATUS

ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition

ORIGINATOR

International Organization for Standardization

TYPE

International or National Standard

AVAILABILITY

For Purchase

SYNONYMS

ISO/IEC 27002:2013(E)

ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls

EFFECTIVE

2013-10-01

ADDED

The document as a whole was last reviewed and released on 2016-11-18T00:00:00-0800.

AD ID

0002421

AD STATUS

For Purchase

ORIGINATOR

International Organization for Standardization

TYPE

International or National Standard

AVAILABILITY

SYNONYMS

ISO/IEC 27002:2013(E)

ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls

EFFECTIVE

2013-10-01

ADDED

The document as a whole was last reviewed and released on 2016-11-18T00:00:00-0800.


Important Notice

This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.

Controls and asociated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of meta data that are associated with each Citation; Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.

Dictionary Terms – The dictionary terms listed for ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition are based upon terms either found within the Authority Document’s defined terms section(which most legal documents have), its glossary, and for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.



Common Controls and
mandates by Impact Zone
160 Mandated Controls - bold    
127 Implied Controls - italic     2508 Implementation

An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.


The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.

Number of Controls
2795 Total
  • Acquisition or sale of facilities, technology, and services
    7
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Acquisition or sale of facilities, technology, and services CC ID 01123 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain payment and settlement functions for selling products and services. CC ID 13538 Business Processes Preventive
    Establish, implement, and maintain an electronic commerce program. CC ID 08617 Business Processes Preventive
    Establish, implement, and maintain payment transaction security measures. CC ID 13088 Technical Security Preventive
    Protect the integrity of application service transactions. CC ID 12017
    [Information involved in application service transactions should be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. § 14.1.3 Control]
    Business Processes Preventive
    Acquire products or services. CC ID 11450 Acquisition/Sale of Assets or Services Preventive
    Discourage the modification of vendor-supplied software. CC ID 12016
    [Modifications to software packages should be discouraged, limited to necessary changes and all changes should be strictly controlled. § 14.2.4 Control]
    Process or Activity Preventive
  • Audits and risk management
    67
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Audits and risk management CC ID 00677 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain an audit program. CC ID 00684 Establish/Maintain Documentation Preventive
    Exercise due professional care during the planning and performance of the audit. CC ID 07119
    [Audit requirements and activities involving verification of operational systems should be carefully planned and agreed to minimize disruptions to business processes. § 12.7.1 Control]
    Behavior Preventive
    Include agreement to the audit scope and audit terms in the audit program. CC ID 06965
    [Audit requirements and activities involving verification of operational systems should be carefully planned and agreed to minimize disruptions to business processes. § 12.7.1 Control]
    Establish/Maintain Documentation Preventive
    Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 Establish/Maintain Documentation Preventive
    Include third party assets in the audit scope. CC ID 16504 Audits and Risk Management Preventive
    Include audit subject matter in the audit program. CC ID 07103 Establish/Maintain Documentation Preventive
    Examine the availability of the audit criteria in the audit program. CC ID 16520 Investigate Preventive
    Examine the objectivity of the audit criteria in the audit program. CC ID 07104 Establish/Maintain Documentation Preventive
    Examine the measurability of the audit criteria in the audit program. CC ID 07105 Establish/Maintain Documentation Preventive
    Examine the completeness of the audit criteria in the audit program. CC ID 07106 Establish/Maintain Documentation Preventive
    Examine the relevance of the audit criteria in the audit program. CC ID 07107 Establish/Maintain Documentation Preventive
    Determine the appropriateness of the audit subject matter. CC ID 16505 Audits and Risk Management Preventive
    Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 Establish/Maintain Documentation Preventive
    Include the in scope material or in scope products in the audit program. CC ID 08961 Audits and Risk Management Preventive
    Include in scope information in the audit program. CC ID 16198 Establish/Maintain Documentation Preventive
    Include the out of scope material or out of scope products in the audit program. CC ID 08962 Establish/Maintain Documentation Preventive
    Provide a representation letter in support of the audit assertion. CC ID 07158 Establish/Maintain Documentation Preventive
    Include the date of the audit in the representation letter. CC ID 16517 Audits and Risk Management Preventive
    Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 Establish/Maintain Documentation Preventive
    Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 Establish/Maintain Documentation Preventive
    Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 Establish/Maintain Documentation Preventive
    Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 Establish/Maintain Documentation Preventive
    Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 Establish/Maintain Documentation Preventive
    Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 Establish/Maintain Documentation Preventive
    Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 Establish/Maintain Documentation Preventive
    Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 Establish/Maintain Documentation Preventive
    Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 Establish/Maintain Documentation Preventive
    Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 Establish/Maintain Documentation Preventive
    Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 Establish/Maintain Documentation Preventive
    Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 Establish/Maintain Documentation Preventive
    Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 Establish/Maintain Documentation Preventive
    Establish and maintain audit assertions, as necessary. CC ID 14871 Establish/Maintain Documentation Detective
    Include an in scope system description in the audit assertion. CC ID 14872 Establish/Maintain Documentation Preventive
    Include any assumptions that are improbable in the audit assertion. CC ID 13950 Establish/Maintain Documentation Preventive
    Include investigations and legal proceedings in the audit assertion. CC ID 16846 Establish/Maintain Documentation Preventive
    Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 Establish/Maintain Documentation Preventive
    Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 Establish/Maintain Documentation Preventive
    Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 Establish/Maintain Documentation Preventive
    Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 Establish/Maintain Documentation Preventive
    Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 Establish/Maintain Documentation Preventive
    Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 Establish/Maintain Documentation Preventive
    Include the in scope procedures in the audit assertion. CC ID 06972 Establish/Maintain Documentation Preventive
    Include the in scope records produced in the audit assertion. CC ID 06968 Establish/Maintain Documentation Preventive
    Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 Establish/Maintain Documentation Preventive
    Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 Establish/Maintain Documentation Preventive
    Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 Establish/Maintain Documentation Preventive
    Include the in scope risk assessment processes in the audit assertion. CC ID 06975 Establish/Maintain Documentation Preventive
    Include in scope change controls in the audit assertion. CC ID 06976 Establish/Maintain Documentation Preventive
    Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 Establish/Maintain Documentation Preventive
    Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 Establish/Maintain Documentation Preventive
    Include the scope for the desired level of assurance in the audit program. CC ID 12793 Communicate Preventive
    Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 Establish/Maintain Documentation Preventive
    Include how access to in scope systems, personnel and in scope records are provided to the auditor in the audit terms. CC ID 06988 Establish/Maintain Documentation Preventive
    Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 Audits and Risk Management Preventive
    Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794 Establish/Maintain Documentation Preventive
    Include the expectations for the audit report in the audit terms. CC ID 07148 Establish/Maintain Documentation Preventive
    Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 Establish/Maintain Documentation Preventive
    Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 Establish/Maintain Documentation Corrective
    Establish, implement, and maintain a risk management program. CC ID 12051 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Establish/Maintain Documentation Preventive
    Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 Audits and Risk Management Preventive
    Analyze and quantify the risks to in scope systems and information. CC ID 00701 Audits and Risk Management Preventive
    Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 Audits and Risk Management Preventive
    Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467
    [{technical vulnerabilities} Information about technical vulnerabilities of information systems being used should be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk. § 12.6.1 Control]
    Audits and Risk Management Detective
    Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705
    [{technical vulnerabilities} Information about technical vulnerabilities of information systems being used should be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk. § 12.6.1 Control]
    Establish/Maintain Documentation Corrective
    Review and approve the risk assessment findings. CC ID 06485 Establish/Maintain Documentation Preventive
  • Human Resources management
    113
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Human Resources management CC ID 00763 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a personnel management program. CC ID 14018 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personnel security program. CC ID 10628 Establish/Maintain Documentation Preventive
    Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 Testing Detective
    Establish, implement, and maintain personnel screening procedures. CC ID 11700 Establish/Maintain Documentation Preventive
    Perform a background check during personnel screening. CC ID 11758
    [Background verification checks on all candidates for employment should be carried out in accordance with relevant laws, regulations and ethics and should be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. § 7.1.1 Control
    Background verification checks on all candidates for employment should be carried out in accordance with relevant laws, regulations and ethics and should be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. § 7.1.1 Control]
    Human Resources Management Detective
    Perform a personal identification check during personnel screening. CC ID 06721 Human Resources Management Preventive
    Perform a criminal records check during personnel screening. CC ID 06643 Establish/Maintain Documentation Preventive
    Include all residences in the criminal records check. CC ID 13306 Process or Activity Preventive
    Document any reasons a full criminal records check could not be performed. CC ID 13305 Establish/Maintain Documentation Preventive
    Perform a personal references check during personnel screening. CC ID 06645 Human Resources Management Preventive
    Perform a credit check during personnel screening. CC ID 06646 Human Resources Management Preventive
    Perform an academic records check during personnel screening. CC ID 06647 Establish/Maintain Documentation Preventive
    Perform a drug test during personnel screening. CC ID 06648 Testing Preventive
    Perform a resume check during personnel screening. CC ID 06659 Human Resources Management Preventive
    Perform a curriculum vitae check during personnel screening. CC ID 06660 Human Resources Management Preventive
    Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549
    [Information security responsibilities and duties that remain valid after termination or change of employment should be defined, communicated to the employee or contractor and enforced. § 7.3.1 Control]
    Establish/Maintain Documentation Preventive
    Terminate user accounts when notified that an individual is terminated. CC ID 11614 Technical Security Corrective
    Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826
    [The access rights of all employees and external party users to information and information processing facilities should be removed upon termination of their employment, contract or agreement, or adjusted upon change. § 9.2.6 Control]
    Technical Security Corrective
    Assign an owner of the personnel status change and termination procedures. CC ID 11805 Human Resources Management Preventive
    Deny access to restricted data or restricted information when a personnel status change occurs or an individual is terminated. CC ID 01309 Data and Information Management Corrective
    Notify the security manager, in writing, prior to an employee's job change. CC ID 12283 Human Resources Management Preventive
    Notify all interested personnel and affected parties when personnel status changes or an individual is terminated. CC ID 06677 Behavior Preventive
    Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630
    [Information security responsibilities and duties that remain valid after termination or change of employment should be defined, communicated to the employee or contractor and enforced. § 7.3.1 Control]
    Communicate Preventive
    Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992
    [Information security responsibilities and duties that remain valid after termination or change of employment should be defined, communicated to the employee or contractor and enforced. § 7.3.1 Control]
    Human Resources Management Preventive
    Update contact information of any individual undergoing a personnel status change, as necessary. CC ID 12692 Human Resources Management Corrective
    Disseminate and communicate the personnel status change and termination procedures to all interested personnel and affected parties. CC ID 06676 Behavior Preventive
    Conduct exit interviews upon termination of employment. CC ID 14290 Human Resources Management Preventive
    Require terminated individuals to sign an acknowledgment of post-employment requirements. CC ID 10631 Establish/Maintain Documentation Preventive
    Verify completion of each activity in the employee termination checklist when an individual is terminated. CC ID 12449 Human Resources Management Detective
    Train all personnel and third parties, as necessary. CC ID 00785
    [{security awareness, training, and education} All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function. § 7.2.2 Control
    {security awareness, training, and education} All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function. § 7.2.2 Control]
    Behavior Preventive
    Establish, implement, and maintain an education methodology. CC ID 06671 Business Processes Preventive
    Support certification programs as viable training programs. CC ID 13268 Human Resources Management Preventive
    Include evidence of experience in applications for professional certification. CC ID 16193 Establish/Maintain Documentation Preventive
    Include supporting documentation in applications for professional certification. CC ID 16195 Establish/Maintain Documentation Preventive
    Submit applications for professional certification. CC ID 16192 Training Preventive
    Retrain all personnel, as necessary. CC ID 01362
    [{security awareness, training, and education} All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function. § 7.2.2 Control
    {security awareness, training, and education} All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function. § 7.2.2 Control]
    Behavior Preventive
    Tailor training to meet published guidance on the subject being taught. CC ID 02217 Behavior Preventive
    Tailor training to be taught at each person's level of responsibility. CC ID 06674 Behavior Preventive
    Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 Behavior Preventive
    Document all training in a training record. CC ID 01423 Establish/Maintain Documentation Detective
    Use automated mechanisms in the training environment, where appropriate. CC ID 06752 Behavior Preventive
    Conduct tests and evaluate training. CC ID 06672 Testing Detective
    Hire third parties to conduct training, as necessary. CC ID 13167 Human Resources Management Preventive
    Review the current published guidance and awareness and training programs. CC ID 01245 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain training plans. CC ID 00828 Establish/Maintain Documentation Preventive
    Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 Training Detective
    Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 Training Preventive
    Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 Training Preventive
    Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 Training Detective
    Develop or acquire content to update the training plans. CC ID 12867 Training Preventive
    Designate training facilities in the training plan. CC ID 16200 Training Preventive
    Include portions of the visitor control program in the training plan. CC ID 13287 Establish/Maintain Documentation Preventive
    Include ethical culture in the training plan, as necessary. CC ID 12801 Human Resources Management Preventive
    Include in scope external requirements in the training plan, as necessary. CC ID 13041 Training Preventive
    Include duties and responsibilities in the training plan, as necessary. CC ID 12800 Human Resources Management Preventive
    Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 Training Preventive
    Include risk management in the training plan, as necessary. CC ID 13040 Training Preventive
    Conduct Archives and Records Management training. CC ID 00975 Behavior Preventive
    Conduct personal data processing training. CC ID 13757 Training Preventive
    Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 Training Preventive
    Include the cloud service usage standard in the training plan. CC ID 13039 Training Preventive
    Establish, implement, and maintain a security awareness program. CC ID 11746 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a security awareness and training policy. CC ID 14022 Establish/Maintain Documentation Preventive
    Include compliance requirements in the security awareness and training policy. CC ID 14092 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the security awareness and training policy. CC ID 14091 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain security awareness and training procedures. CC ID 14054 Establish/Maintain Documentation Preventive
    Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 Communicate Preventive
    Include management commitment in the security awareness and training policy. CC ID 14049 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the security awareness and training policy. CC ID 14048 Establish/Maintain Documentation Preventive
    Include the scope in the security awareness and training policy. CC ID 14047 Establish/Maintain Documentation Preventive
    Include the purpose in the security awareness and training policy. CC ID 14045 Establish/Maintain Documentation Preventive
    Include configuration management procedures in the security awareness program. CC ID 13967 Establish/Maintain Documentation Preventive
    Include media protection in the security awareness program. CC ID 16368 Training Preventive
    Document security awareness requirements. CC ID 12146 Establish/Maintain Documentation Preventive
    Include safeguards for information systems in the security awareness program. CC ID 13046 Establish/Maintain Documentation Preventive
    Include security policies and security standards in the security awareness program. CC ID 13045 Establish/Maintain Documentation Preventive
    Include physical security in the security awareness program. CC ID 16369 Training Preventive
    Include mobile device security guidelines in the security awareness program. CC ID 11803 Establish/Maintain Documentation Preventive
    Include updates on emerging issues in the security awareness program. CC ID 13184 Training Preventive
    Include cybersecurity in the security awareness program. CC ID 13183 Training Preventive
    Include implications of non-compliance in the security awareness program. CC ID 16425 Training Preventive
    Include the acceptable use policy in the security awareness program. CC ID 15487 Training Preventive
    Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 Establish/Maintain Documentation Preventive
    Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 Establish/Maintain Documentation Preventive
    Include remote access in the security awareness program. CC ID 13892 Establish/Maintain Documentation Preventive
    Document the goals of the security awareness program. CC ID 12145 Establish/Maintain Documentation Preventive
    Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 Establish/Maintain Documentation Preventive
    Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 Human Resources Management Preventive
    Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 Human Resources Management Preventive
    Document the scope of the security awareness program. CC ID 12148 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a security awareness baseline. CC ID 12147 Establish/Maintain Documentation Preventive
    Encourage interested personnel to obtain security certification. CC ID 11804 Human Resources Management Preventive
    Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 Behavior Preventive
    Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211
    [Employees and contractors using the organization’s information systems and services should be required to note and report any observed or suspected information security weaknesses in systems or services. § 16.1.3 Control]
    Behavior Preventive
    Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 Training Preventive
    Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363
    [Management should require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization. § 7.2.1 Control]
    Establish/Maintain Documentation Preventive
    Monitor and measure the effectiveness of security awareness. CC ID 06262 Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 Establish/Maintain Documentation Preventive
    Conduct secure coding and development training for developers. CC ID 06822 Behavior Corrective
    Conduct tampering prevention training. CC ID 11875 Training Preventive
    Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 Training Preventive
    Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 Training Preventive
    Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879 Training Preventive
    Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 Training Preventive
    Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 Training Preventive
    Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 Training Preventive
    Conduct crime prevention training. CC ID 06350 Behavior Preventive
    Analyze and evaluate training records to improve the training program. CC ID 06380 Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain a Code of Conduct. CC ID 04897 Establish/Maintain Documentation Preventive
    Include the information security responsibilities of the organization and the individual in the Terms and Conditions of employment. CC ID 12029
    [The contractual agreements with employees and contractors should state their and the organization’s responsibilities for information security. § 7.1.2 Control]
    Human Resources Management Preventive
    Implement a sanctions process for personnel who fail to comply to the organizational compliance program. CC ID 01442
    [{implement} There should be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach. § 7.2.3 Control]
    Behavior Corrective
    Notify designated personnel when a formal personnel sanctions process is initiated. CC ID 10632 Communicate Preventive
  • Leadership and high level objectives
    35
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Leadership and high level objectives CC ID 00597 IT Impact Zone IT Impact Zone
    Analyze organizational objectives, functions, and activities. CC ID 00598 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain organizational objectives. CC ID 09959 Establish/Maintain Documentation Preventive
    Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398 Establish/Maintain Documentation Preventive
    Review the organization's approach to managing information security, as necessary. CC ID 12005
    [The organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) should be reviewed independently at planned intervals or when significant changes occur. § 18.2.1 Control]
    Business Processes Preventive
    Establish, implement, and maintain an information classification standard. CC ID 00601 Establish/Maintain Documentation Preventive
    Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997
    [Information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification. § 8.2.1 Control]
    Data and Information Management Preventive
    Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996
    [Information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification. § 8.2.1 Control]
    Data and Information Management Preventive
    Classify the value of information in the information classification standard. CC ID 11995
    [Information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification. § 8.2.1 Control]
    Data and Information Management Preventive
    Classify the legal requirements of information in the information classification standard. CC ID 11994
    [Information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification. § 8.2.1 Control]
    Data and Information Management Preventive
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 Establish/Maintain Documentation Preventive
    Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688
    [Assets associated with information and information processing facilities should be identified and an inventory of these assets should be drawn up and maintained. § 8.1.1 Control
    All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements should be explicitly identified, documented and kept up to date for each information system and the organization. § 18.1.1 Control
    All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements should be explicitly identified, documented and kept up to date for each information system and the organization. § 18.1.1 Control]
    Business Processes Preventive
    Establish and maintain an Information Systems Assurance Categories Definitions document. CC ID 01608 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a policy and procedure management program. CC ID 06285 Establish/Maintain Documentation Preventive
    Establish and maintain an Authority Document list. CC ID 07113
    [All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements should be explicitly identified, documented and kept up to date for each information system and the organization. § 18.1.1 Control
    All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements should be explicitly identified, documented and kept up to date for each information system and the organization. § 18.1.1 Control]
    Establish/Maintain Documentation Preventive
    Map in scope assets and in scope records to external requirements. CC ID 12189 Establish/Maintain Documentation Detective
    Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 Establish/Maintain Documentation Preventive
    Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 Communicate Preventive
    Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 Establish/Maintain Documentation Preventive
    Classify controls according to their preventive, detective, or corrective status. CC ID 06436 Establish/Maintain Documentation Preventive
    Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 Establish/Maintain Documentation Preventive
    Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 Establish/Maintain Documentation Preventive
    Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 Establish/Maintain Documentation Corrective
    Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 Establish/Maintain Documentation Preventive
    Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 Establish/Maintain Documentation Preventive
    Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 Establish/Maintain Documentation Preventive
    Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 Establish/Maintain Documentation Preventive
    Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 Establish/Maintain Documentation Detective
    Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 Establish Roles Preventive
    Define the Information Assurance strategic roles and responsibilities. CC ID 00608 Establish Roles Preventive
    Establish and maintain a compliance oversight committee. CC ID 00765 Establish Roles Detective
    Address Information Security during the business planning processes. CC ID 06495
    [Information security should be addressed in project management, regardless of the type of the project. § 6.1.5 Control]
    Data and Information Management Preventive
    Document the requirements of stakeholders during the business planning process regarding Information Security. CC ID 06498 Establish/Maintain Documentation Preventive
  • Monitoring and measurement
    120
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Monitoring and measurement CC ID 00636 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain logging and monitoring operations. CC ID 00637
    [Event logs recording user activities, exceptions, faults and information security events should be produced, kept and regularly reviewed. § 12.4.1 Control]
    Log Management Detective
    Establish, implement, and maintain an audit and accountability policy. CC ID 14035 Establish/Maintain Documentation Preventive
    Include compliance requirements in the audit and accountability policy. CC ID 14103 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the audit and accountability policy. CC ID 14102 Establish/Maintain Documentation Preventive
    Include the purpose in the audit and accountability policy. CC ID 14100 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the audit and accountability policy. CC ID 14098 Establish/Maintain Documentation Preventive
    Include management commitment in the audit and accountability policy. CC ID 14097 Establish/Maintain Documentation Preventive
    Include the scope in the audit and accountability policy. CC ID 14096 Establish/Maintain Documentation Preventive
    Disseminate and communicate the audit and accountability policy to interested personnel and affected parties. CC ID 14095 Communicate Preventive
    Establish, implement, and maintain audit and accountability procedures. CC ID 14057 Establish/Maintain Documentation Preventive
    Disseminate and communicate the audit and accountability procedures to interested personnel and affected parties. CC ID 14137 Communicate Preventive
    Enable monitoring and logging operations on all assets that meet the organizational criteria to maintain event logs. CC ID 06312
    [Event logs recording user activities, exceptions, faults and information security events should be produced, kept and regularly reviewed. § 12.4.1 Control]
    Log Management Preventive
    Review and approve the use of continuous security management systems. CC ID 13181 Process or Activity Preventive
    Protect continuous security management systems from unauthorized use. CC ID 13097 Configuration Preventive
    Monitor and evaluate system telemetry data. CC ID 14929 Actionable Reports or Measurements Detective
    Establish, implement, and maintain an intrusion detection and prevention program. CC ID 15211 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain intrusion management operations. CC ID 00580 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain an intrusion detection and prevention policy. CC ID 15169 Establish/Maintain Documentation Preventive
    Install and maintain an Intrusion Detection System and/or Intrusion Prevention System. CC ID 00581 Configuration Preventive
    Protect each person's right to privacy and civil liberties during intrusion management operations. CC ID 10035 Behavior Preventive
    Do not intercept communications of any kind when providing a service to clients. CC ID 09985 Behavior Preventive
    Determine if honeypots should be installed, and if so, where the honeypots should be placed. CC ID 00582 Technical Security Detective
    Monitor systems for inappropriate usage and other security violations. CC ID 00585 Monitor and Evaluate Occurrences Detective
    Monitor systems for blended attacks and multiple component incidents. CC ID 01225 Monitor and Evaluate Occurrences Detective
    Monitor systems for Denial of Service attacks. CC ID 01222 Monitor and Evaluate Occurrences Detective
    Monitor systems for unauthorized data transfers. CC ID 12971 Monitor and Evaluate Occurrences Preventive
    Address operational anomalies within the incident management system. CC ID 11633 Audits and Risk Management Preventive
    Monitor systems for access to restricted data or restricted information. CC ID 04721 Monitor and Evaluate Occurrences Detective
    Assign roles and responsibilities for overseeing access to restricted data or restricted information. CC ID 11950 Human Resources Management Detective
    Detect unauthorized access to systems. CC ID 06798 Monitor and Evaluate Occurrences Detective
    Incorporate potential red flags into the organization's incident management system. CC ID 04652 Monitor and Evaluate Occurrences Detective
    Incorporate an Identity Theft Prevention Program into the organization's incident management system. CC ID 11634 Audits and Risk Management Preventive
    Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430 Monitor and Evaluate Occurrences Detective
    Alert interested personnel and affected parties when an incident causes an outage. CC ID 06808 Monitor and Evaluate Occurrences Detective
    Monitor systems for unauthorized mobile code. CC ID 10034 Monitor and Evaluate Occurrences Preventive
    Update the intrusion detection capabilities and the incident response capabilities regularly. CC ID 04653 Technical Security Preventive
    Implement honeyclients to proactively seek for malicious websites and malicious code. CC ID 10658 Technical Security Preventive
    Implement detonation chambers, where appropriate. CC ID 10670 Technical Security Preventive
    Define and assign log management roles and responsibilities. CC ID 06311 Establish Roles Preventive
    Document and communicate the log locations to the owning entity. CC ID 12047 Log Management Preventive
    Make logs available for review by the owning entity. CC ID 12046 Log Management Preventive
    Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 Log Management Detective
    Establish, implement, and maintain an event logging policy. CC ID 15217 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain event logging procedures. CC ID 01335 Log Management Detective
    Include the system components that generate audit records in the event logging procedures. CC ID 16426 Data and Information Management Preventive
    Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 Log Management Preventive
    Protect the event logs from failure. CC ID 06290 Log Management Preventive
    Overwrite the oldest records when audit logging fails. CC ID 14308 Data and Information Management Preventive
    Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427 Testing Preventive
    Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 Establish/Maintain Documentation Corrective
    Include identity information of suspects in the suspicious activity report. CC ID 16648 Establish/Maintain Documentation Preventive
    Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424 Audits and Risk Management Preventive
    Review and update event logs and audit logs, as necessary. CC ID 00596
    [System administrator and system operator activities should be logged and the logs protected and regularly reviewed. § 12.4.3 Control
    Event logs recording user activities, exceptions, faults and information security events should be produced, kept and regularly reviewed. § 12.4.1 Control]
    Log Management Detective
    Eliminate false positives in event logs and audit logs. CC ID 07047 Log Management Corrective
    Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 Log Management Detective
    Identify cybersecurity events in event logs and audit logs. CC ID 13206 Technical Security Detective
    Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925 Investigate Corrective
    Reproduce the event log if a log failure is captured. CC ID 01426 Log Management Preventive
    Document the event information to be logged in the event information log specification. CC ID 00639 Configuration Preventive
    Enable logging for all systems that meet a traceability criteria. CC ID 00640 Log Management Detective
    Enable the logging capability to capture enough information to ensure the system is functioning according to its intended purpose throughout its life cycle. CC ID 15001 Configuration Preventive
    Enable and configure logging on all network access controls. CC ID 01963 Configuration Preventive
    Analyze firewall logs for the correct capturing of data. CC ID 00549 Log Management Detective
    Synchronize system clocks to an accurate and universal time source on all devices. CC ID 01340
    [The clocks of all relevant information processing systems within an organization or security domain should be synchronised to a single reference time source. § 12.4.4 Control]
    Configuration Preventive
    Centralize network time servers to as few as practical. CC ID 06308 Configuration Preventive
    Disseminate and communicate information to customers about clock synchronization methods used by the organization. CC ID 13044 Communicate Preventive
    Define the frequency to capture and log events. CC ID 06313 Log Management Preventive
    Include logging frequencies in the event logging procedures. CC ID 00642 Log Management Preventive
    Review and update the list of auditable events in the event logging procedures. CC ID 10097 Establish/Maintain Documentation Preventive
    Monitor and evaluate system performance. CC ID 00651 Monitor and Evaluate Occurrences Detective
    Disseminate and communicate monitoring capabilities with interested personnel and affected parties. CC ID 13156 Communicate Preventive
    Disseminate and communicate statistics on resource usage with interested personnel and affected parties. CC ID 13155 Communicate Preventive
    Monitor for and react to when suspicious activities are detected. CC ID 00586 Monitor and Evaluate Occurrences Detective
    Erase payment applications when suspicious activity is confirmed. CC ID 12193 Technical Security Corrective
    Report a data loss event when non-truncated payment card numbers are outputted. CC ID 04741 Establish/Maintain Documentation Corrective
    Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of electronic information. CC ID 04727 Monitor and Evaluate Occurrences Corrective
    Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of printed records. CC ID 04728 Monitor and Evaluate Occurrences Corrective
    Report a data loss event after a security incident is detected and there are indications that the unauthorized person has accessed information in either paper or electronic form. CC ID 04740 Monitor and Evaluate Occurrences Corrective
    Report a data loss event after a security incident is detected and there are indications that the information has been or will likely be used in an unauthorized manner. CC ID 04729 Monitor and Evaluate Occurrences Corrective
    Report a data loss event after a security incident is detected and there are indications that the information has been or will likely be used in an unauthorized manner that could cause substantial economic impact. CC ID 04742 Monitor and Evaluate Occurrences Corrective
    Establish, implement, and maintain network monitoring operations. CC ID 16444 Monitor and Evaluate Occurrences Preventive
    Monitor and evaluate the effectiveness of detection tools. CC ID 13505 Investigate Detective
    Monitor and review retail payment activities, as necessary. CC ID 13541 Monitor and Evaluate Occurrences Detective
    Determine if high rates of retail payment activities are from Originating Depository Financial Institutions. CC ID 13546 Investigate Detective
    Review retail payment service reports, as necessary. CC ID 13545 Investigate Detective
    Assess customer satisfaction. CC ID 00652 Testing Detective
    Establish, implement, and maintain a continuous monitoring program for configuration management. CC ID 06757 Establish/Maintain Documentation Detective
    Include the correlation and analysis of information obtained during testing in the continuous monitoring program. CC ID 14250 Process or Activity Detective
    Establish, implement, and maintain an automated configuration monitoring system. CC ID 07058 Monitor and Evaluate Occurrences Detective
    Monitor for and report when a software configuration is updated. CC ID 06746 Monitor and Evaluate Occurrences Detective
    Notify the appropriate personnel when the software configuration is updated absent authorization. CC ID 04886 Monitor and Evaluate Occurrences Detective
    Monitor for firmware updates absent authorization. CC ID 10675 Monitor and Evaluate Occurrences Detective
    Implement file integrity monitoring. CC ID 01205 Monitor and Evaluate Occurrences Detective
    Identify unauthorized modifications during file integrity monitoring. CC ID 12096 Technical Security Detective
    Monitor for software configurations updates absent authorization. CC ID 10676 Monitor and Evaluate Occurrences Preventive
    Allow expected changes during file integrity monitoring. CC ID 12090 Technical Security Preventive
    Monitor for when documents are being updated absent authorization. CC ID 10677 Monitor and Evaluate Occurrences Preventive
    Include a change history and identify who made the changes in the file integrity monitoring report. CC ID 12091 Establish/Maintain Documentation Preventive
    Alert interested personnel and affected parties when an unauthorized modification to critical files is detected. CC ID 12045 Process or Activity Preventive
    Monitor and evaluate user account activity. CC ID 07066 Monitor and Evaluate Occurrences Detective
    Develop and maintain a usage profile for each user account. CC ID 07067 Technical Security Preventive
    Log account usage to determine dormant accounts. CC ID 12118 Log Management Detective
    Log account usage times. CC ID 07099 Log Management Detective
    Generate daily reports of user logons during hours outside of their usage profile. CC ID 07068 Monitor and Evaluate Occurrences Detective
    Generate daily reports of users who have grossly exceeded their usage profile logon duration. CC ID 07069 Monitor and Evaluate Occurrences Detective
    Log account usage durations. CC ID 12117 Monitor and Evaluate Occurrences Detective
    Notify the appropriate personnel after identifying dormant accounts. CC ID 12125 Communicate Detective
    Log Internet Protocol addresses used during logon. CC ID 07100 Log Management Detective
    Report red flags when logon credentials are used on a computer different from the one in the usage profile. CC ID 07070 Monitor and Evaluate Occurrences Detective
    Report inappropriate usage of user accounts to the appropriate personnel. CC ID 14243 Communicate Detective
    Establish, implement, and maintain a testing program. CC ID 00654 Behavior Preventive
    Establish, implement, and maintain a vulnerability management program. CC ID 15721 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 Establish/Maintain Documentation Preventive
    Perform vulnerability scans, as necessary. CC ID 11637 Technical Security Detective
    Identify and document security vulnerabilities. CC ID 11857
    [{technical vulnerabilities} Information about technical vulnerabilities of information systems being used should be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk. § 12.6.1 Control]
    Technical Security Detective
    Rank discovered vulnerabilities. CC ID 11940 Investigate Detective
    Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a log management program. CC ID 00673 Establish/Maintain Documentation Preventive
    Protect logs from unauthorized activity. CC ID 01345
    [System administrator and system operator activities should be logged and the logs protected and regularly reviewed. § 12.4.3 Control
    Logging facilities and log information should be protected against tampering and unauthorized access. § 12.4.2 Control]
    Log Management Preventive
  • Operational and Systems Continuity
    101
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Operational and Systems Continuity CC ID 00731 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a business continuity program. CC ID 13210 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a continuity framework. CC ID 00732 Establish/Maintain Documentation Preventive
    Establish and maintain the scope of the continuity framework. CC ID 11908
    [{scope} The organization should determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster. § 17.1.1 Control]
    Establish/Maintain Documentation Preventive
    Identify all stakeholders critical to the continuity of operations. CC ID 12741 Systems Continuity Detective
    Include network security in the scope of the continuity framework. CC ID 16327 Establish/Maintain Documentation Preventive
    Explain any exclusions to the scope of the continuity framework. CC ID 12236 Establish/Maintain Documentation Preventive
    Refrain from including exclusions that could affect business continuity. CC ID 12740 Records Management Preventive
    Include the organization's business products and services in the scope of the continuity framework. CC ID 12235 Establish/Maintain Documentation Preventive
    Include business units in the scope of the continuity framework. CC ID 11898 Establish/Maintain Documentation Preventive
    Include business functions in the scope of the continuity framework. CC ID 12699 Establish/Maintain Documentation Preventive
    Include information security continuity in the scope of the continuity framework. CC ID 12009 Systems Continuity Preventive
    Include affected party’s needs and interests in the scope of the continuity framework. CC ID 12698 Systems Continuity Preventive
    Establish and maintain a list of interested personnel and affected parties with whom to disseminate and communicate the continuity framework. CC ID 12242 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a continuity plan. CC ID 00752
    [The organization should establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation. § 17.1.2 Control]
    Establish/Maintain Documentation Preventive
    Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 Systems Continuity Corrective
    Identify all stakeholders in the continuity plan. CC ID 13256 Establish/Maintain Documentation Preventive
    Report changes in the continuity plan to senior management. CC ID 12757 Communicate Corrective
    Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 Communicate Preventive
    Maintain normal security levels when an emergency occurs. CC ID 06377 Systems Continuity Preventive
    Execute fail-safe procedures when an emergency occurs. CC ID 07108 Systems Continuity Preventive
    Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 Establish/Maintain Documentation Preventive
    Lead or manage business continuity and system continuity, as necessary. CC ID 12240 Human Resources Management Preventive
    Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 Establish/Maintain Documentation Preventive
    Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 Human Resources Management Preventive
    Include the in scope system's location in the continuity plan. CC ID 16246 Systems Continuity Preventive
    Include the system description in the continuity plan. CC ID 16241 Systems Continuity Preventive
    Establish, implement, and maintain redundant systems. CC ID 16354 Configuration Preventive
    Include identification procedures in the continuity plan, as necessary. CC ID 14372 Establish/Maintain Documentation Preventive
    Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 Behavior Preventive
    Include the continuity strategy in the continuity plan. CC ID 13189 Establish/Maintain Documentation Preventive
    Restore systems and environments to be operational. CC ID 13476 Systems Continuity Corrective
    Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 Establish/Maintain Documentation Preventive
    Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 Technical Security Preventive
    Document and use the lessons learned to update the continuity plan. CC ID 10037 Establish/Maintain Documentation Preventive
    Monitor and evaluate business continuity management system performance. CC ID 12410 Monitor and Evaluate Occurrences Detective
    Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 Process or Activity Preventive
    Record business continuity management system performance for posterity. CC ID 12411 Monitor and Evaluate Occurrences Preventive
    Coordinate continuity planning with community organizations, as necessary. CC ID 13259 Process or Activity Preventive
    Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 Establish/Maintain Documentation Preventive
    Include incident management procedures in the continuity plan. CC ID 13244 Establish/Maintain Documentation Preventive
    Include the use of virtual meeting tools in the continuity plan. CC ID 14390 Establish/Maintain Documentation Preventive
    Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 Establish/Maintain Documentation Preventive
    Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 Establish Roles Preventive
    Establish, implement, and maintain the continuity procedures. CC ID 14236 Establish/Maintain Documentation Corrective
    Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 Communicate Preventive
    Document the uninterrupted power requirements for all in scope systems. CC ID 06707 Establish/Maintain Documentation Preventive
    Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 Configuration Preventive
    Install a generator sized to support the facility. CC ID 06709 Configuration Preventive
    Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 Acquisition/Sale of Assets or Services Preventive
    Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 Establish/Maintain Documentation Preventive
    Include notifications to alternate facilities in the continuity plan. CC ID 13220 Establish/Maintain Documentation Preventive
    Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 Systems Continuity Preventive
    Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the organization's call tree. CC ID 01167 Testing Detective
    Establish, implement, and maintain damage assessment procedures. CC ID 01267 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a recovery plan. CC ID 13288 Establish/Maintain Documentation Preventive
    Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 Communicate Preventive
    Include procedures to restore network connectivity in the recovery plan. CC ID 16250 Establish/Maintain Documentation Preventive
    Include addressing backup failures in the recovery plan. CC ID 13298 Establish/Maintain Documentation Preventive
    Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 Human Resources Management Preventive
    Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 Establish/Maintain Documentation Preventive
    Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 Establish/Maintain Documentation Preventive
    Include the criteria for activation in the recovery plan. CC ID 13293 Establish/Maintain Documentation Preventive
    Include escalation procedures in the recovery plan. CC ID 16248 Establish/Maintain Documentation Preventive
    Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 Establish/Maintain Documentation Preventive
    Determine the cause for the activation of the recovery plan. CC ID 13291 Investigate Detective
    Test the recovery plan, as necessary. CC ID 13290 Testing Detective
    Test the backup information, as necessary. CC ID 13303 Testing Detective
    Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 Establish/Maintain Documentation Detective
    Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 Communicate Preventive
    Include restoration procedures in the continuity plan. CC ID 01169 Establish Roles Preventive
    Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 Establish/Maintain Documentation Preventive
    Include the recovery plan in the continuity plan. CC ID 01377 Establish/Maintain Documentation Preventive
    Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 Communicate Preventive
    Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 Systems Continuity Preventive
    Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 Systems Continuity Preventive
    Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664 Systems Continuity Preventive
    Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 Systems Continuity Corrective
    Establish, implement, and maintain system continuity plan strategies. CC ID 00735 Establish/Maintain Documentation Preventive
    Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258
    [Backup copies of information, software and system images should be taken and tested regularly in accordance with an agreed backup policy. § 12.3.1 Control]
    Systems Continuity Preventive
    Determine which data elements to back up. CC ID 13483 Data and Information Management Detective
    Document the backup method and backup frequency on a case-by-case basis in the backup procedures. CC ID 01384 Systems Continuity Preventive
    Establish and maintain off-site electronic media storage facilities. CC ID 00957 Physical and Environmental Protection Preventive
    Separate the off-site electronic media storage facilities from the primary facility through geographic separation. CC ID 01390 Testing Detective
    Configure the off-site electronic media storage facilities to utilize timely and effective recovery operations. CC ID 01392 Configuration Preventive
    Outline explicit mitigation actions for potential off-site electronic media storage facilities accessibility issues for when area-wide disruptions occur or area-wide disasters occur. CC ID 01393 Establish/Maintain Documentation Preventive
    Review the security of the off-site electronic media storage facilities, as necessary. CC ID 00573 Systems Continuity Detective
    Store backup media at an off-site electronic media storage facility. CC ID 01332 Data and Information Management Preventive
    Transport backup media in lockable electronic media storage containers. CC ID 01264 Data and Information Management Preventive
    Store backup media in a fire-rated container which is not collocated with the operational system. CC ID 14289 Systems Continuity Preventive
    Identify the access methods for backup media at both the primary facility and the off-site electronic media storage facility. CC ID 01257 Data and Information Management Preventive
    Store backup vital records in a manner that is accessible for emergency retrieval. CC ID 12765 Systems Continuity Preventive
    Establish, implement, and maintain security controls to protect offsite data. CC ID 16259 Data and Information Management Preventive
    Perform backup procedures for in scope systems. CC ID 11692 Process or Activity Preventive
    Test backup media for media integrity and information integrity, as necessary. CC ID 01401
    [Backup copies of information, software and system images should be taken and tested regularly in accordance with an agreed backup policy. § 12.3.1 Control]
    Testing Detective
    Test backup media at the alternate facility in addition to testing at the primary facility. CC ID 06375 Testing Detective
    Validate information security continuity controls regularly. CC ID 12008
    [The organization should verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations. § 17.1.3 Control]
    Systems Continuity Preventive
  • Operational management
    390
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Operational management CC ID 00805 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a capacity management plan. CC ID 11751 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain future system capacity forecasting methods. CC ID 01617
    [The use of resources should be monitored, tuned and projections made of future capacity requirements to ensure the required system performance. § 12.1.3 Control]
    Business Processes Preventive
    Align critical Information Technology resource availability planning with capacity planning. CC ID 01618 Business Processes Preventive
    Limit any effects of a Denial of Service attack. CC ID 06754
    [Information processing facilities should be implemented with redundancy sufficient to meet availability requirements. § 17.2.1 Control]
    Technical Security Preventive
    Implement network redundancy, as necessary. CC ID 13048 Systems Continuity Preventive
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an internal control framework. CC ID 00820 Establish/Maintain Documentation Preventive
    Measure policy compliance when reviewing the internal control framework. CC ID 06442
    [{security standards} Managers should regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. § 18.2.2 Control
    {security standards} Managers should regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. § 18.2.2 Control]
    Actionable Reports or Measurements Corrective
    Include security information sharing procedures in the internal control framework. CC ID 06489 Establish/Maintain Documentation Preventive
    Share security information with interested personnel and affected parties. CC ID 11732
    [Appropriate contacts with special interest groups or other specialist security forums and professional associations should be maintained. § 6.1.4 Control]
    Communicate Preventive
    Include security incident response procedures in the internal control framework. CC ID 01359
    [{management procedures} Management responsibilities and procedures should be established to ensure a quick, effective and orderly response to information security incidents. § 16.1.1 Control]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an information security program. CC ID 00812 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an information security policy. CC ID 11740
    [A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties. § 5.1.1 Control
    A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties. § 5.1.1 Control
    The policies for information security should be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness. § 5.1.2 Control]
    Establish/Maintain Documentation Preventive
    Align the information security policy with the organization's risk acceptance level. CC ID 13042 Business Processes Preventive
    Include business processes in the information security policy. CC ID 16326 Establish/Maintain Documentation Preventive
    Include the information security strategy in the information security policy. CC ID 16125 Establish/Maintain Documentation Preventive
    Include a commitment to continuous improvement in the information security policy. CC ID 16123 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the information security policy. CC ID 16120 Establish/Maintain Documentation Preventive
    Include a commitment to the information security requirements in the information security policy. CC ID 13496 Establish/Maintain Documentation Preventive
    Include information security objectives in the information security policy. CC ID 13493 Establish/Maintain Documentation Preventive
    Include the use of Cloud Services in the information security policy. CC ID 13146 Establish/Maintain Documentation Preventive
    Include notification procedures in the information security policy. CC ID 16842 Establish/Maintain Documentation Preventive
    Approve the information security policy at the organization's management level or higher. CC ID 11737
    [A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties. § 5.1.1 Control]
    Process or Activity Preventive
    Establish, implement, and maintain information security procedures. CC ID 12006 Business Processes Preventive
    Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 Establish/Maintain Documentation Preventive
    Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 Communicate Preventive
    Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 Establish/Maintain Documentation Preventive
    Assign ownership of the information security program to the appropriate role. CC ID 00814 Establish Roles Preventive
    Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885
    [All information security responsibilities should be defined and allocated. § 6.1.1 Control
    All information security responsibilities should be defined and allocated. § 6.1.1 Control]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739
    [A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties. § 5.1.1 Control]
    Communicate Preventive
    Establish, implement, and maintain operational control procedures. CC ID 00831 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826
    [Operating procedures should be documented and made available to all users who need them. § 12.1.1 Control]
    Establish/Maintain Documentation Preventive
    Use systems in accordance with the standard operating procedures manual. CC ID 15049 Process or Activity Preventive
    Include metrics in the standard operating procedures manual. CC ID 14988 Establish/Maintain Documentation Preventive
    Include maintenance measures in the standard operating procedures manual. CC ID 14986 Establish/Maintain Documentation Preventive
    Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 Establish/Maintain Documentation Preventive
    Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 Establish/Maintain Documentation Preventive
    Include predetermined changes in the standard operating procedures manual. CC ID 14977 Establish/Maintain Documentation Preventive
    Include specifications for input data in the standard operating procedures manual. CC ID 14975 Establish/Maintain Documentation Preventive
    Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 Establish/Maintain Documentation Preventive
    Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 Establish/Maintain Documentation Preventive
    Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 Establish/Maintain Documentation Preventive
    Include the intended purpose in the standard operating procedures manual. CC ID 14967 Establish/Maintain Documentation Preventive
    Include information on system performance in the standard operating procedures manual. CC ID 14965 Establish/Maintain Documentation Preventive
    Include contact details in the standard operating procedures manual. CC ID 14962 Establish/Maintain Documentation Preventive
    Include information sharing procedures in standard operating procedures. CC ID 12974 Records Management Preventive
    Establish, implement, and maintain information sharing agreements. CC ID 15645 Business Processes Preventive
    Provide support for information sharing activities. CC ID 15644 Process or Activity Preventive
    Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 Business Processes Preventive
    Update operating procedures that contribute to user errors. CC ID 06935 Establish/Maintain Documentation Corrective
    Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026
    [Operating procedures should be documented and made available to all users who need them. § 12.1.1 Control]
    Communicate Preventive
    Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350
    [Rules for the acceptable use of information and of assets associated with information and information processing facilities should be identified, documented and implemented. § 8.1.3 Control]
    Establish/Maintain Documentation Preventive
    Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 Establish/Maintain Documentation Preventive
    Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 Establish/Maintain Documentation Preventive
    Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 Establish/Maintain Documentation Preventive
    Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 Establish/Maintain Documentation Preventive
    Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 Establish/Maintain Documentation Preventive
    Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 Establish/Maintain Documentation Preventive
    Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 Establish/Maintain Documentation Preventive
    Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 Establish/Maintain Documentation Preventive
    Include a web usage policy in the Acceptable Use Policy. CC ID 16496 Establish/Maintain Documentation Preventive
    Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 Establish/Maintain Documentation Preventive
    Include asset tags in the Acceptable Use Policy. CC ID 01354 Establish/Maintain Documentation Preventive
    Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 Establish/Maintain Documentation Preventive
    Include asset use policies in the Acceptable Use Policy. CC ID 01355
    [Rules for the acceptable use of information and of assets associated with information and information processing facilities should be identified, documented and implemented. § 8.1.3 Control]
    Establish/Maintain Documentation Preventive
    Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 Establish/Maintain Documentation Preventive
    Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 Establish/Maintain Documentation Preventive
    Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 Technical Security Preventive
    Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 Establish/Maintain Documentation Preventive
    Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 Data and Information Management Preventive
    Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 Establish/Maintain Documentation Preventive
    Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 Establish/Maintain Documentation Preventive
    Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 Establish/Maintain Documentation Preventive
    Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 Establish/Maintain Documentation Preventive
    Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 Establish/Maintain Documentation Corrective
    Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 Establish/Maintain Documentation Preventive
    Include a software installation policy in the Acceptable Use Policy. CC ID 06749
    [Procedures should be implemented to control the installation of software on operational systems. § 12.5.1 Control
    Rules governing the installation of software by users should be established and implemented. § 12.6.2 Control]
    Establish/Maintain Documentation Preventive
    Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 Communicate Preventive
    Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 Establish/Maintain Documentation Preventive
    Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512
    [Appropriate procedures should be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products. § 18.1.2 Control]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain nondisclosure agreements. CC ID 04536
    [{confidentiality agreements} {identified and documented} Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information should be identified, regularly reviewed and documented. § 13.2.4 Control
    {confidentiality agreements} {identified and documented} Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information should be identified, regularly reviewed and documented. § 13.2.4 Control]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 Communicate Preventive
    Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 Establish/Maintain Documentation Preventive
    Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 Establish/Maintain Documentation Preventive
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Business Processes Preventive
    Review systems for compliance with organizational information security policies. CC ID 12004
    [{information security standard} Information systems should be regularly reviewed for compliance with the organization’s information security policies and standards. § 18.2.3 Control]
    Business Processes Preventive
    Establish, implement, and maintain an Asset Management program. CC ID 06630
    [Procedures for handling assets should be developed and implemented in accordance with the information classification scheme adopted by the organization. § 8.2.3 Control]
    Business Processes Preventive
    Establish, implement, and maintain an asset management policy. CC ID 15219 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the asset management policy. CC ID 16424 Business Processes Preventive
    Establish, implement, and maintain asset management procedures. CC ID 16748 Establish/Maintain Documentation Preventive
    Assign an information owner to organizational assets, as necessary. CC ID 12729 Human Resources Management Preventive
    Define and prioritize the importance of each asset in the asset management program. CC ID 16837 Business Processes Preventive
    Include life cycle requirements in the security management program. CC ID 16392 Establish/Maintain Documentation Preventive
    Include program objectives in the asset management program. CC ID 14413 Establish/Maintain Documentation Preventive
    Include a commitment to continual improvement in the asset management program. CC ID 14412 Establish/Maintain Documentation Preventive
    Include compliance with applicable requirements in the asset management program. CC ID 14411 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain administrative controls over all assets. CC ID 16400 Business Processes Preventive
    Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 Establish/Maintain Documentation Preventive
    Apply security controls to each level of the information classification standard. CC ID 01903 Systems Design, Build, and Implementation Preventive
    Establish, implement, and maintain the systems' confidentiality level. CC ID 01904 Establish/Maintain Documentation Preventive
    Define confidentiality controls. CC ID 01908 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the systems' availability level. CC ID 01905 Establish/Maintain Documentation Preventive
    Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 Process or Activity Preventive
    Define integrity controls. CC ID 01909 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the systems' integrity level. CC ID 01906 Establish/Maintain Documentation Preventive
    Define availability controls. CC ID 01911 Establish/Maintain Documentation Preventive
    Establish safety classifications for systems according to their potential harmful effects to operators or end users. CC ID 06603 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an asset safety classification scheme. CC ID 06604 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the Asset Classification Policy. CC ID 06642 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851 Communicate Preventive
    Classify assets according to the Asset Classification Policy. CC ID 07186 Establish Roles Preventive
    Classify virtual systems by type and purpose. CC ID 16332 Business Processes Preventive
    Document the decision for assigning an asset to a specific asset classification in the Asset Classification Policy. CC ID 07185 Establish/Maintain Documentation Preventive
    Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184 Establish Roles Preventive
    Disallow systems from processing information, disseminating and communicating information, or storing information that is above the system's assigned asset classification. CC ID 06606 Configuration Preventive
    Assign decomposed system components the same asset classification as the originating system. CC ID 06605 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an asset inventory. CC ID 06631 Business Processes Preventive
    Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689
    [Assets associated with information and information processing facilities should be identified and an inventory of these assets should be drawn up and maintained. § 8.1.1 Control]
    Establish/Maintain Documentation Preventive
    Include all account types in the Information Technology inventory. CC ID 13311 Establish/Maintain Documentation Preventive
    Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 Systems Design, Build, and Implementation Preventive
    Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289 Data and Information Management Preventive
    Include each Information System's major applications in the Information Technology inventory. CC ID 01407 Establish/Maintain Documentation Preventive
    Categorize all major applications according to the business information they process. CC ID 07182 Establish/Maintain Documentation Preventive
    Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 Establish/Maintain Documentation Preventive
    Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 Establish/Maintain Documentation Preventive
    Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 Establish/Maintain Documentation Preventive
    Conduct environmental surveys. CC ID 00690 Physical and Environmental Protection Preventive
    Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a hardware asset inventory. CC ID 00691 Establish/Maintain Documentation Preventive
    Include network equipment in the Information Technology inventory. CC ID 00693 Establish/Maintain Documentation Preventive
    Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 Establish/Maintain Documentation Preventive
    Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 Process or Activity Preventive
    Include software in the Information Technology inventory. CC ID 00692 Establish/Maintain Documentation Preventive
    Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a storage media inventory. CC ID 00694 Establish/Maintain Documentation Preventive
    Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 Establish/Maintain Documentation Detective
    Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 Establish/Maintain Documentation Preventive
    Add inventoried assets to the asset register database, as necessary. CC ID 07051 Establish/Maintain Documentation Preventive
    Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 Monitor and Evaluate Occurrences Corrective
    Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 Monitor and Evaluate Occurrences Corrective
    Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181 Establish/Maintain Documentation Preventive
    Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 Technical Security Preventive
    Link the authentication system to the asset inventory. CC ID 13718 Technical Security Preventive
    Record a unique name for each asset in the asset inventory. CC ID 16305 Data and Information Management Preventive
    Record the decommission date for applicable assets in the asset inventory. CC ID 14920 Establish/Maintain Documentation Preventive
    Record the status of information systems in the asset inventory. CC ID 16304 Data and Information Management Preventive
    Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 Data and Information Management Preventive
    Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 Establish/Maintain Documentation Preventive
    Include source code in the asset inventory. CC ID 14858 Records Management Preventive
    Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 Human Resources Management Preventive
    Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 Technical Security Detective
    Record the review date for applicable assets in the asset inventory. CC ID 14919 Establish/Maintain Documentation Preventive
    Record software license information for each asset in the asset inventory. CC ID 11736 Data and Information Management Preventive
    Record services for applicable assets in the asset inventory. CC ID 13733 Establish/Maintain Documentation Preventive
    Record protocols for applicable assets in the asset inventory. CC ID 13734 Establish/Maintain Documentation Preventive
    Record the software version in the asset inventory. CC ID 12196 Establish/Maintain Documentation Preventive
    Record the publisher for applicable assets in the asset inventory. CC ID 13725 Establish/Maintain Documentation Preventive
    Record the authentication system in the asset inventory. CC ID 13724 Establish/Maintain Documentation Preventive
    Tag unsupported assets in the asset inventory. CC ID 13723 Establish/Maintain Documentation Preventive
    Record the install date for applicable assets in the asset inventory. CC ID 13720 Establish/Maintain Documentation Preventive
    Record the make, model of device for applicable assets in the asset inventory. CC ID 12465 Establish/Maintain Documentation Preventive
    Record the asset tag for physical assets in the asset inventory. CC ID 06632 Establish/Maintain Documentation Preventive
    Record the host name of applicable assets in the asset inventory. CC ID 13722 Establish/Maintain Documentation Preventive
    Record network ports for applicable assets in the asset inventory. CC ID 13730 Establish/Maintain Documentation Preventive
    Record the MAC address for applicable assets in the asset inventory. CC ID 13721 Establish/Maintain Documentation Preventive
    Record the operating system version for applicable assets in the asset inventory. CC ID 11748 Data and Information Management Preventive
    Record the operating system type for applicable assets in the asset inventory. CC ID 06633 Establish/Maintain Documentation Preventive
    Record rooms at external locations in the asset inventory. CC ID 16302 Data and Information Management Preventive
    Record the department associated with the asset in the asset inventory. CC ID 12084 Establish/Maintain Documentation Preventive
    Record the physical location for applicable assets in the asset inventory. CC ID 06634 Establish/Maintain Documentation Preventive
    Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 Establish/Maintain Documentation Preventive
    Record the firmware version for applicable assets in the asset inventory. CC ID 12195 Establish/Maintain Documentation Preventive
    Record the related business function for applicable assets in the asset inventory. CC ID 06636 Establish/Maintain Documentation Preventive
    Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 Establish/Maintain Documentation Preventive
    Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 Establish/Maintain Documentation Preventive
    Record trusted keys and certificates in the asset inventory. CC ID 15486 Data and Information Management Preventive
    Record cipher suites and protocols in the asset inventory. CC ID 15489 Data and Information Management Preventive
    Link the software asset inventory to the hardware asset inventory. CC ID 12085 Establish/Maintain Documentation Preventive
    Record the owner for applicable assets in the asset inventory. CC ID 06640
    [Assets maintained in the inventory should be owned. § 8.1.2 Control]
    Establish/Maintain Documentation Preventive
    Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 Establish/Maintain Documentation Preventive
    Record all changes to assets in the asset inventory. CC ID 12190 Establish/Maintain Documentation Preventive
    Record cloud service derived data in the asset inventory. CC ID 13007 Establish/Maintain Documentation Preventive
    Include cloud service customer data in the asset inventory. CC ID 13006 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a software accountability policy. CC ID 00868 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain software asset management procedures. CC ID 00895 Establish/Maintain Documentation Preventive
    Prevent users from disabling required software. CC ID 16417 Technical Security Preventive
    Establish, implement, and maintain software archives procedures. CC ID 00866 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain software distribution procedures. CC ID 00894 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain software documentation management procedures. CC ID 06395 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain software license management procedures. CC ID 06639
    [Appropriate procedures should be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products. § 18.1.2 Control]
    Establish/Maintain Documentation Preventive
    Automate software license monitoring, as necessary. CC ID 07057 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain digital legacy procedures. CC ID 16524 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a system redeployment program. CC ID 06276 Establish/Maintain Documentation Preventive
    Test systems for malicious code prior to when the system will be redeployed. CC ID 06339 Testing Detective
    Notify interested personnel and affected parties prior to when the system is redeployed or the system is disposed. CC ID 06400 Behavior Preventive
    Wipe all data on systems prior to when the system is redeployed or the system is disposed. CC ID 06401 Data and Information Management Preventive
    Transfer legal ownership of assets when the system is redeployed to a third party. CC ID 06698 Acquisition/Sale of Assets or Services Preventive
    Document the staff's operating knowledge of the system prior to a personnel status change. CC ID 06937 Establish/Maintain Documentation Preventive
    Redeploy systems to other organizational units, as necessary. CC ID 11452 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a system disposal program. CC ID 14431 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain disposal procedures. CC ID 16513 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain asset sanitization procedures. CC ID 16511 Establish/Maintain Documentation Preventive
    Destroy systems in accordance with the system disposal program. CC ID 16457 Business Processes Preventive
    Approve the release of systems and waste material into the public domain. CC ID 16461 Business Processes Preventive
    Establish, implement, and maintain system destruction procedures. CC ID 16474 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain printer and multifunction device disposition procedures. CC ID 15216 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a system preventive maintenance program. CC ID 00885
    [Equipment should be correctly maintained to ensure its continued availability and integrity. § 11.2.4 Control]
    Establish/Maintain Documentation Preventive
    Establish and maintain maintenance reports. CC ID 11749 Establish/Maintain Documentation Preventive
    Establish and maintain system inspection reports. CC ID 06346 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a system maintenance policy. CC ID 14032 Establish/Maintain Documentation Preventive
    Include compliance requirements in the system maintenance policy. CC ID 14217 Establish/Maintain Documentation Preventive
    Include management commitment in the system maintenance policy. CC ID 14216 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the system maintenance policy. CC ID 14215 Establish/Maintain Documentation Preventive
    Include the scope in the system maintenance policy. CC ID 14214 Establish/Maintain Documentation Preventive
    Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 Communicate Preventive
    Include the purpose in the system maintenance policy. CC ID 14187 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the system maintenance policy. CC ID 14181 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain system maintenance procedures. CC ID 14059 Establish/Maintain Documentation Preventive
    Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 Communicate Preventive
    Establish, implement, and maintain a technology refresh plan. CC ID 13061 Establish/Maintain Documentation Preventive
    Plan and conduct maintenance so that it does not interfere with scheduled operations. CC ID 06389 Physical and Environmental Protection Preventive
    Maintain contact with the device manufacturer or component manufacturer for maintenance requests. CC ID 06388 Behavior Preventive
    Use system components only when third party support is available. CC ID 10644 Maintenance Preventive
    Obtain justification for the continued use of system components when third party support is no longer available. CC ID 10645 Maintenance Preventive
    Control and monitor all maintenance tools. CC ID 01432 Physical and Environmental Protection Detective
    Obtain approval before removing maintenance tools from the facility. CC ID 14298 Business Processes Preventive
    Control remote maintenance according to the system's asset classification. CC ID 01433 Technical Security Preventive
    Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption. CC ID 10614 Configuration Preventive
    Approve all remote maintenance sessions. CC ID 10615 Technical Security Preventive
    Log the performance of all remote maintenance. CC ID 13202 Log Management Preventive
    Terminate remote maintenance sessions when the remote maintenance is complete. CC ID 12083 Technical Security Preventive
    Conduct offsite maintenance in authorized facilities. CC ID 16473 Maintenance Preventive
    Conduct maintenance with authorized personnel. CC ID 01434 Testing Detective
    Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 Maintenance Preventive
    Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 Maintenance Preventive
    Respond to maintenance requests inside the organizationally established time frame. CC ID 04878 Behavior Preventive
    Establish and maintain an archive of maintenance reports in a maintenance log. CC ID 06202 Establish/Maintain Documentation Preventive
    Acquire spare parts prior to when maintenance requests are scheduled. CC ID 11833 Acquisition/Sale of Assets or Services Preventive
    Perform periodic maintenance according to organizational standards. CC ID 01435 Behavior Preventive
    Restart systems on a periodic basis. CC ID 16498 Maintenance Preventive
    Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 Maintenance Preventive
    Employ dedicated systems during system maintenance. CC ID 12108 Technical Security Preventive
    Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 Technical Security Preventive
    Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 Human Resources Management Preventive
    Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 Physical and Environmental Protection Preventive
    Calibrate assets according to the calibration procedures for the asset. CC ID 06203 Testing Detective
    Post calibration limits or calibration tolerances on or near assets requiring calibration. CC ID 06204 Establish/Maintain Documentation Preventive
    Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 Process or Activity Preventive
    Refrain from protecting physical assets when no longer required. CC ID 13484 Physical and Environmental Protection Corrective
    Disassemble and shut down unnecessary systems or unused systems. CC ID 06280 Business Processes Preventive
    Establish, implement, and maintain an end-of-life management process. CC ID 16540 Establish/Maintain Documentation Preventive
    Dispose of hardware and software at their life cycle end. CC ID 06278 Business Processes Preventive
    Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200 Business Processes Preventive
    Establish, implement, and maintain disposal contracts. CC ID 12199 Establish/Maintain Documentation Preventive
    Include disposal procedures in disposal contracts. CC ID 13905 Establish/Maintain Documentation Preventive
    Remove asset tags prior to disposal of an asset. CC ID 12198 Business Processes Preventive
    Document the storage information for all systems that are stored instead of being disposed or redeployed. CC ID 06936 Establish/Maintain Documentation Preventive
    Test for detrimental environmental factors after a system is disposed. CC ID 06938 Testing Detective
    Review each system's operational readiness. CC ID 06275 Systems Design, Build, and Implementation Preventive
    Establish, implement, and maintain a data stewardship policy. CC ID 06657 Establish/Maintain Documentation Preventive
    Establish and maintain an unauthorized software list. CC ID 10601 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a customer service program. CC ID 00846 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an Incident Management program. CC ID 00853 Business Processes Preventive
    Include detection procedures in the Incident Management program. CC ID 00588 Establish/Maintain Documentation Preventive
    Categorize the incident following an incident response. CC ID 13208 Technical Security Preventive
    Determine the incident severity level when assessing the security incidents. CC ID 01650
    [Information security events should be assessed and it should be decided if they are to be classified as information security incidents. § 16.1.4 Control]
    Monitor and Evaluate Occurrences Corrective
    Assess all incidents to determine what information was accessed. CC ID 01226
    [Information security events should be assessed and it should be decided if they are to be classified as information security incidents. § 16.1.4 Control]
    Testing Corrective
    Check the precursors and indicators when assessing the security incidents. CC ID 01761 Monitor and Evaluate Occurrences Corrective
    Analyze security violations in Suspicious Activity Reports. CC ID 00591 Establish/Maintain Documentation Preventive
    Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234
    [{information security incidents} Knowledge gained from analysing and resolving information security incidents should be used to reduce the likelihood or impact of future incidents. § 16.1.6 Control]
    Monitor and Evaluate Occurrences Preventive
    Include incident reporting procedures in the Incident Management program. CC ID 11772
    [Information security events should be reported through appropriate management channels as quickly as possible. § 16.1.2 Control]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 Communicate Preventive
    Establish, implement, and maintain an Incident Response program. CC ID 00579 Establish/Maintain Documentation Preventive
    Include incident response team structures in the Incident Response program. CC ID 01237 Establish/Maintain Documentation Preventive
    Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652
    [{management procedures} Management responsibilities and procedures should be established to ensure a quick, effective and orderly response to information security incidents. § 16.1.1 Control]
    Establish Roles Preventive
    Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 Establish Roles Preventive
    Open a priority incident request after a security breach is detected. CC ID 04838 Testing Corrective
    Activate the incident response notification procedures after a security breach is detected. CC ID 04839 Testing Corrective
    Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 Communicate Corrective
    Include the head of information security's roles and responsibilities in the Incident Response program. CC ID 01878 Establish Roles Preventive
    Include the customer database owner's roles and responsibilities in the Incident Response program. CC ID 01879 Establish Roles Preventive
    Include the online sales department's roles and responsibilities in the Incident Response program. CC ID 01880 Establish Roles Preventive
    Include the incident response point of contact for credit card payment system's roles and responsibilities in the Incident Response program. CC ID 01881 Establish Roles Preventive
    Include the organizational legal counsel's roles and responsibilities in the Incident Response program. CC ID 01882 Establish Roles Preventive
    Include the Human Resources point of contact's roles and responsibilities in the Incident Response program. CC ID 01883 Establish Roles Preventive
    Include the organizational incident response network architecture point of contact's roles and responsibilities in the Incident Response program. CC ID 01884 Establish Roles Preventive
    Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program. CC ID 01885 Establish Roles Preventive
    Include the organizational incident response location manager's roles and responsibilities in the Incident Response program. CC ID 01886 Establish Roles Preventive
    Assign the distribution of security alerts to the appropriate role in the incident response program. CC ID 11887 Human Resources Management Preventive
    Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program. CC ID 11886 Investigate Detective
    Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473 Establish/Maintain Documentation Preventive
    Assign the distribution of incident response procedures to the appropriate role in the incident response program. CC ID 12474 Communicate Preventive
    Establish, implement, and maintain incident response procedures. CC ID 01206
    [Information security incidents should be responded to in accordance with the documented procedures. § 16.1.5 Control]
    Establish/Maintain Documentation Detective
    Include references to industry best practices in the incident response procedures. CC ID 11956 Establish/Maintain Documentation Preventive
    Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 Establish/Maintain Documentation Preventive
    Respond when an integrity violation is detected, as necessary. CC ID 10678 Technical Security Corrective
    Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 Technical Security Corrective
    Restart systems when an integrity violation is detected, as necessary. CC ID 10680 Technical Security Corrective
    Maintain contact with breach notification organizations for notification purposes in the event a privacy breach has occurred. CC ID 01213
    [Appropriate contacts with relevant authorities should be maintained. § 6.1.3 Control]
    Behavior Preventive
    Establish, implement, and maintain a digital forensic evidence framework. CC ID 08652 Establish/Maintain Documentation Preventive
    Define the business scenarios that require digital forensic evidence. CC ID 08653 Establish/Maintain Documentation Preventive
    Define the circumstances for collecting digital forensic evidence. CC ID 08657
    [The organization should define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence. § 16.1.7 Control]
    Establish/Maintain Documentation Preventive
    Conduct forensic investigations in the event of a security compromise. CC ID 11951 Investigate Corrective
    Identify potential sources of digital forensic evidence. CC ID 08651
    [The organization should define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence. § 16.1.7 Control]
    Investigate Preventive
    Establish, implement, and maintain a digital forensic evidence collection program. CC ID 08655
    [The organization should define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence. § 16.1.7 Control]
    Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the digital forensic evidence collection program. CC ID 15724 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain secure storage and handling of evidence procedures. CC ID 08656
    [The organization should define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence. § 16.1.7 Control]
    Records Management Preventive
    Establish, implement, and maintain a performance management standard. CC ID 01615 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain rate limiting filters. CC ID 06883 Business Processes Preventive
    Establish, implement, and maintain system capacity monitoring procedures. CC ID 01619
    [The use of resources should be monitored, tuned and projections made of future capacity requirements to ensure the required system performance. § 12.1.3 Control]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a Service Level Agreement framework. CC ID 00839 Establish/Maintain Documentation Preventive
    Include the security mechanisms of network services in the Service Level Agreement. CC ID 12023
    [Security mechanisms, service levels and management requirements of all network services should be identified and included in network services agreements, whether these services are provided in-house or outsourced. § 13.1.2 Control]
    Establish/Maintain Documentation Preventive
    Include the management requirements for network services in the Service Level Agreement. CC ID 12025
    [Security mechanisms, service levels and management requirements of all network services should be identified and included in network services agreements, whether these services are provided in-house or outsourced. § 13.1.2 Control]
    Establish/Maintain Documentation Preventive
    Include the service levels for network services in the Service Level Agreement. CC ID 12024
    [Security mechanisms, service levels and management requirements of all network services should be identified and included in network services agreements, whether these services are provided in-house or outsourced. § 13.1.2 Control]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a change control program. CC ID 00886
    [Changes to the organization, business processes, information processing facilities and systems that affect information security should be controlled. § 12.1.2 Control
    Changes to systems within the development lifecycle should be controlled by the use of formal change control procedures. § 14.2.2 Control]
    Establish/Maintain Documentation Preventive
    Include potential consequences of unintended changes in the change control program. CC ID 12243 Establish/Maintain Documentation Preventive
    Include version control in the change control program. CC ID 13119 Establish/Maintain Documentation Preventive
    Include service design and transition in the change control program. CC ID 13920 Establish/Maintain Documentation Preventive
    Separate the production environment from development environment or test environment for the change control process. CC ID 11864 Maintenance Preventive
    Integrate configuration management procedures into the change control program. CC ID 13646 Technical Security Preventive
    Establish, implement, and maintain a back-out plan. CC ID 13623 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373 Establish/Maintain Documentation Preventive
    Approve back-out plans, as necessary. CC ID 13627 Establish/Maintain Documentation Corrective
    Manage change requests. CC ID 00887
    [Modifications to software packages should be discouraged, limited to necessary changes and all changes should be strictly controlled. § 14.2.4 Control]
    Business Processes Preventive
    Include documentation of the impact level of proposed changes in the change request. CC ID 11942 Establish/Maintain Documentation Preventive
    Establish and maintain a change request approver list. CC ID 06795 Establish/Maintain Documentation Preventive
    Document all change requests in change request forms. CC ID 06794 Establish/Maintain Documentation Preventive
    Test proposed changes prior to their approval. CC ID 00548 Testing Detective
    Examine all changes to ensure they correspond with the change request. CC ID 12345
    [Modifications to software packages should be discouraged, limited to necessary changes and all changes should be strictly controlled. § 14.2.4 Control]
    Business Processes Detective
    Approve tested change requests. CC ID 11783 Data and Information Management Preventive
    Validate the system before implementing approved changes. CC ID 01510
    [When operating platforms are changed, business critical applications should be reviewed and tested to ensure there is no adverse impact on organizational operations or security. § 14.2.3 Control]
    Systems Design, Build, and Implementation Preventive
    Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 Behavior Preventive
    Establish, implement, and maintain emergency change procedures. CC ID 00890 Establish/Maintain Documentation Preventive
    Perform emergency changes, as necessary. CC ID 12707 Process or Activity Preventive
    Back up emergency changes after the change has been performed. CC ID 12734 Process or Activity Preventive
    Log emergency changes after they have been performed. CC ID 12733 Establish/Maintain Documentation Preventive
    Perform risk assessments prior to approving change requests. CC ID 00888 Testing Preventive
    Conduct network certifications prior to approving change requests for networks. CC ID 13121 Process or Activity Detective
    Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 Investigate Detective
    Collect data about the network environment when certifying the network. CC ID 13125 Investigate Detective
    Implement changes according to the change control program. CC ID 11776 Business Processes Preventive
    Provide audit trails for all approved changes. CC ID 13120 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a patch management program. CC ID 00896 Process or Activity Preventive
    Document the sources of all software updates. CC ID 13316 Establish/Maintain Documentation Preventive
    Implement patch management software, as necessary. CC ID 12094 Technical Security Preventive
    Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087 Technical Security Preventive
    Establish, implement, and maintain a patch management policy. CC ID 16432 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain patch management procedures. CC ID 15224 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a patch log. CC ID 01642 Establish/Maintain Documentation Preventive
    Review the patch log for missing patches. CC ID 13186 Technical Security Detective
    Perform a patch test prior to deploying a patch. CC ID 00898 Testing Detective
    Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 Business Processes Preventive
    Deploy software patches in accordance with organizational standards. CC ID 07032 Configuration Corrective
    Test software patches for any potential compromise of the system's security. CC ID 13175 Testing Detective
    Patch software. CC ID 11825 Technical Security Corrective
    Patch the operating system, as necessary. CC ID 11824 Technical Security Corrective
    Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 Configuration Corrective
    Remove outdated software after software has been updated. CC ID 11792 Configuration Corrective
    Update computer firmware, as necessary. CC ID 11755 Configuration Corrective
    Review changes to computer firmware. CC ID 12226 Testing Detective
    Certify changes to computer firmware are free of malicious logic. CC ID 12227 Testing Detective
    Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671 Configuration Corrective
    Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682 Technical Security Detective
    Establish, implement, and maintain a software release policy. CC ID 00893 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain traceability documentation. CC ID 16388 Systems Design, Build, and Implementation Preventive
    Disseminate and communicate software update information to users and regulators. CC ID 06602 Behavior Preventive
    Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809 Data and Information Management Preventive
    Mitigate the adverse effects of unauthorized changes. CC ID 12244 Business Processes Corrective
    Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391 Establish/Maintain Documentation Detective
    Test the system's operational functionality after implementing approved changes. CC ID 06294 Testing Detective
    Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541
    [Acceptance testing programs and related criteria should be established for new information systems, upgrades and new versions. § 14.2.9 Control]
    Testing Detective
    Establish, implement, and maintain a change acceptance testing log. CC ID 06392 Establish/Maintain Documentation Corrective
    Update associated documentation after the system configuration has been changed. CC ID 00891 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a configuration change log. CC ID 08710 Configuration Detective
    Document approved configuration deviations. CC ID 08711 Establish/Maintain Documentation Corrective
    Document the organization's local environments. CC ID 06726
    [To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. § 5.1 Objective
    To establish a management framework to initiate and control the implementation and operation of information security within the organization. § 6.1 Objective
    To ensure the security of teleworking and use of mobile devices. § 6.2 Objective
    To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered. § 7.1 Objective
    To ensure that employees and contractors are aware of and fulfill their information security responsibilities. § 7.2 Objective
    To protect the organization’s interests as part of the process of changing or terminating employment. § 7.3 Objective
    To identify organizational assets and define appropriate protection responsibilities. § 8.1 Objective
    To prevent unauthorized disclosure, modification, removal or destruction of information stored on media. § 8.3 Objective
    To limit access to information and information processing facilities. § 9.1 Objective
    To ensure authorized user access and to prevent unauthorized access to systems and services. § 9.2 Objective
    To make users accountable for safeguarding their authentication information. § 9.3 Objective
    To prevent unauthorized access to systems and applications. § 9.4 Objective
    To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information. § 10.1 Objective
    To prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities. § 11.1 Objective
    To prevent loss, damage, theft or compromise of assets and interruption to the organization’s operations. § 11.2 Objective
    To ensure correct and secure operations of information processing facilities. § 12.1 Objective
    To ensure that information and information processing facilities are protected against malware. § 12.2 Objective
    To protect against loss of data. § 12.3 Objective
    To record events and generate evidence. § 12.4 Objective
    To ensure the integrity of operational systems. § 12.5 Objective
    To prevent exploitation of technical vulnerabilities. § 12.6 Objective
    To minimise the impact of audit activities on operational systems. § 12.7 Objective
    To ensure the protection of information in networks and its supporting information processing facilities. § 13.1 Objective
    To maintain the security of information transferred within an organization and with any external entity. § 13.2 Objective
    To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks. § 14.1 Objective
    To ensure that information security is designed and implemented within the development lifecycle of information systems. § 14.2 Objective
    To ensure protection of the organization’s assets that is accessible by suppliers. § 15.1 Objective
    To maintain an agreed level of information security and service delivery in line with supplier agreements. § 15.2 Objective
    To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses. § 16.1 Objective
    Information security continuity should be embedded in the organization’s business continuity management systems. § 17.1 Objective
    To ensure availability of information processing facilities. § 17.2 Objective
    To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements. § 18.1 Objective
    To ensure that information security is implemented and operated in accordance with the organizational policies and procedures. § 18.2 Objective
    To ensure that information receives an appropriate level of protection in accordance with its importance to the organization. § 8.2 Objective
    To ensure the protection of data used for testing. § 14.3 Objective]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain local environment security profiles. CC ID 07037 Establish/Maintain Documentation Preventive
    Include individuals assigned to the local environment in the local environment security profile. CC ID 07038 Establish/Maintain Documentation Preventive
    Include security requirements in the local environment security profile. CC ID 15717 Establish/Maintain Documentation Preventive
    Include the business processes assigned to the local environment in the local environment security profile. CC ID 07039 Establish/Maintain Documentation Preventive
    Include the technology used in the local environment in the local environment security profile. CC ID 07040 Establish/Maintain Documentation Preventive
    Include contact information for critical personnel assigned to the local environment in the local environment security profile. CC ID 07041 Establish/Maintain Documentation Preventive
    Include facility information for the local environment in the local environment security profile. CC ID 07042 Establish/Maintain Documentation Preventive
    Include facility access information for the local environment in the local environment security profile. CC ID 11773 Establish/Maintain Documentation Preventive
    Disseminate and communicate the local environment security profile to interested personnel and affected parties. CC ID 15716 Communicate Preventive
    Update the local environment security profile, as necessary. CC ID 07043 Establish/Maintain Documentation Preventive
  • Physical and environmental protection
    242
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Physical and environmental protection CC ID 00709 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a physical security program. CC ID 11757 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an anti-tamper protection program. CC ID 10638 Monitor and Evaluate Occurrences Detective
    Protect assets from tampering or unapproved substitution. CC ID 11902
    [Logging facilities and log information should be protected against tampering and unauthorized access. § 12.4.2 Control]
    Physical and Environmental Protection Preventive
    Establish, implement, and maintain a facility physical security program. CC ID 00711
    [Physical security for offices, rooms and facilities should be designed and applied. § 11.1.3 Control]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain opening procedures for businesses. CC ID 16671 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain closing procedures for businesses. CC ID 16670 Establish/Maintain Documentation Preventive
    Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 Establish/Maintain Documentation Preventive
    Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 Behavior Preventive
    Protect the facility from crime. CC ID 06347 Physical and Environmental Protection Preventive
    Define communication methods for reporting crimes. CC ID 06349 Establish/Maintain Documentation Preventive
    Include identification cards or badges in the physical security program. CC ID 14818 Establish/Maintain Documentation Preventive
    Protect facilities from eavesdropping. CC ID 02222 Physical and Environmental Protection Preventive
    Inspect telephones for eavesdropping devices. CC ID 02223 Physical and Environmental Protection Detective
    Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 Technical Security Preventive
    Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 Establish/Maintain Documentation Preventive
    Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 Physical and Environmental Protection Preventive
    Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 Physical and Environmental Protection Preventive
    Create security zones in facilities, as necessary. CC ID 16295 Physical and Environmental Protection Preventive
    Establish clear zones around any sensitive facilities. CC ID 02214 Physical and Environmental Protection Preventive
    Establish, implement, and maintain floor plans. CC ID 16419 Establish/Maintain Documentation Preventive
    Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 Establish/Maintain Documentation Preventive
    Post floor plans of critical facilities in secure locations. CC ID 16138 Communicate Preventive
    Post and maintain security signage for all facilities. CC ID 02201 Establish/Maintain Documentation Preventive
    Inspect items brought into the facility. CC ID 06341 Physical and Environmental Protection Preventive
    Maintain all physical security systems. CC ID 02206 Physical and Environmental Protection Preventive
    Detect anomalies in physical barriers. CC ID 13533 Investigate Detective
    Maintain all security alarm systems. CC ID 11669 Physical and Environmental Protection Preventive
    Identify and document physical access controls for all physical entry points. CC ID 01637
    [Secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. § 11.1.2 Control]
    Establish/Maintain Documentation Preventive
    Control physical access to (and within) the facility. CC ID 01329 Physical and Environmental Protection Preventive
    Establish, implement, and maintain physical access procedures. CC ID 13629 Establish/Maintain Documentation Preventive
    Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419 Physical and Environmental Protection Preventive
    Secure physical entry points with physical access controls or security guards. CC ID 01640 Physical and Environmental Protection Detective
    Configure the access control system to grant access only during authorized working hours. CC ID 12325 Physical and Environmental Protection Preventive
    Establish, implement, and maintain a visitor access permission policy. CC ID 06699 Establish/Maintain Documentation Preventive
    Escort visitors within the facility, as necessary. CC ID 06417 Establish/Maintain Documentation Preventive
    Check the visitor's stated identity against a provided government issued identification. CC ID 06701 Physical and Environmental Protection Preventive
    Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330 Testing Preventive
    Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 Behavior Preventive
    Establish, implement, and maintain procedures for changing a visitor's access requirements. CC ID 12048 Establish/Maintain Documentation Preventive
    Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 Establish/Maintain Documentation Preventive
    Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463 Physical and Environmental Protection Corrective
    Authorize physical access to sensitive areas based on job functions. CC ID 12462 Establish/Maintain Documentation Preventive
    Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain physical identification procedures. CC ID 00713 Establish/Maintain Documentation Preventive
    Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 Human Resources Management Preventive
    Implement physical identification processes. CC ID 13715 Process or Activity Preventive
    Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 Process or Activity Preventive
    Issue photo identification badges to all employees. CC ID 12326 Physical and Environmental Protection Preventive
    Implement operational requirements for card readers. CC ID 02225 Testing Preventive
    Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 Establish/Maintain Documentation Preventive
    Document all lost badges in a lost badge list. CC ID 12448 Establish/Maintain Documentation Corrective
    Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 Physical and Environmental Protection Preventive
    Manage constituent identification inside the facility. CC ID 02215 Behavior Preventive
    Direct each employee to be responsible for their identification card or badge. CC ID 12332 Human Resources Management Preventive
    Manage visitor identification inside the facility. CC ID 11670 Physical and Environmental Protection Preventive
    Issue visitor identification badges to all non-employees. CC ID 00543 Behavior Preventive
    Secure unissued visitor identification badges. CC ID 06712 Physical and Environmental Protection Preventive
    Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 Behavior Preventive
    Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 Physical and Environmental Protection Preventive
    Establish, implement, and maintain identification issuance procedures for identification cards or badges. CC ID 06598 Establish/Maintain Documentation Preventive
    Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714 Process or Activity Preventive
    Include error handling controls in identification issuance procedures. CC ID 13709 Establish/Maintain Documentation Preventive
    Include an appeal process in the identification issuance procedures. CC ID 15428 Business Processes Preventive
    Include information security in the identification issuance procedures. CC ID 15425 Establish/Maintain Documentation Preventive
    Include identity proofing processes in the identification issuance procedures. CC ID 06597 Process or Activity Preventive
    Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 Establish/Maintain Documentation Preventive
    Include an identity registration process in the identification issuance procedures. CC ID 11671 Establish/Maintain Documentation Preventive
    Restrict access to the badge system to authorized personnel. CC ID 12043 Physical and Environmental Protection Preventive
    Enforce dual control for badge assignments. CC ID 12328 Physical and Environmental Protection Preventive
    Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 Physical and Environmental Protection Preventive
    Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 Physical and Environmental Protection Preventive
    Establish, implement, and maintain identification renewal procedures for identification cards or badges. CC ID 06599 Establish/Maintain Documentation Preventive
    Assign employees the responsibility for controlling their identification badges. CC ID 12333 Human Resources Management Preventive
    Establish, implement, and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain identification mechanism termination procedures. CC ID 06306 Establish/Maintain Documentation Preventive
    Prevent tailgating through physical entry points. CC ID 06685 Physical and Environmental Protection Preventive
    Establish, implement, and maintain a door security standard. CC ID 06686 Establish/Maintain Documentation Preventive
    Install doors so that exposed hinges are on the secured side. CC ID 06687 Configuration Preventive
    Install emergency doors to permit egress only. CC ID 06688 Configuration Preventive
    Install contact alarms on doors, as necessary. CC ID 06710 Configuration Preventive
    Use locks to protect against unauthorized physical access. CC ID 06342 Physical and Environmental Protection Preventive
    Use locks with electronic authentication systems or cipher locks, as necessary. CC ID 06650 Configuration Preventive
    Test locks for physical security vulnerabilities. CC ID 04880 Testing Detective
    Secure unissued access mechanisms. CC ID 06713 Technical Security Preventive
    Establish, implement, and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems. CC ID 00748 Establish/Maintain Documentation Preventive
    Change cipher lock codes, as necessary. CC ID 06651 Technical Security Preventive
    Record the assigned access mechanism serial number or cipher lock code when issuing controlled items. CC ID 06715 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a window security standard. CC ID 06689 Establish/Maintain Documentation Preventive
    Install contact alarms on openable windows, as necessary. CC ID 06690 Configuration Preventive
    Install glass break alarms on windows, as necessary. CC ID 06691 Configuration Preventive
    Post signs at all physical entry points stating the organization's right to inspect upon entry. CC ID 02204 Establish/Maintain Documentation Preventive
    Install and maintain security lighting at all physical entry points. CC ID 02205 Physical and Environmental Protection Preventive
    Use vandal resistant light fixtures for all security lighting. CC ID 16130 Physical and Environmental Protection Preventive
    Manage access to loading docks, unloading docks, and mail rooms. CC ID 02210
    [{delivery area} Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises should be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access. § 11.1.6 Control]
    Physical and Environmental Protection Preventive
    Secure the loading dock with physical access controls or security guards. CC ID 06703 Physical and Environmental Protection Preventive
    Isolate loading areas from information processing facilities, if possible. CC ID 12028
    [{delivery area} Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises should be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access. § 11.1.6 Control]
    Physical and Environmental Protection Preventive
    Screen incoming mail and deliveries. CC ID 06719 Physical and Environmental Protection Preventive
    Protect access to the facility's mechanical systems area. CC ID 02212 Physical and Environmental Protection Preventive
    Establish, implement, and maintain elevator security guidelines. CC ID 02232 Physical and Environmental Protection Preventive
    Establish, implement, and maintain stairwell security guidelines. CC ID 02233 Physical and Environmental Protection Preventive
    Establish, implement, and maintain glass opening security guidelines. CC ID 02234 Physical and Environmental Protection Preventive
    Establish, implement, and maintain after hours facility access procedures. CC ID 06340 Establish/Maintain Documentation Preventive
    Establish a security room, if necessary. CC ID 00738 Physical and Environmental Protection Preventive
    Implement physical security standards for mainframe rooms or data centers. CC ID 00749 Physical and Environmental Protection Preventive
    Establish and maintain equipment security cages in a shared space environment. CC ID 06711 Physical and Environmental Protection Preventive
    Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 Physical and Environmental Protection Preventive
    Lock all lockable equipment cabinets. CC ID 11673 Physical and Environmental Protection Detective
    Establish, implement, and maintain vault physical security standards. CC ID 02203 Physical and Environmental Protection Preventive
    Establish, implement, and maintain a guideline for working in a secure area. CC ID 04538
    [Procedures for working in secure areas should be designed and applied. § 11.1.5 Control]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain emergency re-entry procedures. CC ID 11672 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain emergency exit procedures. CC ID 01252 Establish/Maintain Documentation Preventive
    Establish, Implement, and maintain a camera operating policy. CC ID 15456 Establish/Maintain Documentation Preventive
    Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 Communicate Preventive
    Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638 Monitor and Evaluate Occurrences Detective
    Establish and maintain a visitor log. CC ID 00715 Log Management Preventive
    Report anomalies in the visitor log to appropriate personnel. CC ID 14755 Investigate Detective
    Require all visitors to sign in to the visitor log before the entrance of a visitor to the facility. CC ID 06700 Establish/Maintain Documentation Preventive
    Require all visitors to sign out of the visitor log before the exit of a visitor from the facility. CC ID 06649 Behavior Preventive
    Record the visitor's name in the visitor log. CC ID 00557 Log Management Preventive
    Record the visitor's organization in the visitor log. CC ID 12121 Log Management Preventive
    Record the visitor's acceptable access areas in the visitor log. CC ID 12237 Log Management Preventive
    Record the date and time of entry in the visitor log. CC ID 13255 Establish/Maintain Documentation Preventive
    Record the onsite personnel authorizing physical access for the visitor in the visitor log. CC ID 12466 Establish/Maintain Documentation Preventive
    Retain all records in the visitor log as prescribed by law. CC ID 00572 Log Management Preventive
    Establish, implement, and maintain a physical access log. CC ID 12080 Establish/Maintain Documentation Preventive
    Log the entrance of a staff member to a facility or designated rooms within the facility. CC ID 01641 Log Management Preventive
    Log when the vault is accessed. CC ID 06725 Log Management Detective
    Log when the cabinet is accessed. CC ID 11674 Log Management Detective
    Store facility access logs in off-site storage. CC ID 06958 Log Management Preventive
    Log the exit of a staff member to a facility or designated rooms within the facility. CC ID 11675 Monitor and Evaluate Occurrences Preventive
    Observe restricted areas with motion detectors or closed-circuit television systems. CC ID 01328 Monitor and Evaluate Occurrences Detective
    Review and correlate all data collected from video cameras and/or access control mechanisms with other entries. CC ID 11609 Monitor and Evaluate Occurrences Detective
    Configure video cameras to cover all physical entry points. CC ID 06302 Configuration Preventive
    Configure video cameras to prevent physical tampering or disablement. CC ID 06303 Configuration Preventive
    Retain video events according to Records Management procedures. CC ID 06304 Records Management Preventive
    Monitor physical entry point alarms. CC ID 01639 Physical and Environmental Protection Detective
    Evaluate and react to when unauthorized access is detected by physical entry point alarms. CC ID 11677 Monitor and Evaluate Occurrences Detective
    Monitor for alarmed security doors being propped open. CC ID 06684 Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain physical security threat reports. CC ID 02207 Establish/Maintain Documentation Preventive
    Build and maintain fencing, as necessary. CC ID 02235
    [{sensitive information} Security perimeters should be defined and used to protect areas that contain either sensitive or critical information and information processing facilities. § 11.1.1 Control]
    Physical and Environmental Protection Preventive
    Implement security measures for all interior spaces that allow for any payment transactions. CC ID 06352 Physical and Environmental Protection Preventive
    Physically segregate business areas in accordance with organizational standards. CC ID 16718 Physical and Environmental Protection Preventive
    Employ security guards to provide physical security, as necessary. CC ID 06653 Establish Roles Preventive
    Establish, implement, and maintain a facility wall standard. CC ID 06692 Establish/Maintain Documentation Preventive
    Design interior walls with sound absorbing materials as well as thermal resistant materials. CC ID 06372 Physical and Environmental Protection Preventive
    Design interior walls that provide security to extend from true floor to true ceiling. CC ID 06693 Configuration Preventive
    Refrain from search and seizure inside organizational facilities absent a warrant. CC ID 09980 Behavior Preventive
    Disallow either search or seizure of any person inside organizational facilities absent a warrant. CC ID 09981 Behavior Preventive
    Disallow copying or excerpting from documents, books, or records that are on or in the premises of an organizational facility absent a warrant. CC ID 09982 Business Processes Preventive
    Disallow inspecting computers or searching computer records inside organizational facilities absent a warrant. CC ID 09983 Behavior Preventive
    Do nothing to help during a search and seizure inside organizational facilities absent a warrant and being legally compelled to assist. CC ID 09984 Behavior Preventive
    Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 Physical and Environmental Protection Preventive
    Control the transiting and internal distribution or external distribution of assets. CC ID 00963
    [Media containing information should be protected against unauthorized access, misuse or corruption during transportation. § 8.3.3 Control]
    Records Management Preventive
    Log the transiting, internal distribution, and external distribution of restricted storage media. CC ID 12321 Log Management Preventive
    Encrypt digital media containing sensitive information during transport outside controlled areas. CC ID 14258 Technical Security Preventive
    Obtain management authorization for restricted storage media transit or distribution from a controlled access area. CC ID 00964 Records Management Preventive
    Use locked containers to transport non-digital media outside of controlled areas. CC ID 14286 Physical and Environmental Protection Preventive
    Transport restricted media using a delivery method that can be tracked. CC ID 11777 Business Processes Preventive
    Track restricted storage media while it is in transit. CC ID 00967 Data and Information Management Detective
    Restrict physical access to distributed assets. CC ID 11865
    [{environmental hazards} Equipment should be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. § 11.2.1 Control]
    Physical and Environmental Protection Preventive
    House network hardware in lockable rooms or lockable equipment cabinets. CC ID 01873 Physical and Environmental Protection Preventive
    Protect electronic storage media with physical access controls. CC ID 00720 Physical and Environmental Protection Preventive
    Protect distributed assets against theft. CC ID 06799 Physical and Environmental Protection Preventive
    Establish, implement, and maintain asset removal procedures or asset decommissioning procedures. CC ID 04540 Establish/Maintain Documentation Preventive
    Prohibit assets from being taken off-site absent prior authorization. CC ID 12027
    [Equipment, information or software should not be taken off-site without prior authorization. § 11.2.5 Control]
    Process or Activity Preventive
    Establish, implement, and maintain off-site physical controls for all distributed assets. CC ID 04539
    [Security should be applied to off-site assets taking into account the different risks of working outside the organization’s premises. § 11.2.6 Control]
    Physical and Environmental Protection Preventive
    Establish, implement, and maintain end user computing device security guidelines. CC ID 00719
    [Users should ensure that unattended equipment has appropriate protection. § 11.2.8 Control]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a locking screen saver policy. CC ID 06717 Establish/Maintain Documentation Preventive
    Encrypt information stored on devices in publicly accessible areas. CC ID 16410 Data and Information Management Preventive
    Secure workstations to desks with security cables. CC ID 04724 Physical and Environmental Protection Preventive
    Establish, implement, and maintain mobile device security guidelines. CC ID 04723
    [A policy and supporting security measures should be adopted to manage the risks introduced by using mobile devices. § 6.2.1 Control
    A policy and supporting security measures should be adopted to manage the risks introduced by using mobile devices. § 6.2.1 Control]
    Establish/Maintain Documentation Preventive
    Require users to refrain from leaving mobile devices unattended. CC ID 16446 Business Processes Preventive
    Wipe information from mobile devices after a predetermined number of unsuccessful logon attempts. CC ID 14242 Data and Information Management Preventive
    Include the expectation of data loss in the event of sanitizing the mobile device in the mobile device security guidelines. CC ID 12292 Establish/Maintain Documentation Preventive
    Include legal requirements in the mobile device security guidelines. CC ID 12291 Establish/Maintain Documentation Preventive
    Include the use of privacy filters in the mobile device security guidelines. CC ID 16452 Physical and Environmental Protection Preventive
    Include prohibiting the usage of unapproved application stores in the mobile device security guidelines. CC ID 12290 Establish/Maintain Documentation Preventive
    Include requiring users to create data backups in the mobile device security guidelines. CC ID 12289 Establish/Maintain Documentation Preventive
    Include the definition of mobile devices in the mobile device security guidelines. CC ID 12288 Establish/Maintain Documentation Preventive
    Refrain from responding to unsolicited Personal Identification Number requests. CC ID 12430 Physical and Environmental Protection Preventive
    Refrain from pairing Bluetooth devices in unsecured areas. CC ID 12429 Physical and Environmental Protection Preventive
    Encrypt information stored on mobile devices. CC ID 01422 Data and Information Management Preventive
    Separate systems that transmit, process, or store restricted data from those that do not by deploying physical access controls. CC ID 00722
    [{sensitive information} Security perimeters should be defined and used to protect areas that contain either sensitive or critical information and information processing facilities. § 11.1.1 Control]
    Physical and Environmental Protection Preventive
    Establish, implement, and maintain asset return procedures. CC ID 04537 Establish/Maintain Documentation Preventive
    Require the return of all assets upon notification an individual is terminated. CC ID 06679
    [{require} All employees and external party users should return all of the organizational assets in their possession upon termination of their employment, contract or agreement. § 8.1.4 Control]
    Behavior Preventive
    Establish, implement, and maintain a clean desk policy. CC ID 06534
    [A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities should be adopted. § 11.2.9 Control]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a clear screen policy. CC ID 12436
    [A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities should be adopted. § 11.2.9 Control]
    Technical Security Preventive
    Establish, implement, and maintain an environmental control program. CC ID 00724
    [Physical protection against natural disasters, malicious attack or accidents should be designed and applied. § 11.1.4 Control]
    Physical and Environmental Protection Preventive
    Establish, implement, and maintain clean energy standards. CC ID 16285 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain environmental control procedures. CC ID 12246 Establish/Maintain Documentation Preventive
    Establish and maintain a telecommunications equipment room, as necessary. CC ID 06708 Configuration Preventive
    Protect power equipment and power cabling from damage or destruction. CC ID 01438
    [{power cabling} Power and telecommunications cabling carrying data or supporting information services should be protected from interception, interference or damage. § 11.2.3 Control
    Equipment should be protected from power failures and other disruptions caused by failures in supporting utilities. § 11.2.2 Control]
    Physical and Environmental Protection Preventive
    Install and maintain power distribution boards. CC ID 16486 Systems Design, Build, and Implementation Preventive
    Establish, implement, and maintain a battery room, as necessary. CC ID 06706 Configuration Preventive
    Establish and maintain a generator room, as necessary. CC ID 06704 Configuration Preventive
    Place the Uninterruptible Power Supply in the generator room, as necessary. CC ID 11676 Physical and Environmental Protection Preventive
    Establish, implement, and maintain facility maintenance procedures. CC ID 00710 Establish/Maintain Documentation Preventive
    Design the Information Technology facility with consideration given to natural disasters and man-made disasters. CC ID 00712 Physical and Environmental Protection Preventive
    Design the Information Technology facility with a low profile. CC ID 16140 Physical and Environmental Protection Preventive
    Prohibit signage indicating computer room location and uses. CC ID 06343 Physical and Environmental Protection Preventive
    Require critical facilities to have adequate room for facility maintenance. CC ID 06361 Physical and Environmental Protection Preventive
    Require critical facilities to have adequate room for evacuation. CC ID 11686 Physical and Environmental Protection Preventive
    Build critical facilities according to applicable building codes. CC ID 06366 Physical and Environmental Protection Preventive
    Build critical facilities with fire resistant materials. CC ID 06365 Physical and Environmental Protection Preventive
    Build critical facilities with materials that limit electromagnetic interference. CC ID 16131 Physical and Environmental Protection Preventive
    Build critical facilities with water-resistant materials. CC ID 11679 Physical and Environmental Protection Preventive
    Monitor operational conditions at unmanned facilities. CC ID 06327 Physical and Environmental Protection Preventive
    Remotely control operational conditions at unmanned facilities. CC ID 11680 Technical Security Preventive
    Inspect and maintain the facility and supporting assets. CC ID 06345 Physical and Environmental Protection Preventive
    Test and inspect assets under full load working conditions. CC ID 06356 Testing Detective
    Define selection criteria for facility locations. CC ID 06351 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain facility demolition procedures. CC ID 16133 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain work environment requirements. CC ID 06613 Establish/Maintain Documentation Preventive
    Apply noise-prevention devices to organizational assets, as necessary. CC ID 16141 Physical and Environmental Protection Preventive
    Establish, implement, and maintain system cleanliness requirements. CC ID 06614 Establish/Maintain Documentation Preventive
    House system components in areas where the physical damage potential is minimized. CC ID 01623
    [{environmental hazards} Equipment should be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. § 11.2.1 Control]
    Physical and Environmental Protection Preventive
    Establish, implement, and maintain a fire prevention and fire suppression standard. CC ID 06695 Establish/Maintain Documentation Preventive
    Install and maintain fire protection equipment. CC ID 00728 Configuration Preventive
    Install and maintain fire suppression systems. CC ID 00729 Configuration Preventive
    Install and maintain smoke detectors. CC ID 15264 Physical and Environmental Protection Preventive
    Conduct periodic fire marshal inspections for all organizational facilities. CC ID 04888 Physical and Environmental Protection Preventive
    Install and maintain fire-retarding divisions such as fire doors in accordance with applicable building codes. CC ID 06362 Physical and Environmental Protection Preventive
    Conduct fire drills, as necessary. CC ID 13985 Process or Activity Preventive
    Employ environmental protections. CC ID 12570 Process or Activity Preventive
    Monitor and review environmental protections. CC ID 12571 Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain electromagnetic compatibility requirements for in scope assets. CC ID 16472 Establish/Maintain Documentation Preventive
    Install and maintain seismic detectors in critical facilities. CC ID 06364 Physical and Environmental Protection Detective
    Protect physical assets against static electricity, as necessary. CC ID 06363 Physical and Environmental Protection Preventive
    Install and maintain emergency lighting for use in a power failure. CC ID 01440 Physical and Environmental Protection Preventive
    Install and maintain lightning protection mechanisms in critical facilities. CC ID 06367 Physical and Environmental Protection Preventive
    Establish, implement, and maintain pest control systems in organizational facilities. CC ID 16139 Physical and Environmental Protection Preventive
    Establish, implement, and maintain a Heating Ventilation and Air Conditioning system. CC ID 00727 Configuration Preventive
    Install and maintain an environment control monitoring system. CC ID 06370 Monitor and Evaluate Occurrences Detective
    Protect air intakes into the organizational facility. CC ID 02211 Physical and Environmental Protection Preventive
    Install and maintain dust collection and filtering as a part of the Heating Ventilation and Air Conditioning system. CC ID 06368 Configuration Preventive
    Install and maintain backup Heating Ventilation and Air Conditioning equipment. CC ID 06369 Configuration Preventive
    Install and maintain a moisture control system as a part of the climate control system. CC ID 06694 Configuration Preventive
    Install and maintain hydrogen sensors, as necessary. CC ID 06705 Configuration Preventive
    Protect physical assets from water damage. CC ID 00730 Configuration Preventive
    Notify interested personnel and affected parties when water is detected in the vicinity of information systems. CC ID 14252 Communicate Preventive
    Install and maintain water detection devices. CC ID 11678 Physical and Environmental Protection Preventive
  • Privacy protection for information and data
    1006
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Privacy protection for information and data CC ID 00008 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850
    [Privacy and protection of personally identifiable information should be ensured as required in relevant legislation and regulation where applicable. § 18.1.4 Control
    Privacy and protection of personally identifiable information should be ensured as required in relevant legislation and regulation where applicable. § 18.1.4 Control]
    Establish/Maintain Documentation Preventive
    Include the roles and responsibilities of the organization's legal counsel in the privacy framework. CC ID 14862 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personal data transparency program. CC ID 00375 Data and Information Management Preventive
    Establish and maintain privacy notices, as necessary. CC ID 13443 Establish/Maintain Documentation Preventive
    Include the purpose of the privacy notice in the privacy notice. CC ID 13526 Establish/Maintain Documentation Preventive
    Include the processing purpose in the privacy notice. CC ID 16543 Establish/Maintain Documentation Preventive
    Include contact information in the privacy notice. CC ID 14432 Establish/Maintain Documentation Preventive
    Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503 Establish/Maintain Documentation Preventive
    Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 Establish/Maintain Documentation Preventive
    Include instructions on how to opt out of personal data disclosure in the privacy notice. CC ID 13461 Establish/Maintain Documentation Preventive
    Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459 Establish/Maintain Documentation Preventive
    Include the organization's policies, standards, and procedures in the privacy notice. CC ID 13455 Establish/Maintain Documentation Preventive
    Include the organization's privacy framework in the privacy notice, as necessary. CC ID 13456 Establish/Maintain Documentation Preventive
    Include the personal data collection categories in the privacy notice. CC ID 13457 Establish/Maintain Documentation Preventive
    Include disclosure exceptions in the privacy notice. CC ID 13447 Establish/Maintain Documentation Preventive
    Include the types of personal data disclosed in the privacy notice. CC ID 13446 Establish/Maintain Documentation Preventive
    Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458 Establish/Maintain Documentation Preventive
    Specify the time frame that notice will be given. CC ID 00385 Establish/Maintain Documentation Preventive
    Include the information about the appeal process in the privacy notice. CC ID 15312 Establish/Maintain Documentation Preventive
    Combine privacy notices into a joint notification with suppliers, as necessary. CC ID 13468 Establish/Maintain Documentation Preventive
    Refrain from delivering privacy notices to data subjects, as necessary. CC ID 13445 Communicate Preventive
    Deliver privacy notices to data subjects, as necessary. CC ID 13444 Communicate Preventive
    Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464 Establish/Maintain Documentation Preventive
    Update privacy notices, as necessary. CC ID 13474 Communicate Preventive
    Redeliver privacy notices, as necessary. CC ID 14850 Communicate Preventive
    Deliver privacy notices to third parties, as necessary. CC ID 13473 Communicate Preventive
    Obtain acknowledgment of receipt of the privacy notice. CC ID 14435 Communicate Preventive
    Document any reasons acknowledgment of the privacy notice was not received. CC ID 14434 Establish/Maintain Documentation Corrective
    Establish and maintain short-form initial notifications of privacy notices that are clear and conspicuous. CC ID 13466 Establish/Maintain Documentation Preventive
    Include the organization's privacy framework in the short-form initial notification, as necessary. CC ID 13472 Establish/Maintain Documentation Preventive
    Include the methodology for accessing the privacy notice in the short-form initial notification. CC ID 13471 Establish/Maintain Documentation Preventive
    Include that the privacy notice is available upon request in the short-form initial notification. CC ID 13470 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain opt-out notices. CC ID 13448 Establish/Maintain Documentation Preventive
    Include how opt out directions for joint consumers are treated in the opt-out notice. CC ID 13465 Establish/Maintain Documentation Preventive
    Include the opt out method for data subjects in the opt-out notice. CC ID 13467 Establish/Maintain Documentation Preventive
    Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463 Establish/Maintain Documentation Preventive
    Explain the right to opt out in the opt-out notice. CC ID 13462 Establish/Maintain Documentation Preventive
    Include the organization's right to share personal data in the opt-out notice. CC ID 13450 Establish/Maintain Documentation Preventive
    Deliver opt-out notices, as necessary. CC ID 13449 Communicate Preventive
    Include an initial privacy notification when delivering the opt-out notice. CC ID 13453 Communicate Preventive
    Provide a copy of the organization's privacy program to statutory authorities, as necessary. CC ID 12376 Communicate Preventive
    Affirm adequate protection of personal data to applicable statutory authorities if the organization is not a member of a privacy program. CC ID 12372 Communicate Preventive
    Notify statutory authorities of the organization's withdrawal from the privacy program. CC ID 12391 Communicate Preventive
    Notify statutory authorities about how restricted data will be handled following withdrawal from the privacy program. CC ID 16819 Data and Information Management Preventive
    Notify statutory authorities concerned with the privacy program if the surviving organization will continue in the privacy program. CC ID 12393 Communicate Preventive
    Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354 Communicate Preventive
    Provide the data subject with a notice of participation procedures. CC ID 06241 Establish/Maintain Documentation Preventive
    Deliver notices to the intended parties. CC ID 06240 Data and Information Management Preventive
    Notify data subjects about their privacy rights. CC ID 12989 Communicate Preventive
    Disseminate and communicate the critical third party list with relevance to the privacy program to all interested personnel and affected parties. CC ID 12352 Communicate Preventive
    Require a data protection impact assessment when profiling the data subject. CC ID 12680 Process or Activity Detective
    Establish, implement, and maintain adequate openness procedures. CC ID 00377 Data and Information Management Preventive
    Provide public proof the organization participates in a privacy program. CC ID 12349 Communicate Preventive
    Publish a description of processing activities in an official register. CC ID 00379 Establish/Maintain Documentation Preventive
    Establish and maintain a records request manual. CC ID 00381 Establish/Maintain Documentation Preventive
    Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382 Establish/Maintain Documentation Preventive
    Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383 Behavior Preventive
    Define what is included in registration notices. CC ID 00386 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the registration notice. CC ID 16803 Establish Roles Preventive
    Include the verification method in the registration notice. CC ID 16798 Establish/Maintain Documentation Preventive
    Include the statutory authority in the registration notice. CC ID 16799 Establish/Maintain Documentation Preventive
    Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387 Establish/Maintain Documentation Preventive
    Include a purpose specification description in the registration notice. CC ID 00388 Establish/Maintain Documentation Preventive
    Include information about the dispute resolution body in the registration notice. CC ID 16800 Establish/Maintain Documentation Preventive
    Include the data subject category being processed in the registration notice. CC ID 00389 Establish/Maintain Documentation Preventive
    Include the time period for data processing in the registration notice. CC ID 00390 Establish/Maintain Documentation Preventive
    Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392 Establish/Maintain Documentation Preventive
    Provide legal authorities access to personal data, upon request. CC ID 06818 Data and Information Management Preventive
    Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609 Process or Activity Preventive
    Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618 Establish/Maintain Documentation Preventive
    Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394 Establish/Maintain Documentation Preventive
    Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398 Establish/Maintain Documentation Preventive
    Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588 Process or Activity Preventive
    Document the countries where restricted data may be stored. CC ID 12750 Data and Information Management Preventive
    Protect the rights of students and their parents or legal representatives. CC ID 00222 Data and Information Management Preventive
    Refrain from allowing access rights to education records maintained by another educational institution. CC ID 13014 Technical Security Preventive
    Refrain from allowing students the right to inspect the financial records of their parent or legal representative. CC ID 13025 Records Management Preventive
    Refrain from allowing students the right to inspect confidential letters and confidential letters of recommendation. CC ID 13019 Records Management Preventive
    Amend education records within a reasonable period after receiving a record amendment request. CC ID 12998 Records Management Corrective
    Decide whether to amend education records based on evidence presented during a hearing. CC ID 13020 Records Management Corrective
    Disseminate and communicate the notification of rights to students and their parent or legal representative. CC ID 12996 Establish/Maintain Documentation Preventive
    Include the criteria for determining what constitutes a legitimate educational interest in the notification of rights. CC ID 13004 Establish/Maintain Documentation Preventive
    Include the criteria for determining what constitutes a school official in the notification of rights. CC ID 13003 Establish/Maintain Documentation Preventive
    Disclose educational data, as necessary. CC ID 00223 Data and Information Management Preventive
    Grant access to education records in support of educational program audits. CC ID 13032 Records Management Preventive
    Grant access to education records in support of external requirements. CC ID 13033 Records Management Preventive
    Disclose statements added to education records, as necessary. CC ID 12990 Communicate Preventive
    Obtain explicit consent from students or their parent or legal representative prior to using or disclosing educational data. CC ID 00220 Data and Information Management Preventive
    Disclose education records when written consent is received. CC ID 00224 Data and Information Management Preventive
    Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002 Establish/Maintain Documentation Preventive
    Specify the purpose of the disclosure in the written consent. CC ID 13001 Establish/Maintain Documentation Preventive
    Specify which education records may be disclosed in the written consent. CC ID 13000 Establish/Maintain Documentation Preventive
    Document the conditions when consent is not required to disclose educational data. CC ID 00225 Establish/Maintain Documentation Preventive
    Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005 Communicate Preventive
    Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023 Communicate Preventive
    Disclose educational data absent consent when it concerns sex offenders. CC ID 13013 Communicate Preventive
    Disclose educational data absent consent to other school officials. CC ID 00226 Data and Information Management Preventive
    Disclose educational data absent consent to another institution's school officials. CC ID 00227 Data and Information Management Preventive
    Disclose educational data absent consent in connection with financial aid. CC ID 00229 Data and Information Management Preventive
    Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230 Data and Information Management Preventive
    Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995 Communicate Preventive
    Disclose educational data absent consent to accrediting organizations. CC ID 00231 Data and Information Management Preventive
    Disclose educational data absent consent to a dependent student's parent or legal representative. CC ID 00232 Data and Information Management Preventive
    Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233 Data and Information Management Preventive
    Disclose educational data absent consent for a health and safety emergency. CC ID 00234 Data and Information Management Preventive
    Disclose educational data absent consent when it is merely directory information. CC ID 00235 Data and Information Management Preventive
    Disclose educational data absent consent to a crime victim. CC ID 00236 Data and Information Management Preventive
    Record the health and safety threats of students when disclosing personal data. CC ID 12997 Establish/Maintain Documentation Preventive
    Refrain from providing information to the data subject, as necessary. CC ID 12625 Communicate Preventive
    Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651 Communicate Preventive
    Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645 Communicate Preventive
    Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634 Communicate Preventive
    Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633 Communicate Preventive
    Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632 Communicate Preventive
    Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631 Communicate Preventive
    Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 Communicate Preventive
    Refrain from providing information to the data subject when the data subject has the information. CC ID 12628 Communicate Preventive
    Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 Establish/Maintain Documentation Preventive
    Provide the data subject with the data retention period for personal data. CC ID 12587 Process or Activity Preventive
    Provide the data subject with the criteria used to determine the data retention period for personal data. CC ID 12589 Process or Activity Preventive
    Provide the data subject with the adequacy decision. CC ID 12586 Process or Activity Preventive
    Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. CC ID 12585 Process or Activity Preventive
    Provide the data subject with copies of the appropriate safeguards used to protect the privacy of personal data. CC ID 12608 Process or Activity Preventive
    Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 Data and Information Management Preventive
    Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 Business Processes Preventive
    Provide the data subject with the data protection officer's contact information. CC ID 12573 Business Processes Preventive
    Notify the data subject of the right to data portability. CC ID 12603 Process or Activity Preventive
    Provide the data subject with information about the right to erasure. CC ID 12602 Process or Activity Preventive
    Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 Establish/Maintain Documentation Preventive
    Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 Data and Information Management Preventive
    Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027 Establish/Maintain Documentation Preventive
    Establish and maintain a disclosure accounting record. CC ID 13022 Establish/Maintain Documentation Preventive
    Include the official authorities that are allowed to disclose restricted data absent consent in the disclosure accounting record. CC ID 13029 Establish/Maintain Documentation Preventive
    Include the legitimate interests for accessing restricted data in the disclosure accounting record. CC ID 13028 Establish/Maintain Documentation Preventive
    Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 Establish/Maintain Documentation Preventive
    Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769 Establish/Maintain Documentation Preventive
    Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 Establish/Maintain Documentation Preventive
    Include the disclosure date in the disclosure accounting record. CC ID 07133 Establish/Maintain Documentation Preventive
    Include the disclosure recipient in the disclosure accounting record. CC ID 07134 Establish/Maintain Documentation Preventive
    Include the disclosure purpose in the disclosure accounting record. CC ID 07135 Establish/Maintain Documentation Preventive
    Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136 Establish/Maintain Documentation Preventive
    Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137 Establish/Maintain Documentation Preventive
    Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138 Establish/Maintain Documentation Preventive
    Include the research activity or research protocol in the disclosure accounting record. CC ID 07139 Establish/Maintain Documentation Preventive
    Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140 Establish/Maintain Documentation Preventive
    Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141 Establish/Maintain Documentation Preventive
    Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433 Communicate Preventive
    Provide shareholders with electronic messages regarding the shareholder meetings. CC ID 04586 Establish/Maintain Documentation Preventive
    Provide shareholders access to electronic messages via electronic means. CC ID 11855 Process or Activity Preventive
    Make telephone directory information available to the public. CC ID 08698 Establish/Maintain Documentation Preventive
    Display warning screens and confirmation screens for all payment transactions. CC ID 06409 Technical Security Preventive
    Define the acceptable data modifications before presenting the data to a data subject. CC ID 00400 Establish/Maintain Documentation Preventive
    Provide the data subject with information about the legitimate interests associated with personal data processing. CC ID 12614 Process or Activity Preventive
    Establish, implement, and maintain a privacy policy. CC ID 06281 Establish/Maintain Documentation Preventive
    Include the data subject's rights in the privacy policy. CC ID 16355 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a privacy policy model document. CC ID 14720 Establish/Maintain Documentation Preventive
    Document privacy policies in clearly written and easily understood language. CC ID 00376 Establish/Maintain Documentation Detective
    Notify interested personnel and affected parties when changes are made to the privacy policy. CC ID 06943 Behavior Preventive
    Document the notification of interested personnel and affected parties regarding privacy policy changes. CC ID 06944 Establish/Maintain Documentation Preventive
    Write privacy notices in the official languages required by law. CC ID 16529 Establish/Maintain Documentation Preventive
    Define what is included in the privacy policy. CC ID 00404 Establish/Maintain Documentation Preventive
    Define the information being collected in the privacy policy. CC ID 13115 Establish/Maintain Documentation Preventive
    Define which collection of information is voluntary and which is required in the privacy policy. CC ID 13110 Establish/Maintain Documentation Preventive
    Include the means by which information is collected in the privacy policy. CC ID 13114 Establish/Maintain Documentation Preventive
    Remove certification marks of privacy programs the organization is no longer a member of from the privacy policy. CC ID 12368 Establish/Maintain Documentation Corrective
    Include roles and responsibilities in the privacy policy. CC ID 14669 Establish/Maintain Documentation Preventive
    Include management commitment in the privacy policy. CC ID 14668 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the privacy policy. CC ID 14667 Establish/Maintain Documentation Preventive
    Include the policy for disclosing personal data of persons who have ceased to be customers in the privacy policy. CC ID 14854 Establish/Maintain Documentation Preventive
    Include compliance requirements in the privacy policy. CC ID 14666 Establish/Maintain Documentation Preventive
    Include the consequences of refusing to provide required information in the privacy policy. CC ID 13111 Establish/Maintain Documentation Preventive
    Remove any privacy programs the organization is not a member of from the privacy policy. CC ID 12367 Establish/Maintain Documentation Corrective
    Include independent recourse mechanisms in the privacy policy, as necessary. CC ID 12366 Establish/Maintain Documentation Preventive
    Include the privacy programs the organization is a member of in the privacy policy. CC ID 12365 Establish/Maintain Documentation Preventive
    Include a complaint form in the privacy policy. CC ID 12364 Establish/Maintain Documentation Preventive
    Include the address where the files and hardware that support the data processing is located in the privacy policy. CC ID 00405 Establish/Maintain Documentation Preventive
    Include the processing purpose in the privacy policy. CC ID 00406 Establish/Maintain Documentation Preventive
    Include an overview of applicable information security controls in the privacy policy, as necessary. CC ID 13117 Establish/Maintain Documentation Preventive
    Include the data subject categories being processed in the privacy policy. CC ID 00407 Establish/Maintain Documentation Preventive
    Define the retention period for collected information in the privacy policy. CC ID 13116 Establish/Maintain Documentation Preventive
    Include the time period for when the data processing will be carried out in the privacy policy. CC ID 00408 Establish/Maintain Documentation Preventive
    Include other organizations that personal data is being disclosed to in the privacy policy. CC ID 00409 Establish/Maintain Documentation Preventive
    Include how to gain access to personal data held by the organization in the privacy policy. CC ID 00410 Establish/Maintain Documentation Preventive
    Include instructions on how to opt-out in the privacy policy. CC ID 00411 Establish/Maintain Documentation Preventive
    Include the privacy policy's Uniform Resource Locator in the privacy policy. CC ID 12363 Establish/Maintain Documentation Preventive
    Include instructions on how to disable devices that collect restricted data in the privacy policy. CC ID 15454 Establish/Maintain Documentation Preventive
    Include a description of devices that collect restricted data in the privacy policy. CC ID 15452 Establish/Maintain Documentation Preventive
    Define the audit method used to assess the privacy program in the privacy policy. CC ID 12390 Establish/Maintain Documentation Preventive
    Post the privacy policy in an easily seen location. CC ID 00401 Establish/Maintain Documentation Preventive
    Define who will receive the privacy policy. CC ID 00402 Establish/Maintain Documentation Preventive
    Disseminate and communicate the privacy policy to interested personnel and affected parties. CC ID 13346 Communicate Preventive
    Establish, implement, and maintain privacy procedures. CC ID 14665 Establish/Maintain Documentation Preventive
    Disseminate and communicate the privacy procedures to all interested personnel and affected parties. CC ID 14664 Communicate Preventive
    Establish, implement, and maintain a privacy plan. CC ID 14672 Establish/Maintain Documentation Preventive
    Align the enterprise architecture with the privacy plan. CC ID 14705 Process or Activity Preventive
    Approve the privacy plan. CC ID 14700 Business Processes Preventive
    Include privacy requirements in the privacy plan. CC ID 14699 Establish/Maintain Documentation Preventive
    Include the information types in the privacy plan. CC ID 14695 Establish/Maintain Documentation Preventive
    Include threats in the privacy plan. CC ID 14694 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the privacy plan. CC ID 14702 Establish/Maintain Documentation Preventive
    Include a description of the operational context in the privacy plan. CC ID 14692 Establish/Maintain Documentation Preventive
    Include risk assessment results in the privacy plan. CC ID 14701 Establish/Maintain Documentation Preventive
    Include the security categorizations and rationale in the privacy plan. CC ID 14690 Establish/Maintain Documentation Preventive
    Include security controls in the privacy plan. CC ID 14681 Establish/Maintain Documentation Preventive
    Disseminate and communicate the privacy plan to interested personnel and affected parties. CC ID 14680 Communicate Preventive
    Include a description of the operational environment in the privacy plan. CC ID 14679 Establish/Maintain Documentation Preventive
    Include network diagrams in the privacy plan. CC ID 14678 Establish/Maintain Documentation Preventive
    Include the results of the privacy risk assessment in the privacy plan. CC ID 14677 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a privacy report. CC ID 14754 Establish/Maintain Documentation Preventive
    Disseminate and communicate the privacy report to interested personnel and affected parties. CC ID 14761 Communicate Preventive
    Protect private communications in keeping with compliance requirements. CC ID 14334 Business Processes Preventive
    Disseminate private communications when required by law. CC ID 14335 Communicate Corrective
    Establish, implement, and maintain personal data choice and consent program. CC ID 12569 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data request procedures. CC ID 16546 Establish/Maintain Documentation Preventive
    Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435 Human Resources Management Preventive
    Refrain from charging a fee to implement an opt-out request. CC ID 13877 Business Processes Preventive
    Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433 Establish/Maintain Documentation Preventive
    Include procedures for revoking authorization of consent to use personal data in the disclosure authorization form. CC ID 13438 Establish/Maintain Documentation Preventive
    Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999 Establish/Maintain Documentation Preventive
    Include the recipients of the disclosed personal data in the disclosure authorization form. CC ID 13440 Establish/Maintain Documentation Preventive
    Include the signature of the data subject and the signing date in the disclosure authorization form. CC ID 13439 Establish/Maintain Documentation Preventive
    Include the identity of the data subject in the disclosure authorization form. CC ID 13436 Establish/Maintain Documentation Preventive
    Include the types of personal data to be disclosed in the disclosure authorization form. CC ID 13442 Establish/Maintain Documentation Preventive
    Include how personal data will be used in the disclosure authorization form. CC ID 13441 Establish/Maintain Documentation Preventive
    Include agreement termination information in the disclosure authorization form. CC ID 13437 Establish/Maintain Documentation Preventive
    Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781 Business Processes Preventive
    Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 Business Processes Preventive
    Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 Data and Information Management Preventive
    Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 Business Processes Preventive
    Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 Business Processes Preventive
    Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 Data and Information Management Preventive
    Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 Business Processes Preventive
    Confirm the individual's identity before granting an opt-out request. CC ID 16813 Process or Activity Preventive
    Highlight the section regarding data subject's consent from other sections in contracts and agreements. CC ID 13988 Establish/Maintain Documentation Preventive
    Allow consent requests to be provided in any official languages. CC ID 16530 Business Processes Preventive
    Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537 Communicate Preventive
    Collect and retain disclosure authorizations for each data subject. CC ID 13434 Records Management Preventive
    Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605 Data and Information Management Preventive
    Refrain from obtaining consent through deception. CC ID 13556 Data and Information Management Preventive
    Give individuals the ability to change the uses of their personal data. CC ID 00469 Data and Information Management Preventive
    Notify data subjects of the implications of withdrawing consent. CC ID 13551 Data and Information Management Preventive
    Establish, implement, and maintain a personal data accountability program. CC ID 13432 Establish/Maintain Documentation Preventive
    Assign ownership of the privacy program to the appropriate organizational role. CC ID 11848 Human Resources Management Preventive
    Require data controllers to be accountable for their actions. CC ID 00470 Establish Roles Preventive
    Bind data controllers to secrecy concerning the performance of their duties. CC ID 12610 Human Resources Management Preventive
    Notify the supervisory authority. CC ID 00472 Behavior Preventive
    Establish, implement, and maintain approval applications. CC ID 16778 Establish/Maintain Documentation Preventive
    Define the requirements for approving or denying approval applications. CC ID 16780 Business Processes Preventive
    Submit approval applications to the supervisory authority. CC ID 16627 Communicate Preventive
    Include required information in the approval application. CC ID 16628 Establish/Maintain Documentation Preventive
    Extend the time limit for approving or denying approval applications. CC ID 16779 Business Processes Preventive
    Approve the approval application unless applicant has been convicted. CC ID 16603 Process or Activity Preventive
    Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 Process or Activity Preventive
    Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 Communicate Preventive
    Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 Communicate Corrective
    Cooperate with Data Protection Authorities. CC ID 06870 Data and Information Management Preventive
    Submit a safe harbor self-certification letter. CC ID 06871 Establish/Maintain Documentation Preventive
    Refrain from engaging other data processors absent written authorization from the data controller. CC ID 12647 Human Resources Management Preventive
    Establish, implement, and maintain Binding Corporate Rules for the international transfers of restricted data. CC ID 12584 Establish/Maintain Documentation Preventive
    Include cooperation mechanisms with the supervisory authority in the Binding Corporate Rules. CC ID 12682 Establish/Maintain Documentation Preventive
    Include the tasks assigned to the role of data controller in the Binding Corporate Rules. CC ID 12612 Establish/Maintain Documentation Preventive
    Include data subject's rights in the Binding Corporate Rules. CC ID 12596 Establish/Maintain Documentation Preventive
    Include the means to exercise the data subject's rights in the Binding Corporate Rules. CC ID 12597 Establish/Maintain Documentation Preventive
    Include the organizational structure and contact information in the Binding Corporate Rules. CC ID 12595 Establish/Maintain Documentation Preventive
    Include the acceptance of liability for breaches of the binding corporate rules in the Binding Corporate Rules. CC ID 12594 Establish/Maintain Documentation Preventive
    Include the mechanisms for reporting legal requirements causing adverse effects on protecting restricted data in the Binding Corporate Rules. CC ID 12620 Establish/Maintain Documentation Preventive
    Include provisions for providing information on the binding corporate rules to the data subject in the Binding Corporate Rules. CC ID 12593 Establish/Maintain Documentation Preventive
    Include reporting changes to the binding corporate rules in the Binding Corporate Rules. CC ID 12591 Establish/Maintain Documentation Preventive
    Include reporting changes of the binding corporate rules to the supervisory authority in the Binding Corporate Rules. CC ID 12592 Establish/Maintain Documentation Preventive
    Include complaint procedures in the Binding Corporate Rules. CC ID 12613 Establish/Maintain Documentation Preventive
    Include the data transfers in the Binding Corporate Rules. CC ID 12590 Establish/Maintain Documentation Preventive
    Include specifying the mechanisms for verifying compliance of the binding corporate rules in the Binding Corporate Rules. CC ID 12662 Establish/Maintain Documentation Preventive
    Include the identification of the countries in question for the data transfers in the Binding Corporate Rules. CC ID 12601 Establish/Maintain Documentation Preventive
    Include the type of data subjects affected by the data transfers in the Binding Corporate Rules. CC ID 12600 Establish/Maintain Documentation Preventive
    Include all pertinent data processing information for data transfers in the Binding Corporate Rules. CC ID 12599 Establish/Maintain Documentation Preventive
    Include the categories of personal data for data transfers in the Binding Corporate Rules. CC ID 12598 Establish/Maintain Documentation Preventive
    Include specifying the legally binding nature of the binding corporate rules in the Binding Corporate Rules. CC ID 12627 Establish/Maintain Documentation Preventive
    Include privacy awareness and training in the Binding Corporate Rules. CC ID 12626 Establish/Maintain Documentation Preventive
    Notify the data controller of any changes in data processors. CC ID 12648 Communicate Preventive
    Establish, implement, and maintain Data Processing Contracts. CC ID 12650 Establish/Maintain Documentation Preventive
    Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 Establish/Maintain Documentation Preventive
    Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 Establish/Maintain Documentation Preventive
    Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 Establish/Maintain Documentation Preventive
    Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 Establish/Maintain Documentation Preventive
    Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937 Establish/Maintain Documentation Preventive
    Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 Establish/Maintain Documentation Preventive
    Include the duration of processing in the Data Processing Contract. CC ID 14935 Establish/Maintain Documentation Preventive
    Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 Establish/Maintain Documentation Preventive
    Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 Establish/Maintain Documentation Preventive
    Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 Establish/Maintain Documentation Preventive
    Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 Establish/Maintain Documentation Preventive
    Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 Human Resources Management Preventive
    Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670 Establish/Maintain Documentation Preventive
    Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personal data use limitation program. CC ID 13428 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 Establish/Maintain Documentation Preventive
    Display or print the least amount of personal data necessary. CC ID 04643 Data and Information Management Preventive
    Redact confidential information from public information, as necessary. CC ID 06872 Data and Information Management Preventive
    Notify the data subject of the collection purpose. CC ID 00095 Behavior Preventive
    Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 Data and Information Management Preventive
    Document the law that requires restricted data to be collected. CC ID 00103 Establish/Maintain Documentation Preventive
    Notify the data subject of the consequences for not providing personal data. CC ID 00104 Behavior Preventive
    Notify the data subject of changes to personal data use. CC ID 00105 Behavior Preventive
    Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 Establish/Maintain Documentation Preventive
    Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 Establish/Maintain Documentation Preventive
    Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 Establish/Maintain Documentation Preventive
    Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 Establish/Maintain Documentation Preventive
    Obtain the data subject's consent when the personal data use changes. CC ID 11832 Behavior Preventive
    Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124 Establish/Maintain Documentation Preventive
    Dispose of media and restricted data in a timely manner. CC ID 00125 Data and Information Management Preventive
    Refrain from destroying records being inspected or reviewed. CC ID 13015 Records Management Preventive
    Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 Communicate Preventive
    Establish, implement, and maintain data access procedures. CC ID 00414 Establish/Maintain Documentation Preventive
    Allow data subjects to submit data requests. CC ID 16545 Process or Activity Preventive
    Provide individuals with information about where their personal data was processed. CC ID 00415 Data and Information Management Preventive
    Provide individuals with information about the processing purpose of their personal data. CC ID 00416 Data and Information Management Preventive
    Provide individuals with information about disclosure of their personal data. CC ID 00417 Data and Information Management Preventive
    Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 Data and Information Management Preventive
    Provide assistance to requesters in preparing data access requests. CC ID 13588 Data and Information Management Preventive
    Require data access requests to be in writing, unless the requester is unable. CC ID 00420 Establish/Maintain Documentation Preventive
    Define what is to be included in a data access request. CC ID 08699 Establish/Maintain Documentation Preventive
    Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 Business Processes Preventive
    Respond to data access requests in a timely manner. CC ID 00421 Behavior Preventive
    Delay responding to data access requests, as necessary. CC ID 15504 Data and Information Management Preventive
    Expedite the processing of data access requests, as necessary. CC ID 15496 Data and Information Management Preventive
    Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 Behavior Detective
    Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 Behavior Detective
    Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 Business Processes Preventive
    Define what is included in a request for a waiver or reduction of fees. CC ID 15522 Process or Activity Preventive
    Deliver the records described in the personal data access request, as necessary. CC ID 08701 Establish/Maintain Documentation Preventive
    Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 Data and Information Management Preventive
    Document the outcome of the personal data access request review procedure. CC ID 00455 Data and Information Management Preventive
    Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 Establish/Maintain Documentation Preventive
    Submit personal data removal requests in writing. CC ID 11973 Records Management Preventive
    Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 Establish/Maintain Documentation Preventive
    Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 Records Management Corrective
    Notify third parties of data access requests that relates to the third party. CC ID 08703 Establish/Maintain Documentation Preventive
    Allow affected third parties to consent or object to a data access request. CC ID 08704 Process or Activity Preventive
    Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 Establish/Maintain Documentation Preventive
    Identify any adverse effects the processing of personal data will have on the data subject. CC ID 15299 Data and Information Management Preventive
    Disclose de-identified data, as necessary. CC ID 13034 Communicate Preventive
    Notify the data subject after personal data is used or disclosed. CC ID 06247 Behavior Preventive
    Refrain from processing restricted data, as necessary. CC ID 12551 Records Management Preventive
    Refrain from processing restricted data if the restricted data is involved in a legal claim. CC ID 12668 Process or Activity Preventive
    Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 Process or Activity Preventive
    Refrain from erasing personal data when the data subject consents to retention. CC ID 14326 Business Processes Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778 Process or Activity Detective
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644 Process or Activity Preventive
    Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 Data and Information Management Preventive
    Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 Data and Information Management Preventive
    Refrain from processing personal data when it reveals trade union membership. CC ID 12583 Business Processes Preventive
    Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 Business Processes Preventive
    Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 Business Processes Preventive
    Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 Business Processes Preventive
    Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 Business Processes Preventive
    Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 Business Processes Preventive
    Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 Business Processes Preventive
    Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 Business Processes Preventive
    Refrain from processing personal data when it reveals political opinions. CC ID 12575 Business Processes Preventive
    Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 Business Processes Preventive
    Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 Process or Activity Preventive
    Establish and maintain a record of processing activities when processing restricted data. CC ID 12636 Establish/Maintain Documentation Preventive
    Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378 Establish/Maintain Documentation Preventive
    Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377 Establish/Maintain Documentation Preventive
    Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376 Establish/Maintain Documentation Preventive
    Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375 Establish/Maintain Documentation Preventive
    Include the data protection officer's contact information in the record of processing activities. CC ID 12640 Records Management Preventive
    Include the data processor's contact information in the record of processing activities. CC ID 12657 Records Management Preventive
    Include the data processor's representative's contact information in the record of processing activities. CC ID 12658 Records Management Preventive
    Include a general description of the implemented security measures in the record of processing activities. CC ID 12641 Records Management Preventive
    Include a description of the data subject categories in the record of processing activities. CC ID 12659 Records Management Preventive
    Include the purpose of processing restricted data in the record of processing activities. CC ID 12663 Records Management Preventive
    Include the personal data processing categories in the record of processing activities. CC ID 12661 Records Management Preventive
    Include the time limits for erasing each data category in the record of processing activities. CC ID 12690 Records Management Preventive
    Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664 Records Management Preventive
    Include a description of the personal data categories in the record of processing activities. CC ID 12660 Records Management Preventive
    Include the joint data controller's contact information in the record of processing activities. CC ID 12639 Records Management Preventive
    Include the data controller's representative's contact information in the record of processing activities. CC ID 12638 Records Management Preventive
    Include documentation of the transferee's safeguards for transferring restricted data in the record of processing activities. CC ID 12643 Records Management Preventive
    Include the identification of transferees for transferring restricted data in the record of processing activities. CC ID 12642 Records Management Preventive
    Include the data controller's contact information in the record of processing activities. CC ID 12637 Records Management Preventive
    Process restricted data lawfully and carefully. CC ID 00086 Establish Roles Preventive
    Analyze requirements for processing personal data in contracts. CC ID 12550 Investigate Detective
    Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 Technical Security Preventive
    Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 Data and Information Management Preventive
    Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 Communicate Corrective
    Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 Records Management Preventive
    Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 Establish/Maintain Documentation Preventive
    Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 Data and Information Management Preventive
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 Records Management Preventive
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 Process or Activity Preventive
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 Records Management Preventive
    Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 Data and Information Management Preventive
    Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 Establish/Maintain Documentation Preventive
    Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 Establish/Maintain Documentation Preventive
    Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 Data and Information Management Preventive
    Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 Establish/Maintain Documentation Preventive
    Define and implement valid authorization control requirements. CC ID 06258 Establish/Maintain Documentation Preventive
    Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 Data and Information Management Preventive
    Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 Data and Information Management Preventive
    Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 Data and Information Management Preventive
    Process personal data after the data subject has granted explicit consent. CC ID 00180 Data and Information Management Preventive
    Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 Data and Information Management Preventive
    Process personal data relating to criminal offenses when required by law. CC ID 00237 Data and Information Management Preventive
    Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 Data and Information Management Preventive
    Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 Data and Information Management Preventive
    Process personal data for statistical purposes or scientific purposes. CC ID 00256 Data and Information Management Preventive
    Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 Data and Information Management Preventive
    Process traffic data in a controlled manner. CC ID 00130 Data and Information Management Preventive
    Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 Data and Information Management Preventive
    Process personal data when it is publicly accessible. CC ID 00187 Data and Information Management Preventive
    Process personal data for direct marketing and other personalized mail programs. CC ID 00188 Data and Information Management Preventive
    Refrain from processing personal data for marketing or advertising to children. CC ID 14010 Business Processes Preventive
    Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 Communicate Corrective
    Process personal data for the purposes of employment. CC ID 16527 Data and Information Management Preventive
    Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 Data and Information Management Preventive
    Process personal data for debt collection or benefit payments. CC ID 00190 Data and Information Management Preventive
    Process personal data in order to advance the public interest. CC ID 00191 Data and Information Management Preventive
    Process personal data for surveys, archives, or scientific research. CC ID 00192 Data and Information Management Preventive
    Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 Data and Information Management Preventive
    Process personal data for academic purposes or religious purposes. CC ID 00194 Data and Information Management Preventive
    Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 Data and Information Management Preventive
    Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 Data and Information Management Preventive
    Follow legal obligations while processing personal data. CC ID 04794 Data and Information Management Preventive
    Start personal data processing only after the needed notifications are submitted. CC ID 04791 Data and Information Management Preventive
    Process personal data absent consent for specific and well-documented circumstances. CC ID 13537 Data and Information Management Preventive
    Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012 Process or Activity Preventive
    Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617 Data and Information Management Preventive
    Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615 Data and Information Management Preventive
    Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612 Data and Information Management Preventive
    Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611 Data and Information Management Preventive
    Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580 Data and Information Management Preventive
    Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282 Data and Information Management Preventive
    Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587 Data and Information Management Preventive
    Process personal data absent consent in order to perform a contract. CC ID 13586 Data and Information Management Preventive
    Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581 Data and Information Management Preventive
    Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814 Data and Information Management Preventive
    Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294 Data and Information Management Preventive
    Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579 Data and Information Management Preventive
    Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 Data and Information Management Preventive
    Process personal data absent consent when it is needed by law. CC ID 13577 Data and Information Management Preventive
    Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296 Data and Information Management Preventive
    Process personal data absent consent when it is from publicly available information. CC ID 13576 Data and Information Management Preventive
    Process personal data absent consent to create a credit report. CC ID 15288 Data and Information Management Preventive
    Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575 Data and Information Management Preventive
    Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291 Data and Information Management Preventive
    Process personal data absent consent when produced for business purposes. CC ID 13563 Data and Information Management Preventive
    Process personal data absent consent for handling insurance claims. CC ID 13561 Data and Information Management Preventive
    Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533 Data and Information Management Preventive
    Process personal data absent consent if the information is contained in a witness statement. CC ID 13560 Data and Information Management Preventive
    Process personal data absent consent for life-threatening emergencies. CC ID 13558 Data and Information Management Preventive
    Process personal data absent consent for reasonable investigative purposes. CC ID 13557 Data and Information Management Preventive
    Notify the individual before restricted data is collected, used, or disclosed. CC ID 00132 Behavior Preventive
    Define security breach notification requirement exceptions. CC ID 04797 Establish/Maintain Documentation Preventive
    Refrain from disclosing a security breach if an investigation concludes none has occurred. CC ID 13086 Communicate Corrective
    Refrain from disclosing personal data absent consent of the individual or for defined exceptions. CC ID 11967 Records Management Preventive
    Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989 Communicate Corrective
    Disclose restricted data when the data subject has given unambiguous and implicit consent. CC ID 00157 Data and Information Management Preventive
    Define what restricted data is not required to be disclosed absent consent. CC ID 00134 Establish/Maintain Documentation Preventive
    Define the exceptions to disclosure absent consent. CC ID 00135 Establish/Maintain Documentation Preventive
    Disclose personal data when the data subject has consented and has the ability to opt out. CC ID 00158 Data and Information Management Detective
    Define opt-out exceptions for disclosing restricted data. CC ID 00159 Establish/Maintain Documentation Preventive
    Define how a data subject may give consent. CC ID 00160 Establish/Maintain Documentation Preventive
    Disclose Personal Identification Numbers absent consent in order to update address information. CC ID 04793 Data and Information Management Preventive
    Disclose personal data absent consent for specific and well-documented circumstances. CC ID 15267 Communicate Preventive
    Disclose restricted data absent consent when the law does not require consent. CC ID 00136 Data and Information Management Preventive
    Disclose data absent consent if its disclosure is consistent with the intended purpose. CC ID 15270 Data and Information Management Preventive
    Disclose restricted data when a relevant connection exists between the data subject and the data controller's operations. CC ID 00137 Data and Information Management Preventive
    Disclose personal data absent consent if the disclosure with the consent or knowledge of the data subject would compromise the ability to prevent, detect, or suppress fraud. CC ID 13594 Data and Information Management Preventive
    Disclose personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15284 Data and Information Management Preventive
    Disclose personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13616 Data and Information Management Preventive
    Disclose personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13613 Data and Information Management Preventive
    Disclose personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13603 Data and Information Management Preventive
    Disclose personal data absent consent if disclosure is made a predetermined number of years after the death of the data subject. CC ID 13598 Data and Information Management Preventive
    Disclose personal data absent consent when disclosure is made a predetermined number of years after the information was created. CC ID 13597 Data and Information Management Preventive
    Disclose personal data absent consent if the data subject is notified of the disclosure. CC ID 13596 Data and Information Management Preventive
    Disclose personal data absent consent to detect, suppress, or prevent fraud. CC ID 13592 Data and Information Management Preventive
    Disclose personal data absent consent to create a credit report. CC ID 15297 Data and Information Management Preventive
    Disclose personal data absent consent if it is necessary to identify an individual who is injured, ill or deceased. CC ID 13595 Data and Information Management Preventive
    Disclose restricted data absent consent if the disclosure is to a government institution. CC ID 13583 Data and Information Management Preventive
    Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593 Data and Information Management Preventive
    Disclose personal data absent consent to determine whether to proceed with business transactions. CC ID 15285 Data and Information Management Preventive
    Disclose personal data absent consent for handling insurance claims. CC ID 13585 Data and Information Management Preventive
    Disclose personal data absent consent if the information is contained in a witness statement. CC ID 13584 Data and Information Management Preventive
    Disclose personal data absent consent if the data subject is believed to be a victim of financial abuse. CC ID 13555 Data and Information Management Preventive
    Disclose personal data absent consent for transactions related to the consumer. CC ID 14853 Data and Information Management Preventive
    Disclose restricted data absent consent to a government institution that has requested the information. CC ID 13582 Data and Information Management Preventive
    Disclose personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 13554 Data and Information Management Preventive
    Disclose restricted data absent consent when it is for the data controller's legitimate interest or third party's legitimate interest and it prevails over individual rights. CC ID 00138 Data and Information Management Preventive
    Disclose personal data absent consent if the organization notifies the privacy commissioner before disclosing the information. CC ID 13553 Data and Information Management Preventive
    Disclose personal data absent consent if it is impracticable to obtain consent. CC ID 13552 Data and Information Management Preventive
    Disclose restricted data absent consent in order to perform a contract. CC ID 00139 Data and Information Management Preventive
    Disclose restricted data absent consent in order to assist Telecommunications Ombudsmen in resolving complaints. CC ID 00140 Data and Information Management Preventive
    Disclose personal data absent consent to administer a trust fund or benefit plan. CC ID 15290 Data and Information Management Preventive
    Disclose personal data absent consent for research purposes and the data subject is not identified. CC ID 15286 Data and Information Management Preventive
    Disclose personal data absent consent when the personal data is disclosed by calling an emergency service number. CC ID 00141 Data and Information Management Preventive
    Disclose restricted data absent consent when the restricted data prevents life-threatening emergencies to third parties. CC ID 00142 Data and Information Management Preventive
    Disclose restricted data absent consent when the restricted data preserves human life at sea. CC ID 00143 Data and Information Management Preventive
    Disclose restricted data absent consent in order to process the restricted data for public interests. CC ID 00144 Data and Information Management Preventive
    Disclose restricted data for public interests absent consent in order to provide social work assistance services. CC ID 00145 Data and Information Management Preventive
    Disclose restricted data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146 Data and Information Management Preventive
    Disclose restricted data for public interests absent consent in order to protect historical records or archival records. CC ID 00147 Data and Information Management Preventive
    Disclose restricted data absent consent for public economic interests. CC ID 00148 Data and Information Management Preventive
    Disclose restricted data for public interests absent consent for National Security reasons. CC ID 00149 Data and Information Management Preventive
    Disclose restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00150 Data and Information Management Preventive
    Disclose restricted data absent consent when it is publicly accessible. CC ID 00151 Data and Information Management Preventive
    Disclose restricted data absent consent when it is related to publicly available information. CC ID 00152 Data and Information Management Preventive
    Disclose publicly accessible restricted data absent consent when the data subject has already published it. CC ID 00153 Data and Information Management Preventive
    Disclose restricted data absent consent in order to protect the data subject's vital interests. CC ID 00154 Data and Information Management Preventive
    Disclose restricted data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155 Data and Information Management Preventive
    Disclose restricted data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161 Data and Information Management Preventive
    Disclose restricted data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162 Establish/Maintain Documentation Detective
    Disclose restricted data absent consent when it is needed by law. CC ID 00163 Data and Information Management Preventive
    Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796 Data and Information Management Preventive
    Disclose personal data absent consent when it is being disclosed to the data subject. CC ID 00164 Data and Information Management Preventive
    Disclose personal data absent consent for direct marketing or other personalized mail programs. CC ID 14855 Data and Information Management Preventive
    Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165 Data and Information Management Preventive
    Disclose personal data absent consent when the data subject or data owner is anonymous. CC ID 00166 Data and Information Management Preventive
    Disclose restricted data absent consent when the disclosure concerns the individual's products or services obtained from the organization. CC ID 13469 Communicate Preventive
    Establish, implement, and maintain restricted data retention procedures. CC ID 00167 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain personal data disposition procedures. CC ID 13498 Establish/Maintain Documentation Preventive
    Capture personal data removal requests. CC ID 13507 Communicate Preventive
    Remove personal data from records after receiving a personal data removal request. CC ID 11972 Records Management Preventive
    Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 Process or Activity Preventive
    Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 Process or Activity Preventive
    Dispose of personal data removal requests, as necessary. CC ID 13512 Business Processes Preventive
    Limit the redisclosure and reuse of restricted data. CC ID 00168 Data and Information Management Preventive
    Refrain from redisclosing or reusing restricted data. CC ID 00169 Data and Information Management Preventive
    Document the redisclosing restricted data exceptions. CC ID 00170 Establish/Maintain Documentation Preventive
    Redisclose restricted data when the data subject consents. CC ID 00171 Data and Information Management Preventive
    Redisclose restricted data when it is for criminal law enforcement. CC ID 00172 Data and Information Management Preventive
    Redisclose restricted data in order to protect public revenue. CC ID 00173 Data and Information Management Preventive
    Redisclose restricted data in order to assist a Telecommunications Ombudsman. CC ID 00174 Data and Information Management Preventive
    Redisclose restricted data in order to prevent a life-threatening emergency. CC ID 00175 Data and Information Management Preventive
    Redisclose restricted data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176 Data and Information Management Preventive
    Redisclose restricted data in order to preserve human life at sea. CC ID 00177 Data and Information Management Preventive
    Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 Data and Information Management Preventive
    Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 Data and Information Management Preventive
    Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 Data and Information Management Preventive
    Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 Data and Information Management Preventive
    Process Personal Identification Numbers with consent. CC ID 00239 Data and Information Management Preventive
    Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 Behavior Preventive
    Obtain consent prior to selling a Personal Identification Number. CC ID 00240 Data and Information Management Preventive
    Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 Data and Information Management Preventive
    Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 Data and Information Management Preventive
    Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 Data and Information Management Preventive
    Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 Establish/Maintain Documentation Preventive
    Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 Data and Information Management Preventive
    Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 Data and Information Management Preventive
    Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 Data and Information Management Preventive
    Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 Data and Information Management Preventive
    Allow data subjects the ability to restrict the use and disclosure of personal data. CC ID 06821 Data and Information Management Preventive
    Establish, implement, and maintain data disclosure procedures. CC ID 00133 Establish/Maintain Documentation Preventive
    Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 Data and Information Management Preventive
    Review personal data disclosure requests. CC ID 07129 Data and Information Management Preventive
    Notify the data subject of the disclosure purpose. CC ID 15268 Communicate Preventive
    Establish, implement, and maintain data request denial procedures. CC ID 00434 Establish/Maintain Documentation Preventive
    Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 Data and Information Management Preventive
    Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 Data and Information Management Preventive
    Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 Data and Information Management Preventive
    Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 Data and Information Management Preventive
    Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 Data and Information Management Preventive
    Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 Data and Information Management Preventive
    Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 Data and Information Management Preventive
    Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 Data and Information Management Preventive
    Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 Data and Information Management Preventive
    Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 Process or Activity Preventive
    Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 Data and Information Management Preventive
    Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 Data and Information Management Preventive
    Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 Data and Information Management Preventive
    Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 Data and Information Management Detective
    Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 Data and Information Management Preventive
    Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 Data and Information Management Preventive
    Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 Data and Information Management Preventive
    Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 Data and Information Management Preventive
    Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 Data and Information Management Preventive
    Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 Data and Information Management Preventive
    Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 Data and Information Management Preventive
    Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 Data and Information Management Preventive
    Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 Data and Information Management Preventive
    Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 Communicate Preventive
    Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 Data and Information Management Preventive
    Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 Process or Activity Preventive
    Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 Data and Information Management Preventive
    Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 Data and Information Management Preventive
    Notify that data subject of any exclusions to requested personal data. CC ID 15271 Communicate Preventive
    Provide data or records in a reasonable time frame. CC ID 00429 Data and Information Management Preventive
    Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 Communicate Preventive
    Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 Data and Information Management Preventive
    Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 Data and Information Management Preventive
    Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 Data and Information Management Preventive
    Provide data at a cost that is not excessive. CC ID 00430 Data and Information Management Preventive
    Provide records or data in a reasonable manner. CC ID 00431 Data and Information Management Preventive
    Provide personal data in a form that is intelligible. CC ID 00432 Data and Information Management Preventive
    Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 Data and Information Management Preventive
    Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 Data and Information Management Preventive
    Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 Data and Information Management Preventive
    Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 Establish/Maintain Documentation Preventive
    Include cookie management in the privacy framework. CC ID 13809 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain cookie management procedures. CC ID 13810 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personal data collection program. CC ID 06487 Establish/Maintain Documentation Preventive
    Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279 Data and Information Management Preventive
    Refrain from collecting personal data, as necessary. CC ID 15269 Data and Information Management Preventive
    Determine the financial impact for the unauthorized disclosure of privacy-related data and privacy-related information. CC ID 06488 Business Processes Detective
    Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personal data use policy. CC ID 00076 Establish/Maintain Documentation Preventive
    Use personal data for specified purposes. CC ID 11831 Data and Information Management Preventive
    Post the collection purpose. CC ID 00101 Establish/Maintain Documentation Preventive
    Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 Data and Information Management Preventive
    Document each individual's personal data collection consent preferences. CC ID 06945 Establish/Maintain Documentation Preventive
    Provide explicit consent that is clear and unambiguous. CC ID 00181 Data and Information Management Preventive
    Allow individuals to change their personal data collection consent preferences. CC ID 06946 Data and Information Management Preventive
    Adhere to each individual's personal data collection consent preferences. CC ID 06947 Data and Information Management Preventive
    Notify the data subject of the source of collected personal data. CC ID 00083 Behavior Preventive
    Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717 Data and Information Management Preventive
    Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718 Data and Information Management Preventive
    Establish and maintain a personal data definition. CC ID 00028 Establish/Maintain Documentation Preventive
    Include an individual's name in the personal data definition. CC ID 04710 Data and Information Management Preventive
    Include an individual's name combined with other personal data in the personal data definition. CC ID 04709 Data and Information Management Preventive
    Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686 Data and Information Management Preventive
    Include an individual's signature in the personal data definition. CC ID 04711 Data and Information Management Preventive
    Include an individual's date of birth in the personal data definition. CC ID 04770 Data and Information Management Preventive
    Include the number of children in the personal data definition. CC ID 13759 Establish/Maintain Documentation Preventive
    Include the individual's religion in the personal data definition. CC ID 13765 Establish/Maintain Documentation Preventive
    Include an individual's physical characteristics or description in the personal data definition. CC ID 04712 Data and Information Management Preventive
    Include an individual's biometric data in the personal data definition. CC ID 04698 Data and Information Management Preventive
    Include an individual's photographic image in the personal data definition. CC ID 04779 Data and Information Management Preventive
    Include an individual's fingerprints in the personal data definition. CC ID 04689 Data and Information Management Preventive
    Include an individual's address in the personal data definition. CC ID 04687 Data and Information Management Preventive
    Include an individual's telephone number in the personal data definition. CC ID 04688 Data and Information Management Preventive
    Include an individual's fax number in the personal data definition. CC ID 07120 Data and Information Management Preventive
    Include an individual's political party affiliation in the personal data definition. CC ID 13764 Establish/Maintain Documentation Preventive
    Include an individual's license plate number in the personal data definition. CC ID 13763 Establish/Maintain Documentation Preventive
    Include an individual's financial account number in the personal data definition. CC ID 04692 Data and Information Management Preventive
    Include an individual's account balances in the personal data definition. CC ID 13770 Establish/Maintain Documentation Preventive
    Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768 Data and Information Management Preventive
    Include an individual's electronic identification name or number in the personal data definition. CC ID 04694 Data and Information Management Preventive
    Include an individual's logon credentials in the personal data definition. CC ID 13771 Establish/Maintain Documentation Preventive
    Include an individual's Alien Registration Number in the personal data definition. CC ID 04743 Data and Information Management Preventive
    Include an individual's passport number in the personal data definition. CC ID 04713 Data and Information Management Preventive
    Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691 Data and Information Management Preventive
    Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690 Data and Information Management Preventive
    Include an individual's military identification number in the personal data definition. CC ID 13083 Establish/Maintain Documentation Preventive
    Include an individual's e-mail address in the personal data definition. CC ID 04696 Data and Information Management Preventive
    Include electronic signatures in the personal data definition. CC ID 04697 Data and Information Management Preventive
    Include an individual's payment card information in the personal data definition. CC ID 04751 Data and Information Management Preventive
    Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693 Data and Information Management Preventive
    Include an individual's payment card service code in the personal data definition. CC ID 04753 Data and Information Management Preventive
    Include an individual's payment card expiration date in the personal data definition. CC ID 04755 Data and Information Management Preventive
    Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825 Data and Information Management Preventive
    Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700 Data and Information Management Preventive
    Include an individual's medical history in the personal data definition. CC ID 04701 Data and Information Management Preventive
    Include an individual's medical treatment in the personal data definition. CC ID 04702 Data and Information Management Preventive
    Include an individual's medical diagnosis in the personal data definition. CC ID 04703 Data and Information Management Preventive
    Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704 Data and Information Management Preventive
    Include an individual's medical record numbers in the personal data definition. CC ID 07121 Data and Information Management Preventive
    Include an individual's health insurance information in the personal data definition. CC ID 04705 Data and Information Management Preventive
    Include an individual's health insurance policy number in the personal data definition. CC ID 04706 Data and Information Management Preventive
    Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707 Data and Information Management Preventive
    Include an individual's education information in the personal data definition. CC ID 04714 Data and Information Management Preventive
    Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122 Data and Information Management Preventive
    Include an individual's employment information in the personal data definition. CC ID 04715 Data and Information Management Preventive
    Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767 Data and Information Management Preventive
    Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763 Data and Information Management Preventive
    Include an individual's employment history in the personal data definition. CC ID 04716 Data and Information Management Preventive
    Include an individual's place of employment in the personal data definition. CC ID 04765 Data and Information Management Preventive
    Include an individual's Employee Identification Number in the personal data definition. CC ID 04766 Data and Information Management Preventive
    Include an individual's property information in the personal data definition. CC ID 04780 Data and Information Management Preventive
    Include an individual's property title in the personal data definition. CC ID 04781 Data and Information Management Preventive
    Include an individual's vehicle registration in the personal data definition. CC ID 04782 Data and Information Management Preventive
    Include hardware asset identification information in the personal data definition. CC ID 07123 Data and Information Management Preventive
    Include MAC addresses in the personal data definition. CC ID 04778 Data and Information Management Preventive
    Include Internet Protocol addresses in the personal data definition. CC ID 04777 Data and Information Management Preventive
    Include asset serial numbers in the personal data definition. CC ID 07124 Data and Information Management Preventive
    Include Uniform Resource Locators in the personal data definition. CC ID 07125 Data and Information Management Preventive
    Refrain from including publicly available information in the personal data definition. CC ID 13084 Establish/Maintain Documentation Preventive
    Define specially restricted data. CC ID 00037 Data and Information Management Preventive
    Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 Data and Information Management Preventive
    Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075 Data and Information Management Preventive
    Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080 Data and Information Management Preventive
    Implement a nondiscrimination principle. CC ID 00081 Data and Information Management Preventive
    Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799 Data and Information Management Preventive
    Preserve each individual's right to human dignity. CC ID 00082 Data and Information Management Preventive
    Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058 Data and Information Management Preventive
    Employ a random number generator to create authenticators. CC ID 13782 Technical Security Preventive
    Collect Personal Identification Numbers with the individual's consent. CC ID 00059 Data and Information Management Preventive
    Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061 Data and Information Management Preventive
    Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065 Data and Information Management Preventive
    Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792 Data and Information Management Preventive
    Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069 Behavior Preventive
    Manage health data collection. CC ID 00050 Data and Information Management Preventive
    Collect Individually Identifiable Health Information to provide health care services. CC ID 00052 Data and Information Management Preventive
    Collect Individually Identifiable Health Information when the law dictates. CC ID 00053 Data and Information Management Preventive
    Collect Individually Identifiable Health Information for research. CC ID 00054 Data and Information Management Preventive
    Remove personal data before disclosing health data. CC ID 00055 Data and Information Management Preventive
    Give special attention to collecting children's data. CC ID 00038 Data and Information Management Preventive
    Use simple understandable language to collect information from children. CC ID 00039 Behavior Preventive
    Notify parents or legal representatives of what information is collected from children. CC ID 00040 Establish/Maintain Documentation Preventive
    Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041 Data and Information Management Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 Data and Information Management Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044 Data and Information Management Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 Data and Information Management Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046 Data and Information Management Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047 Data and Information Management Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048 Data and Information Management Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 Data and Information Management Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 Data and Information Management Preventive
    Establish, implement, and maintain a personal data collection policy. CC ID 00029 Establish/Maintain Documentation Preventive
    Collect personal data directly from the data subject. CC ID 00011 Data and Information Management Preventive
    Create and manage user account aliases to maintain pseudonymity. CC ID 04549 Data and Information Management Preventive
    Provide unlinkability for users and resources. CC ID 04550 Data and Information Management Preventive
    Provide unobservability of users and resources. CC ID 04551 Technical Security Preventive
    Confirm the data quality of personal data collected from third parties. CC ID 13510 Investigate Detective
    Collect restricted data in a fair and lawful manner. CC ID 00010 Data and Information Management Preventive
    Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013 Data and Information Management Preventive
    Collect restricted data absent consent when the data collection is in the individual's interests and consent can not be obtained in a timely manner. CC ID 00014 Data and Information Management Preventive
    Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015 Data and Information Management Preventive
    Collect personal data absent consent in order to make a disclosure. CC ID 13550 Data and Information Management Preventive
    Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 Data and Information Management Preventive
    Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548 Data and Information Management Preventive
    Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 Data and Information Management Preventive
    Collect personal data absent consent for handling insurance claims. CC ID 13543 Data and Information Management Preventive
    Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016 Data and Information Management Preventive
    Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295 Data and Information Management Preventive
    Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 Data and Information Management Preventive
    Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277 Data and Information Management Preventive
    Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289 Data and Information Management Preventive
    Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292 Data and Information Management Preventive
    Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 Data and Information Management Preventive
    Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293 Data and Information Management Preventive
    Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 Data and Information Management Preventive
    Collect restricted data absent consent from publicly available information. CC ID 00019 Data and Information Management Preventive
    Collect restricted data absent consent when needed by law. CC ID 00020 Data and Information Management Preventive
    Collect personal data absent consent to create a credit report. CC ID 15287 Data and Information Management Preventive
    Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021 Data and Information Management Preventive
    Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022 Data and Information Management Preventive
    Collect the minimum amount of restricted data necessary. CC ID 00078 Data and Information Management Preventive
    Collect restricted data in a proper information framework. CC ID 00009 Data and Information Management Preventive
    Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 Data and Information Management Preventive
    Collect restricted data when required by law. CC ID 00031 Data and Information Management Preventive
    Collect restricted data to prevent life-threatening emergencies. CC ID 00032 Data and Information Management Preventive
    Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034 Data and Information Management Preventive
    Collect restricted data for legal purposes. CC ID 00036 Data and Information Management Preventive
    Review the methods for collecting personal data, as necessary. CC ID 13511 Investigate Detective
    Provide the data subject with information about the data controller during the collection process. CC ID 00023 Establish/Maintain Documentation Preventive
    Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760 Communicate Preventive
    Provide the data subject with the data collector's name and contact information. CC ID 00024 Establish/Maintain Documentation Preventive
    Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025 Establish/Maintain Documentation Preventive
    Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a data handling program. CC ID 13427 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data handling policies. CC ID 00353 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 Establish/Maintain Documentation Preventive
    Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 Data and Information Management Preventive
    Protect electronic messaging information. CC ID 12022
    [Information involved in electronic messaging should be appropriately protected. § 13.2.3 Control]
    Technical Security Preventive
    Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 Data and Information Management Preventive
    Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 Configuration Preventive
    Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 Testing Detective
    Store payment card data in secure chips, if possible. CC ID 13065 Configuration Preventive
    Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 Configuration Preventive
    Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 Technical Security Preventive
    Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 Data and Information Management Preventive
    Log the disclosure of personal data. CC ID 06628 Log Management Preventive
    Log the modification of personal data. CC ID 11844 Log Management Preventive
    Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 Technical Security Preventive
    Implement security measures to protect personal data. CC ID 13606 Technical Security Preventive
    Implement physical controls to protect personal data. CC ID 00355 Testing Preventive
    Limit data leakage. CC ID 00356 Data and Information Management Preventive
    Conduct personal data risk assessments. CC ID 00357 Testing Detective
    Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 Business Processes Preventive
    Establish, implement, and maintain suspicious document procedures. CC ID 04852 Establish/Maintain Documentation Detective
    Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 Data and Information Management Detective
    Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 Data and Information Management Detective
    Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 Monitor and Evaluate Occurrences Detective
    Perform an identity check prior to approving an account change request. CC ID 13670 Investigate Detective
    Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 Behavior Detective
    Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 Data and Information Management Detective
    Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 Log Management Detective
    Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 Monitor and Evaluate Occurrences Corrective
    Log dates for account name changes or address changes. CC ID 04876 Log Management Detective
    Review accounts that are changed for additional user requests. CC ID 11846 Monitor and Evaluate Occurrences Detective
    Send change notices for change of address requests to the old address and the new address. CC ID 04877 Data and Information Management Detective
    Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 Acquisition/Sale of Assets or Services Preventive
    Search the Internet for evidence of data leakage. CC ID 10419 Process or Activity Detective
    Alert appropriate personnel when data leakage is detected. CC ID 14715 Process or Activity Preventive
    Review monitored websites for data leakage. CC ID 10593 Monitor and Evaluate Occurrences Detective
    Take appropriate action when a data leakage is discovered. CC ID 14716 Process or Activity Corrective
    Include text about data ownership in the data handling policy. CC ID 15720 Data and Information Management Preventive
    Establish, implement, and maintain a telephone systems usage policy. CC ID 15170 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain call metadata controls. CC ID 04790 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 Data and Information Management Preventive
    Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 Data and Information Management Preventive
    Store de-identifying code and re-identifying code separately. CC ID 16535 Data and Information Management Preventive
    Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 Data and Information Management Preventive
    Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465 Communicate Preventive
    Establish, implement, and maintain data handling procedures. CC ID 11756 Establish/Maintain Documentation Preventive
    Define personal data that falls under breach notification rules. CC ID 00800 Establish/Maintain Documentation Preventive
    Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 Data and Information Management Preventive
    Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 Data and Information Management Preventive
    Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 Data and Information Management Preventive
    Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 Data and Information Management Preventive
    Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 Data and Information Management Preventive
    Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 Data and Information Management Preventive
    Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 Data and Information Management Preventive
    Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 Data and Information Management Preventive
    Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 Data and Information Management Preventive
    Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 Data and Information Management Preventive
    Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 Data and Information Management Preventive
    Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 Data and Information Management Preventive
    Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 Data and Information Management Preventive
    Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 Data and Information Management Preventive
    Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 Data and Information Management Preventive
    Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 Data and Information Management Preventive
    Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 Data and Information Management Preventive
    Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 Data and Information Management Preventive
    Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 Data and Information Management Preventive
    Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 Data and Information Management Preventive
    Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 Data and Information Management Preventive
    Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 Data and Information Management Preventive
    Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 Data and Information Management Preventive
    Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 Data and Information Management Preventive
    Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 Data and Information Management Preventive
    Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 Data and Information Management Preventive
    Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 Data and Information Management Preventive
    Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 Data and Information Management Preventive
    Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 Data and Information Management Preventive
    Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 Data and Information Management Preventive
    Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 Data and Information Management Preventive
    Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 Data and Information Management Preventive
    Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 Data and Information Management Preventive
    Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 Data and Information Management Preventive
    Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 Data and Information Management Preventive
    Define an out of scope privacy breach. CC ID 04677 Establish/Maintain Documentation Preventive
    Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 Business Processes Preventive
    Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 Monitor and Evaluate Occurrences Preventive
    Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 Monitor and Evaluate Occurrences Preventive
    Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 Monitor and Evaluate Occurrences Preventive
    Conduct internal data processing audits. CC ID 00374 Testing Detective
    Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 Communicate Preventive
    Establish, implement, and maintain a personal data transfer program. CC ID 00307 Establish/Maintain Documentation Preventive
    Obtain consent from an individual prior to transferring personal data. CC ID 06948 Data and Information Management Preventive
    Include procedures for transferring personal data from one data controller to another data controller in the personal data transfer program. CC ID 00351 Establish/Maintain Documentation Preventive
    Refrain from requiring independent recourse mechanisms when transferring personal data from one data controller to another data controller. CC ID 12528 Business Processes Preventive
    Notify data subjects when their personal data is transferred. CC ID 00352 Behavior Preventive
    Include procedures for transferring personal data to third parties in the personal data transfer program. CC ID 00333 Establish/Maintain Documentation Preventive
    Notify data subjects of the geographic locations of the third parties when transferring personal data to third parties. CC ID 14414 Communicate Preventive
    Provide an adequate data protection level by the transferee prior to transferring personal data to another country. CC ID 00314 Data and Information Management Preventive
    Refrain from restricting personal data transfers to member states of the European Union. CC ID 00312 Data and Information Management Preventive
    Prohibit the transfer of personal data when security is inadequate. CC ID 00345 Data and Information Management Preventive
    Meet the use of limitation exceptions in order to transfer personal data. CC ID 00346 Data and Information Management Preventive
    Refrain from transferring past the first transfer. CC ID 00347 Data and Information Management Preventive
    Document transfer disagreements by the data subject in writing. CC ID 00348 Establish/Maintain Documentation Preventive
    Allow the data subject the right to object to the personal data transfer. CC ID 00349 Data and Information Management Preventive
    Authorize the transfer of restricted data in accordance with organizational standards. CC ID 16428 Records Management Preventive
    Follow the instructions of the data transferrer. CC ID 00334 Behavior Preventive
    Define the personal data transfer exceptions for transferring personal data to another country when adequate protection level standards are not met. CC ID 00315 Establish/Maintain Documentation Preventive
    Include publicly available information as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00316 Data and Information Management Preventive
    Include transfer agreements between data controllers and third parties when it is for the data subject's interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00317 Data and Information Management Preventive
    Include personal data for the health field and for treatment as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00318 Data and Information Management Preventive
    Include personal data for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00319 Data and Information Management Preventive
    Include personal data for important public interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00320 Data and Information Management Preventive
    Include consent by the data subject as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00321 Data and Information Management Preventive
    Include personal data used for a contract as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00322 Data and Information Management Preventive
    Include personal data for protecting the data subject or the data subject's interests, such as saving his/her life or providing healthcare as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00323 Data and Information Management Preventive
    Include personal data that is necessary to fulfill international law obligations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00324 Data and Information Management Preventive
    Include personal data used for legal investigations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00325 Data and Information Management Preventive
    Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00326 Data and Information Management Preventive
    Require transferees to implement adequate data protection levels for the personal data. CC ID 00335 Data and Information Management Preventive
    Refrain from requiring a contract between the data controller and trusted third parties when personal information is transferred. CC ID 12527 Business Processes Preventive
    Define the personal data transfer exceptions for transferring personal data to another organization when adequate protection level standards are not met. CC ID 00336 Establish/Maintain Documentation Preventive
    Include personal data that is publicly available information as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00337 Data and Information Management Preventive
    Include personal data that is used for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00338 Data and Information Management Preventive
    Include personal data that is used for important public interest as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00339 Data and Information Management Preventive
    Include consent by the data subject as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00340 Data and Information Management Preventive
    Include personal data that is used for a contract as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00341 Data and Information Management Preventive
    Include personal data that is used for protecting the data subject or the data subject's interests, such as providing healthcare or saving his/her life as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00342 Data and Information Management Preventive
    Include personal data that is used for a legal investigation as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00343 Data and Information Management Preventive
    Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00344 Data and Information Management Preventive
    Notify data subjects about organizational liability when transferring personal data to third parties. CC ID 12353 Communicate Preventive
    Notify the data subject of any personal data changes during the personal data transfer. CC ID 00350 Behavior Preventive
    Establish, implement, and maintain Internet interactivity data transfer procedures. CC ID 06949 Establish/Maintain Documentation Preventive
    Obtain consent prior to storing cookies on an individual's browser. CC ID 06950 Data and Information Management Preventive
    Obtain consent prior to downloading software to an individual's computer. CC ID 06951 Data and Information Management Preventive
    Refrain from installing software on an individual's computer unless acting in accordance with a court order. CC ID 14000 Process or Activity Preventive
    Remove or uninstall software from an individual's computer, as necessary. CC ID 13998 Process or Activity Preventive
    Remove or uninstall software from an individual's computer when consent is revoked. CC ID 13997 Process or Activity Preventive
    Obtain consent prior to tracking Internet traffic patterns or browsing history of an individual. CC ID 06961 Data and Information Management Preventive
    Establish, implement, and maintain a privacy impact assessment. CC ID 13712 Establish/Maintain Documentation Preventive
    Include the individuals with whom information is shared in the privacy impact assessment. CC ID 15520 Establish/Maintain Documentation Preventive
    Include how to grant consent in the privacy impact assessment. CC ID 15519 Establish/Maintain Documentation Preventive
    Include the opportunities for individuals to consent to using their information in the privacy impact assessment. CC ID 15518 Establish/Maintain Documentation Preventive
    Include the opportunities for opting out of information collection in the privacy impact assessment. CC ID 15517 Establish/Maintain Documentation Preventive
    Include data handling procedures in the privacy impact assessment. CC ID 15516 Establish/Maintain Documentation Preventive
    Include the intended use of information in the privacy impact assessment. CC ID 15515 Establish/Maintain Documentation Preventive
    Include the reason information is being collected in the privacy impact assessment. CC ID 15514 Establish/Maintain Documentation Preventive
    Include the type of information to be collected in the privacy impact assessment. CC ID 15513 Business Processes Preventive
    Disseminate and communicate the results of the Privacy Impact Assessment to interested personnel and affected parties. CC ID 15458 Communicate Preventive
    Review compliance with the organization's privacy objectives. CC ID 13490 Human Resources Management Detective
    Develop remedies and sanctions for privacy policy violations. CC ID 00474 Data and Information Management Preventive
    Define the behaviors and actions that are included in privacy rights violations. CC ID 14852 Behavior Preventive
    Implement procedures to file privacy rights violation complaints. CC ID 00476 Data and Information Management Corrective
    File privacy rights violation complaints in writing. CC ID 00477 Establish/Maintain Documentation Corrective
    Include the acts or omissions that are in violation of privacy rights in the privacy rights violation complaint. CC ID 14360 Establish/Maintain Documentation Corrective
    Include the individual's name who is the subject of the complaint in the privacy rights violation complaint. CC ID 14359 Establish/Maintain Documentation Preventive
    Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478 Behavior Corrective
    Refrain from charging a fee to file a privacy rights violation complaint. CC ID 16807 Business Processes Preventive
    File privacy rights violation complaints inside the mandate stipulated from the refusal. CC ID 00479 Behavior Corrective
    Change or destroy any personal data that is incorrect. CC ID 00462 Data and Information Management Corrective
    Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 Behavior Corrective
    Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 Data and Information Management Preventive
    Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 Data and Information Management Corrective
    Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526 Establish/Maintain Documentation Preventive
    Include potential remedies in the privacy dispute resolution program. CC ID 12531 Establish/Maintain Documentation Preventive
    Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395 Establish/Maintain Documentation Preventive
    Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529 Establish/Maintain Documentation Preventive
    Document unresolved challenges. CC ID 13568 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an accuracy resolution policy. CC ID 00460 Establish/Maintain Documentation Preventive
    Notify individuals of their right to challenge personal data. CC ID 00457 Data and Information Management Preventive
    Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458 Data and Information Management Preventive
    Terminate an individual's restriction agreement under specific circumstances. CC ID 06260 Configuration Preventive
    Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798 Human Resources Management Preventive
    Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459 Data and Information Management Preventive
    Investigate the disputed accuracy of personal data. CC ID 00461 Data and Information Management Preventive
    Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466 Behavior Corrective
    Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 Behavior Corrective
    Notify third parties of unresolved challenges. CC ID 13559 Communicate Preventive
    Document disagreements as to whether personal data is complete and accurate. CC ID 06952 Establish/Maintain Documentation Preventive
    Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954 Establish/Maintain Documentation Preventive
    Order the cessation of data processing when a violation of the privacy policy is detected. CC ID 00475 Data and Information Management Corrective
    Investigate privacy rights violation complaints. CC ID 00480 Behavior Detective
    Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364 Business Processes Corrective
    Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491 Behavior Detective
    Include the allegations against the organization in the notice of investigation. CC ID 13031 Establish/Maintain Documentation Preventive
    Investigate privacy rights violation complaints in private. CC ID 00492 Behavior Detective
    Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493 Behavior Detective
    Allow the complainant to appear before the commissioner and make a submission, orally or in writing, about the privacy rights violation complaint investigation prior to an adverse decision to the complainant is reached. CC ID 00494 Behavior Detective
    Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481 Behavior Preventive
    Determine not to investigate privacy rights violation complaints under certain conditions. CC ID 00482 Behavior Preventive
    Refrain from investigating a privacy rights violation complaint when the act or practice does not interfere with an individual's privacy. CC ID 00483 Behavior Preventive
    Refrain from investigating a privacy rights violation complaint when the complaint is created outside the stipulated time frame after the complainant became aware of it. CC ID 00484 Behavior Preventive
    Refrain from investigating a privacy rights violation complaint when the complaint is frivolous, vexatious, misconceived, or lacking in substance. CC ID 00485 Behavior Preventive
    Refrain from investigating a privacy rights violation complaint if the act or practice is subject to an application under another commonwealth law, state law, or territory law, and the complaint was or is being dealt with adequately under the law. CC ID 00486 Behavior Preventive
    Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487 Behavior Preventive
    Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488 Behavior Preventive
    Defer privacy rights violation complaint investigations when the Privacy Commissioner believes the data subject's interests would not be affected if the investigation or further investigation were deferred until the application was disposed of. CC ID 00489 Behavior Preventive
    Notify respondents after a privacy rights violation complaint investigation has been resolved. CC ID 13513 Communicate Corrective
    Create an investigative report in regards to a privacy rights violation complaint. CC ID 00495 Establish/Maintain Documentation Corrective
    Respond to an investigative report in regards to a privacy rights violation complaint. CC ID 00496 Behavior Corrective
    Define the available administrative remedies in regards to a privacy rights violation complaint. CC ID 00497 Establish/Maintain Documentation Detective
    Order the organization to change to be in compliance with applicable law. CC ID 00499 Behavior Corrective
    Order the organization to publish a notice with the corrections or actions taken. CC ID 00500 Behavior Corrective
    Award damages based on applicable law. CC ID 00501 Behavior Corrective
    Destroy personal data that breaches privacy after the privacy breach has been detected. CC ID 00503 Data and Information Management Corrective
    Define the organization's liability based on the applicable law. CC ID 00504 Establish/Maintain Documentation Preventive
    Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 Establish/Maintain Documentation Preventive
    Define the appeal process based on the applicable law. CC ID 00506 Establish/Maintain Documentation Preventive
    Define the fee structure for the appeal process. CC ID 16532 Process or Activity Preventive
    Define the time requirements for the appeal process. CC ID 16531 Process or Activity Preventive
    Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 Communicate Preventive
    Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 Communicate Preventive
    Provide notice of proposed penalties. CC ID 06216 Establish/Maintain Documentation Preventive
    Notify the public and other agencies after a penalty becomes final. CC ID 06217 Behavior Preventive
    Refrain from subjecting individuals to retaliation or intimidation after a complaint is created. CC ID 06218 Testing Detective
  • Records management
    67
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Records management CC ID 00902 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain records management policies. CC ID 00903 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a record classification scheme. CC ID 00914 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a records authentication system. CC ID 11648
    [Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements. § 18.1.3 Control]
    Establish/Maintain Documentation Preventive
    Define each system's preservation requirements for records and logs. CC ID 00904 Establish/Maintain Documentation Detective
    Establish, implement, and maintain storage media disposition and destruction procedures. CC ID 11657
    [Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements. § 18.1.3 Control]
    Establish/Maintain Documentation Preventive
    Supervise media destruction in accordance with organizational standards. CC ID 16456 Business Processes Preventive
    Sanitize electronic storage media in accordance with organizational standards. CC ID 16464 Data and Information Management Preventive
    Sanitize all electronic storage media before disposing a system or redeploying a system. CC ID 01643
    [All items of equipment containing storage media should be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use. § 11.2.7 Control]
    Data and Information Management Preventive
    Degauss as a method of sanitizing electronic storage media. CC ID 00973 Records Management Preventive
    Destroy electronic storage media following the storage media disposition and destruction procedures. CC ID 00970
    [Media should be disposed of securely when no longer required, using formal procedures. § 8.3.2 Control]
    Testing Detective
    Manage waste materials in accordance with the storage media disposition and destruction procedures. CC ID 16485 Process or Activity Preventive
    Maintain media sanitization equipment in operational condition. CC ID 00721 Testing Detective
    Use approved media sanitization equipment for destruction. CC ID 16459 Business Processes Preventive
    Establish, implement, and maintain records management procedures. CC ID 11619 Establish/Maintain Documentation Preventive
    Protect records from loss in accordance with applicable requirements. CC ID 12007
    [Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements. § 18.1.3 Control]
    Records Management Preventive
    Establish, implement, and maintain document security requirements for the output of records. CC ID 11656
    [Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements. § 18.1.3 Control]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain document handling procedures for paper documents. CC ID 00926 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain electronic storage media management procedures. CC ID 00931
    [Procedures should be implemented for the management of removable media in accordance with the classification scheme adopted by the organization. § 8.3.1 Control]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain security label procedures. CC ID 06747
    [An appropriate set of procedures for information labelling should be developed and implemented in accordance with the information classification scheme adopted by the organization. § 8.2.2 Control]
    Establish/Maintain Documentation Preventive
    Label restricted storage media appropriately. CC ID 00966 Data and Information Management Preventive
    Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 Records Management Detective
    Establish, implement, and maintain restricted material identification procedures. CC ID 01889 Establish/Maintain Documentation Preventive
    Conspicuously locate the restricted record's overall classification. CC ID 01890 Establish/Maintain Documentation Preventive
    Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 Establish/Maintain Documentation Preventive
    Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 Establish/Maintain Documentation Preventive
    Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 Establish/Maintain Documentation Preventive
    Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 Establish/Maintain Documentation Preventive
    Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 Data and Information Management Preventive
    Establish, implement, and maintain label inheritance mechanisms for aggregate data sets. CC ID 06957 Technical Security Preventive
    Establish the minimum originator requirements for security labels. CC ID 06579 Establish/Maintain Documentation Preventive
    Establish the minimum intermediate system requirements for security labels. CC ID 06581 Establish/Maintain Documentation Preventive
    Establish the minimum receiver requirements for records or electronic storage media marked with security labels. CC ID 06580 Establish/Maintain Documentation Preventive
    Establish policy based processing rules to process incoming records or electronic storage media marked with security labels. CC ID 06582 Establish/Maintain Documentation Preventive
    Establish and maintain access controls for all records. CC ID 00371
    [Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements. § 18.1.3 Control]
    Records Management Preventive
    Reproduce materials containing restricted data or restricted information in accordance with compliance requirements. CC ID 02202 Data and Information Management Preventive
    Establish, implement, and maintain a records lifecycle management program. CC ID 00951 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an information preservation policy. CC ID 16483 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain information preservation procedures. CC ID 06277 Establish/Maintain Documentation Preventive
    Implement and maintain high availability storage, as necessary. CC ID 00952 Technical Security Preventive
    Implement and maintain backups and duplicate copies of organizational records. CC ID 00953 Records Management Preventive
    Establish, implement, and maintain the duplicate original of record indexes. CC ID 00954 Records Management Preventive
    Establish, implement, and maintain a transparent storage media strategy. CC ID 00932 Records Management Preventive
    Establish, implement, and maintain an online availability plan that is commensurate with the electronic storage media. CC ID 00934 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain online storage monitoring and reporting capabilities. CC ID 00935 Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain online storage controls. CC ID 00942 Technical Security Preventive
    Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 Records Management Preventive
    Store records on non-rewritable, non-erasable storage media formats, as necessary. CC ID 00944 Testing Detective
    Provide encryption for different types of electronic storage media. CC ID 00945 Technical Security Preventive
    Implement electronic storage media integrity controls. CC ID 00946 Configuration Preventive
    Automate electronic storage media integrity check controls. CC ID 00948 Configuration Preventive
    Provide capacity for indexes on electronic storage media, as necessary. CC ID 00950 Configuration Preventive
    Provide audit trails for all pertinent records. CC ID 00372 Establish/Maintain Documentation Detective
    Establish, implement, and maintain a removable storage media log. CC ID 12317 Log Management Preventive
    Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320 Establish/Maintain Documentation Preventive
    Include the date and time in the removable storage media log. CC ID 12318 Establish/Maintain Documentation Preventive
    Include the name and signature of the current custodian in the removable storage media log. CC ID 12315 Establish/Maintain Documentation Preventive
    Include the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 Establish/Maintain Documentation Preventive
    Include the recipient's name for the data transfer in the removable storage media log. CC ID 12753 Establish/Maintain Documentation Preventive
    Include the sender's name in the removable storage media log. CC ID 12752 Establish/Maintain Documentation Preventive
    Include the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 Establish/Maintain Documentation Preventive
    Include the reason for transfer in the removable storage media log. CC ID 12316 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain storage media downgrading procedures. CC ID 10619 Process or Activity Preventive
    Identify electronic storage media that require downgrading. CC ID 10620 Process or Activity Detective
    Downgrade electronic storage media, as necessary. CC ID 10621 Process or Activity Corrective
    Document all actions taken when downgrading electronic storage media. CC ID 10622 Establish/Maintain Documentation Preventive
    Test the storage media downgrade for correct performance. CC ID 10623 Testing Detective
  • System hardening through configuration management
    64
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    System hardening through configuration management CC ID 00860 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain system hardening procedures. CC ID 12001 Establish/Maintain Documentation Preventive
    Remove all unnecessary functionality. CC ID 00882 Configuration Preventive
    Disable all unnecessary applications unless otherwise noted in a policy exception. CC ID 04827 Configuration Preventive
    Restrict and control the use of privileged utility programs. CC ID 12030
    [The use of utility programs that might be capable of overriding system and application controls should be restricted and tightly controlled. § 9.4.4 Control]
    Technical Security Preventive
    Establish, implement, and maintain authenticators. CC ID 15305 Technical Security Preventive
    Establish, implement, and maintain an authenticator standard. CC ID 01702 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an authenticator management system. CC ID 12031
    [The allocation of secret authentication information should be controlled through a formal management process. § 9.2.4 Control
    {interactive system} Password management systems should be interactive and should ensure quality passwords. § 9.4.3 Control]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a repository of authenticators. CC ID 16372 Data and Information Management Preventive
    Establish, implement, and maintain authenticator procedures. CC ID 12002
    [Users should be required to follow the organization’s practices in the use of secret authentication information. § 9.3.1 Control]
    Establish/Maintain Documentation Preventive
    Restrict access to authentication files to authorized personnel, as necessary. CC ID 12127 Technical Security Preventive
    Configure authenticators to comply with organizational standards. CC ID 06412
    [{interactive system} Password management systems should be interactive and should ensure quality passwords. § 9.4.3 Control]
    Configuration Preventive
    Configure the system to require new users to change their authenticator on first use. CC ID 05268 Configuration Preventive
    Configure authenticators so that group authenticators or shared authenticators are prohibited. CC ID 00519 Configuration Preventive
    Change the authenticator for shared accounts when the group membership changes. CC ID 14249 Business Processes Corrective
    Configure the system to prevent unencrypted authenticator use. CC ID 04457 Configuration Preventive
    Disable store passwords using reversible encryption. CC ID 01708 Configuration Preventive
    Configure the system to encrypt authenticators. CC ID 06735 Configuration Preventive
    Configure the system to mask authenticators. CC ID 02037 Configuration Preventive
    Configure the authenticator policy to ban the use of usernames or user identifiers in authenticators. CC ID 05992 Configuration Preventive
    Configure the "minimum number of digits required for new passwords" setting to organizational standards. CC ID 08717 Establish/Maintain Documentation Preventive
    Configure the "minimum number of upper case characters required for new passwords" setting to organizational standards. CC ID 08718 Establish/Maintain Documentation Preventive
    Configure the system to refrain from specifying the type of information used as password hints. CC ID 13783 Configuration Preventive
    Configure the "minimum number of lower case characters required for new passwords" setting to organizational standards. CC ID 08719 Establish/Maintain Documentation Preventive
    Disable machine account password changes. CC ID 01737 Configuration Preventive
    Configure the "minimum number of special characters required for new passwords" setting to organizational standards. CC ID 08720 Establish/Maintain Documentation Preventive
    Configure the "require new passwords to differ from old ones by the appropriate minimum number of characters" setting to organizational standards. CC ID 08722 Establish/Maintain Documentation Preventive
    Configure the "password reuse" setting to organizational standards. CC ID 08724 Establish/Maintain Documentation Preventive
    Configure the "Disable Remember Password" setting. CC ID 05270 Configuration Preventive
    Configure the "Minimum password age" to organizational standards. CC ID 01703 Configuration Preventive
    Configure the LILO/GRUB password. CC ID 01576 Configuration Preventive
    Configure the system to use Apple's Keychain Access to store passwords and certificates. CC ID 04481 Configuration Preventive
    Change the default password to Apple's Keychain. CC ID 04482 Configuration Preventive
    Configure Apple's Keychain items to ask for the Keychain password. CC ID 04483 Configuration Preventive
    Configure the Syskey Encryption Key and associated password. CC ID 05978 Configuration Preventive
    Configure the "Accounts: Limit local account use of blank passwords to console logon only" setting. CC ID 04505 Configuration Preventive
    Configure the "System cryptography: Force strong key protection for user keys stored in the computer" setting. CC ID 04534 Configuration Preventive
    Configure interactive logon for accounts that do not have assigned authenticators in accordance with organizational standards. CC ID 05267 Configuration Preventive
    Enable or disable remote connections from accounts with empty authenticators, as appropriate. CC ID 05269 Configuration Preventive
    Configure the "Send LanMan compatible password" setting. CC ID 05271 Configuration Preventive
    Configure the authenticator policy to ban or allow authenticators as words found in dictionaries, as appropriate. CC ID 05993 Configuration Preventive
    Set the most number of characters required for the BitLocker Startup PIN correctly. CC ID 06054 Configuration Preventive
    Set the default folder for BitLocker recovery passwords correctly. CC ID 06055 Configuration Preventive
    Notify affected parties to keep authenticators confidential. CC ID 06787 Behavior Preventive
    Discourage affected parties from recording authenticators. CC ID 06788 Behavior Preventive
    Ensure the root account is the first entry in password files. CC ID 16323 Data and Information Management Detective
    Configure the "shadow password for all accounts in /etc/passwd" setting to organizational standards. CC ID 08721 Establish/Maintain Documentation Preventive
    Configure the "password hashing algorithm" setting to organizational standards. CC ID 08723 Establish/Maintain Documentation Preventive
    Configure the "Disable password strength validation for Peer Grouping" setting to organizational standards. CC ID 10866 Configuration Preventive
    Configure the "Set the interval between synchronization retries for Password Synchronization" setting to organizational standards. CC ID 11185 Configuration Preventive
    Configure the "Set the number of synchronization retries for servers running Password Synchronization" setting to organizational standards. CC ID 11187 Configuration Preventive
    Configure the "Turn off password security in Input Panel" setting to organizational standards. CC ID 11296 Configuration Preventive
    Configure the "Turn on the Windows to NIS password synchronization for users that have been migrated to Active Directory" setting to organizational standards. CC ID 11355 Configuration Preventive
    Configure the authenticator display screen to organizational standards. CC ID 13794 Configuration Preventive
    Configure the authenticator field to disallow memorized secrets found in the memorized secret list. CC ID 13808 Configuration Preventive
    Configure the authenticator display screen to display the memorized secret as an option. CC ID 13806 Configuration Preventive
    Disseminate and communicate with the end user when a memorized secret entered into an authenticator field matches one found in the memorized secret list. CC ID 13807 Communicate Preventive
    Configure the look-up secret authenticator to dispose of memorized secrets after their use. CC ID 13817 Configuration Corrective
    Configure the memorized secret verifiers to refrain from allowing anonymous users to access memorized secret hints. CC ID 13823 Configuration Preventive
    Configure the system to allow paste functionality for the authenticator field. CC ID 13819 Configuration Preventive
    Configure the system to require successful authentication before an authenticator for a user account is changed. CC ID 13821 Configuration Preventive
    Configure Logging settings in accordance with organizational standards. CC ID 07611 Configuration Preventive
    Configure all logs to capture auditable events or actionable events. CC ID 06332 Configuration Preventive
    Configure the log to capture actions taken by individuals with root privileges or administrative privileges and add logging option to the root file system. CC ID 00645
    [System administrator and system operator activities should be logged and the logs protected and regularly reviewed. § 12.4.3 Control]
    Log Management Detective
  • Systems design, build, and implementation
    207
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Systems design, build, and implementation CC ID 00989 IT Impact Zone IT Impact Zone
    Initiate the System Development Life Cycle planning phase. CC ID 06266 Systems Design, Build, and Implementation Preventive
    Establish, implement, and maintain system design principles and system design guidelines. CC ID 01057
    [{system development} Rules for the development of software and systems should be established and applied to developments within the organization. § 14.2.1 Control]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a security controls definition document. CC ID 01080 Establish/Maintain Documentation Preventive
    Include identified risks and legal requirements in the security controls definition document. CC ID 11743 Establish/Maintain Documentation Preventive
    Include naming conventions in system design guidelines. CC ID 13656 Establish/Maintain Documentation Preventive
    Implement manual override capability into automated systems. CC ID 14921 Systems Design, Build, and Implementation Preventive
    Define and assign the system development project team roles and responsibilities. CC ID 01061 Establish Roles Preventive
    Disseminate and communicate system development roles and responsibilities to interested personnel and affected parties. CC ID 01062 Establish Roles Preventive
    Disseminate and communicate system development roles and responsibilities to business unit leaders. CC ID 01063 Establish Roles Preventive
    Restrict system architects from being assigned as Administrators. CC ID 01064 Testing Detective
    Restrict the development team from having access to the production environment. CC ID 01066 Testing Detective
    Redesign business activities to support the system implementation. CC ID 01067 Systems Design, Build, and Implementation Corrective
    Establish, implement, and maintain a source data collection design specification. CC ID 01070 Establish/Maintain Documentation Preventive
    Establish and maintain an input requirements definition document. CC ID 01071 Establish/Maintain Documentation Preventive
    Search for metadata during e-discovery. CC ID 01073 Systems Design, Build, and Implementation Preventive
    Establish, implement, and maintain security design principles. CC ID 14718 Systems Design, Build, and Implementation Preventive
    Include reduced complexity of systems or system components in the security design principles. CC ID 14753 Systems Design, Build, and Implementation Preventive
    Include self-reliant trustworthiness of systems or system components in the security design principles. CC ID 14752 Systems Design, Build, and Implementation Preventive
    Include partially ordered dependencies of systems or system components in the security design principles. CC ID 14751 Systems Design, Build, and Implementation Preventive
    Include modularity and layering of systems or system components in the security design principles. CC ID 14750 Systems Design, Build, and Implementation Preventive
    Include secure evolvability of systems or system components in the security design principles. CC ID 14749 Systems Design, Build, and Implementation Preventive
    Include continuous protection of systems or system components in the security design principles. CC ID 14748 Establish/Maintain Documentation Preventive
    Include least common mechanisms between systems or system components in the security design principles. CC ID 14747 Systems Design, Build, and Implementation Preventive
    Include secure system modification of systems or system components in the security design principles. CC ID 14746 Systems Design, Build, and Implementation Preventive
    Include clear abstractions of systems or system components in the security design principles. CC ID 14745 Systems Design, Build, and Implementation Preventive
    Include secure failure and recovery of systems or system components in the security design principles. CC ID 14744 Systems Design, Build, and Implementation Preventive
    Include repeatable and documented procedures for systems or system components in the security design principles. CC ID 14743 Systems Design, Build, and Implementation Preventive
    Include least privilege of systems or system components in the security design principles. CC ID 14742 Systems Design, Build, and Implementation Preventive
    Include minimized sharing of systems or system components in the security design principles. CC ID 14741 Systems Design, Build, and Implementation Preventive
    Include acceptable security of systems or system components in the security design principles. CC ID 14740 Systems Design, Build, and Implementation Preventive
    Include minimized security elements in systems or system components in the security design principles. CC ID 14739 Systems Design, Build, and Implementation Preventive
    Include hierarchical protection in systems or system components in the security design principles. CC ID 14738 Systems Design, Build, and Implementation Preventive
    Include self-analysis of systems or system components in the security design principles. CC ID 14737 Systems Design, Build, and Implementation Preventive
    Include inverse modification thresholds in systems or system components in the security design principles. CC ID 14736 Systems Design, Build, and Implementation Preventive
    Include efficiently mediated access to systems or system components in the security design principles. CC ID 14735 Systems Design, Build, and Implementation Preventive
    Include secure distributed composition of systems or system components in the security design principles. CC ID 14734 Systems Design, Build, and Implementation Preventive
    Include minimization of systems or system components in the security design principles. CC ID 14733 Systems Design, Build, and Implementation Preventive
    Include secure defaults in systems or system components in the security design principles. CC ID 14732 Systems Design, Build, and Implementation Preventive
    Include trusted communications channels for systems or system components in the security design principles. CC ID 14731 Systems Design, Build, and Implementation Preventive
    Include economic security in systems or system components in the security design principles. CC ID 14730 Systems Design, Build, and Implementation Preventive
    Include trusted components of systems or system components in the security design principles. CC ID 14729 Systems Design, Build, and Implementation Preventive
    Include procedural rigor in systems or system components in the security design principles. CC ID 14728 Systems Design, Build, and Implementation Preventive
    Include accountability and traceability of systems or system components in the security design principles. CC ID 14727 Systems Design, Build, and Implementation Preventive
    Include hierarchical trust in systems or system components in the security design principles. CC ID 14726 Systems Design, Build, and Implementation Preventive
    Include sufficient documentation for systems or system components in the security design principles. CC ID 14725 Systems Design, Build, and Implementation Preventive
    Include performance security of systems or system components in the security design principles. CC ID 14724 Systems Design, Build, and Implementation Preventive
    Include human factored security in systems or system components in the security design principles. CC ID 14723 Systems Design, Build, and Implementation Preventive
    Include secure metadata management of systems or system components in the security design principles. CC ID 14722 Systems Design, Build, and Implementation Preventive
    Include predicate permission of systems or system components in the security design principles. CC ID 14721 Systems Design, Build, and Implementation Preventive
    Establish, implement, and maintain a system use training plan. CC ID 01089 Establish/Maintain Documentation Preventive
    Train the affected users during system development life cycle projects. CC ID 01091 Behavior Preventive
    Establish and maintain access rights to the system use training plan based on least privilege. CC ID 06963 Establish/Maintain Documentation Preventive
    Include the physical design characteristics in the system design specification. CC ID 06927 Establish/Maintain Documentation Preventive
    Separate the design and development environment from the production environment. CC ID 06088
    [{development environment} {testing environment} Development, testing, and operational environments should be separated to reduce the risks of unauthorized access or changes to the operational environment. § 12.1.4 Control]
    Systems Design, Build, and Implementation Preventive
    Specify appropriate tools for the system development project. CC ID 06830 Establish/Maintain Documentation Preventive
    Implement security controls in development endpoints. CC ID 16389 Testing Preventive
    Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 Systems Design, Build, and Implementation Preventive
    Develop systems in accordance with the system design specifications and system design standards. CC ID 01094
    [Principles for engineering secure systems should be established, documented, maintained and applied to any information system implementation efforts. § 14.2.5 Control]
    Systems Design, Build, and Implementation Preventive
    Establish, implement, and maintain outsourced development procedures. CC ID 01141 Establish/Maintain Documentation Preventive
    Supervise and monitor outsourced development projects. CC ID 01096
    [The organization should supervise and monitor the activity of outsourced system development. § 14.2.7 Control]
    Monitor and Evaluate Occurrences Detective
    Protect stored manufacturing components prior to assembly. CC ID 12248 Systems Design, Build, and Implementation Preventive
    Store manufacturing components in a controlled access area. CC ID 12256 Physical and Environmental Protection Preventive
    Develop new products based on best practices. CC ID 01095 Systems Design, Build, and Implementation Preventive
    Establish, implement, and maintain a system design specification. CC ID 04557 Establish/Maintain Documentation Preventive
    Document the system architecture in the system design specification. CC ID 12287 Establish/Maintain Documentation Preventive
    Include hardware requirements in the system design specification. CC ID 08666 Establish/Maintain Documentation Preventive
    Include communication links in the system design specification. CC ID 08665 Establish/Maintain Documentation Preventive
    Include a description of each module and asset in the system design specification. CC ID 11734 Establish/Maintain Documentation Preventive
    Include supporting software requirements in the system design specification. CC ID 08664 Establish/Maintain Documentation Preventive
    Establish and maintain Application Programming Interface documentation. CC ID 12203 Establish/Maintain Documentation Preventive
    Include configuration options in the Application Programming Interface documentation. CC ID 12205 Establish/Maintain Documentation Preventive
    Include the logical data flows and process steps in the system design specification. CC ID 08668 Establish/Maintain Documentation Preventive
    Establish and maintain the system design specification in a manner that is clear and easy to read. CC ID 12286 Establish/Maintain Documentation Preventive
    Include threat models in the system design specification. CC ID 06829 Systems Design, Build, and Implementation Preventive
    Include security requirements in the system design specification. CC ID 06826
    [The information security related requirements should be included in the requirements for new information systems or enhancements to existing information systems. § 14.1.1 Control]
    Systems Design, Build, and Implementation Preventive
    Establish, implement, and maintain access control procedures for the test environment that match those of the production environment. CC ID 06793 Establish/Maintain Documentation Preventive
    Include anti-tamper technologies and anti-tamper techniques in the system design specification. CC ID 10639 Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain identification card or badge architectural designs. CC ID 06591 Process or Activity Preventive
    Define the physical requirements for identification cards or badges in the identification card or badge architectural designs. CC ID 06592 Process or Activity Preventive
    Define the mandatory items that must appear on identification cards or badges in the identification card or badge architectural designs. CC ID 06593 Process or Activity Preventive
    Define the data elements to be stored on identification cards or badges in the identification card or badge architectural designs. CC ID 15427 Systems Design, Build, and Implementation Preventive
    Define the optional items that may appear on identification cards or badges in the identification card or badge architectural designs. CC ID 06594 Process or Activity Preventive
    Include security measures in the identification card or badge architectural designs. CC ID 15423 Systems Design, Build, and Implementation Preventive
    Include the logical credential data model for identification cards or badges in the identification card or badge architectural designs. CC ID 06595 Process or Activity Preventive
    Establish, implement, and maintain payment card architectural designs. CC ID 16132 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain coding guidelines. CC ID 08661 Establish/Maintain Documentation Preventive
    Nest elements appropriately in website content using markup languages. CC ID 15154 Configuration Preventive
    Use valid HTML or other markup languages. CC ID 15153 Configuration Preventive
    Establish, implement, and maintain human interface guidelines. CC ID 08662 Establish/Maintain Documentation Preventive
    Ensure users can navigate content. CC ID 15163 Configuration Preventive
    Create text content using language that is readable and is understandable. CC ID 15167 Configuration Preventive
    Ensure user interface components are operable. CC ID 15162 Configuration Preventive
    Implement mechanisms to review, confirm, and correct user submissions. CC ID 15160 Configuration Preventive
    Allow users to reverse submissions. CC ID 15168 Configuration Preventive
    Provide a mechanism to control audio. CC ID 15158 Configuration Preventive
    Allow modification of style properties without loss of content or functionality. CC ID 15156 Configuration Preventive
    Programmatically determine the name and role of user interface components. CC ID 15148 Configuration Preventive
    Programmatically determine the language of content. CC ID 15137 Configuration Preventive
    Provide a mechanism to dismiss content triggered by mouseover or keyboard focus. CC ID 15164 Configuration Preventive
    Configure repeated navigational mechanisms to occur in the same order unless overridden by the user. CC ID 15166 Configuration Preventive
    Refrain from activating a change of context when changing the setting of user interface components, as necessary. CC ID 15165 Configuration Preventive
    Provide users a mechanism to remap keyboard shortcuts. CC ID 15133 Configuration Preventive
    Identify the components in a set of web pages that consistently have the same functionality. CC ID 15116 Process or Activity Preventive
    Provide captions for live audio content. CC ID 15120 Configuration Preventive
    Programmatically determine the purpose of each data field that collects information from the user. CC ID 15114 Configuration Preventive
    Provide labels or instructions when content requires user input. CC ID 15077 Configuration Preventive
    Allow users to control auto-updating information, as necessary. CC ID 15159 Configuration Preventive
    Use headings on all web pages and labels in all content that describes the topic or purpose. CC ID 15070 Configuration Preventive
    Display website content triggered by mouseover or keyboard focus. CC ID 15152 Configuration Preventive
    Ensure the purpose of links can be determined through the link text. CC ID 15157 Configuration Preventive
    Use a unique title that describes the topic or purpose for each web page. CC ID 15069 Configuration Preventive
    Allow the use of time limits, as necessary. CC ID 15155 Configuration Preventive
    Include mechanisms for changing authenticators in human interface guidelines. CC ID 14944 Establish/Maintain Documentation Preventive
    Refrain from activating a change of context in a user interface component. CC ID 15115 Configuration Preventive
    Include functionality for managing user data in human interface guidelines. CC ID 14928 Establish/Maintain Documentation Preventive
    Establish and maintain User Interface documentation. CC ID 12204 Establish/Maintain Documentation Preventive
    Include system messages in human interface guidelines. CC ID 08663 Establish/Maintain Documentation Preventive
    Include measurable system performance requirements in the system design specification. CC ID 08667 Establish/Maintain Documentation Preventive
    Include the data structure in the system design specification. CC ID 08669 Establish/Maintain Documentation Preventive
    Include the input and output variables in the system design specification. CC ID 08670 Establish/Maintain Documentation Preventive
    Include data encryption information in the system design specification. CC ID 12209 Establish/Maintain Documentation Preventive
    Include records disposition information in the system design specification. CC ID 12208 Establish/Maintain Documentation Preventive
    Include how data is managed in each module in the system design specification. CC ID 12207 Establish/Maintain Documentation Preventive
    Include identifying restricted data in the system design specification. CC ID 12206 Establish/Maintain Documentation Preventive
    Assign appropriate parties to approve the system design specification. CC ID 13070 Human Resources Management Preventive
    Disseminate and communicate the system design specification to all interested personnel and affected parties. CC ID 15468 Communicate Preventive
    Implement data controls when developing systems. CC ID 15302 Systems Design, Build, and Implementation Preventive
    Implement security controls when developing systems. CC ID 06270 Systems Design, Build, and Implementation Preventive
    Analyze and minimize attack surfaces when developing systems. CC ID 06828 Systems Design, Build, and Implementation Preventive
    Include restricted data encryption and restricted information encryption in the security controls. CC ID 01083 Technical Security Preventive
    Require successful authentication before granting access to system functionality via network interfaces. CC ID 14926 Technical Security Preventive
    Audit all modifications to the application being developed. CC ID 01614 Testing Detective
    Implement a hardware security module, as necessary. CC ID 12222 Systems Design, Build, and Implementation Preventive
    Require dual authentication when switching out of PCI mode in the hardware security module. CC ID 12274 Systems Design, Build, and Implementation Preventive
    Include an indicator to designate when the hardware security module is in PCI mode. CC ID 12273 Systems Design, Build, and Implementation Preventive
    Design the random number generator to generate random numbers that are unpredictable. CC ID 12255 Systems Design, Build, and Implementation Preventive
    Design the hardware security module to enforce the separation between applications. CC ID 12254 Systems Design, Build, and Implementation Preventive
    Protect sensitive data when transiting sensitive services in the hardware security module. CC ID 12253 Systems Design, Build, and Implementation Preventive
    Design the hardware security module to automatically clear its internal buffers of sensitive information prior to reuse of the buffer. CC ID 12233 Systems Design, Build, and Implementation Preventive
    Design the hardware security module to automatically clear its internal buffers of sensitive information after it recovers from an error condition. CC ID 12252 Systems Design, Build, and Implementation Preventive
    Design the hardware security module to automatically clear its internal buffers of sensitive information when it has timed out. CC ID 12251 Systems Design, Build, and Implementation Preventive
    Design the hardware security module to erase sensitive data when compromised. CC ID 12275 Systems Design, Build, and Implementation Preventive
    Restrict key-usage information for cryptographic keys in the hardware security module. CC ID 12232 Systems Design, Build, and Implementation Preventive
    Prevent cryptographic keys in the hardware security module from making unauthorized changes to data. CC ID 12231 Systems Design, Build, and Implementation Preventive
    Include in the system documentation methodologies for authenticating the hardware security module. CC ID 12258 Establish/Maintain Documentation Preventive
    Protect sensitive information within the hardware security module from unauthorized changes. CC ID 12225 Systems Design, Build, and Implementation Preventive
    Prohibit sensitive functions from working outside of protected areas of the hardware security module. CC ID 12224 Systems Design, Build, and Implementation Preventive
    Establish, implement, and maintain an acceptable use policy for the hardware security module. CC ID 12247 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the acceptable use policy for the hardware security module. CC ID 12264 Establish/Maintain Documentation Preventive
    Include the environmental requirements in the acceptable use policy for the hardware security module. CC ID 12263 Establish/Maintain Documentation Preventive
    Include device identification in the acceptable use policy for the hardware security module. CC ID 12262 Establish/Maintain Documentation Preventive
    Include device functionality in the acceptable use policy for the hardware security module. CC ID 12261 Establish/Maintain Documentation Preventive
    Include administrative responsibilities in the acceptable use policy for the hardware security module. CC ID 12260 Establish/Maintain Documentation Preventive
    Install secret information into the hardware security module during manufacturing. CC ID 12249 Systems Design, Build, and Implementation Preventive
    Install secret information into the hardware security module so that it can only be verified by the initial-key-loading facility. CC ID 12272 Systems Design, Build, and Implementation Preventive
    Install secret information under dual control into the hardware security module. CC ID 12257 Systems Design, Build, and Implementation Preventive
    Establish, implement, and maintain session security coding standards. CC ID 04584 Establish/Maintain Documentation Preventive
    Establish and maintain a cryptographic architecture document. CC ID 12476 Establish/Maintain Documentation Preventive
    Include the algorithms used in the cryptographic architecture document. CC ID 12483 Establish/Maintain Documentation Preventive
    Include an inventory of all protected areas in the cryptographic architecture document. CC ID 12486 Establish/Maintain Documentation Preventive
    Include a description of the key usage for each key in the cryptographic architecture document. CC ID 12484 Establish/Maintain Documentation Preventive
    Include descriptions of all cryptographic keys in the cryptographic architecture document. CC ID 12487 Establish/Maintain Documentation Preventive
    Include descriptions of the cryptographic key strength of all cryptographic keys in the cryptographic architecture document. CC ID 12488 Establish/Maintain Documentation Preventive
    Include each cryptographic key's expiration date in the cryptographic architecture document. CC ID 12489 Establish/Maintain Documentation Preventive
    Include the protocols used in the cryptographic architecture document. CC ID 12485 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain secure update mechanisms. CC ID 14923 Systems Design, Build, and Implementation Preventive
    Implement cryptographic mechanisms to authenticate software updates before installation. CC ID 14925 Systems Design, Build, and Implementation Preventive
    Automate secure update mechanisms, as necessary. CC ID 14933 Systems Design, Build, and Implementation Preventive
    Follow security design requirements when developing systems. CC ID 06827 Systems Design, Build, and Implementation Preventive
    Prevent unnecessary information from being added to client-side scripting languages. CC ID 07073 Data and Information Management Preventive
    Use randomly generated session identifiers. CC ID 07074 Technical Security Preventive
    Identify multi-project interfaces and dependencies. CC ID 06902 Systems Design, Build, and Implementation Preventive
    Establish, implement, and maintain a system implementation representation document. CC ID 04558 Establish/Maintain Documentation Preventive
    Include the source code in the implementation representation document. CC ID 13089 Establish/Maintain Documentation Preventive
    Include the hardware schematics in the implementation representation document. CC ID 13098 Establish/Maintain Documentation Preventive
    Design the security architecture. CC ID 06269 Systems Design, Build, and Implementation Preventive
    Limit the embedding of data types inside other data types. CC ID 06759 Technical Security Preventive
    Review and update the security architecture, as necessary. CC ID 14277 Establish/Maintain Documentation Corrective
    Design the privacy architecture. CC ID 14671 Systems Design, Build, and Implementation Preventive
    Review and update the privacy architecture, as necessary. CC ID 14674 Establish/Maintain Documentation Preventive
    Convert workflow charts and diagrams into machine readable code. CC ID 14865 Process or Activity Preventive
    Implement software development version controls. CC ID 01098 Systems Design, Build, and Implementation Preventive
    Protect system libraries. CC ID 01097 Technical Security Preventive
    Follow the system development process when upgrading a system. CC ID 01059 Systems Design, Build, and Implementation Preventive
    Protect application program libraries. CC ID 11762 Technical Security Preventive
    Conduct a design review at each milestone or quality gate. CC ID 01087 Systems Design, Build, and Implementation Detective
    Reassess the system design after the product has been tested. CC ID 01088 Testing Detective
    Include the Evaluation Assurance Levels in the system design specification. CC ID 04561 Establish/Maintain Documentation Preventive
    Approve the design methodology before moving forward on the system design project. CC ID 01060 Systems Design, Build, and Implementation Preventive
    Perform source code analysis at each milestone or quality gate. CC ID 06832 Systems Design, Build, and Implementation Corrective
    Identify and redesign unsafe functions when developing systems. CC ID 06831 Systems Design, Build, and Implementation Preventive
    Document the results of the source code analysis. CC ID 14310 Process or Activity Detective
    Monitor the development environment for when malicious code is discovered. CC ID 06396 Systems Design, Build, and Implementation Detective
    Establish and maintain system security documentation. CC ID 06271 Establish/Maintain Documentation Preventive
    Document the procedures and environment used to create the system or software. CC ID 06609
    [{system development} Rules for the development of software and systems should be established and applied to developments within the organization. § 14.2.1 Control]
    Establish/Maintain Documentation Preventive
    Transmit source code securely. CC ID 06397 Data and Information Management Preventive
    Digitally sign software components. CC ID 16490 Process or Activity Preventive
    Establish and maintain access rights to source code based upon least privilege. CC ID 06962
    [Access to program source code should be restricted. § 9.4.5 Control]
    Technical Security Preventive
    Perform Quality Management on all newly developed or modified systems. CC ID 01100 Testing Detective
    Establish, implement, and maintain a system testing policy. CC ID 01102 Establish/Maintain Documentation Preventive
    Configure the test environment similar to the production environment. CC ID 06837
    [Organizations should establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle. § 14.2.6 Control]
    Configuration Preventive
    Establish, implement, and maintain system testing procedures. CC ID 11744 Establish/Maintain Documentation Preventive
    Protect test data in the development environment. CC ID 12014
    [Test data should be selected carefully, protected and controlled. § 14.3.1 Control]
    Technical Security Preventive
    Control the test data used in the development environment. CC ID 12013
    [Test data should be selected carefully, protected and controlled. § 14.3.1 Control]
    Systems Design, Build, and Implementation Preventive
    Select the test data carefully. CC ID 12011
    [Test data should be selected carefully, protected and controlled. § 14.3.1 Control]
    Systems Design, Build, and Implementation Preventive
    Test security functionality during the development process. CC ID 12015
    [Testing of security functionality should be carried out during development. § 14.2.8 Control]
    Testing Preventive
  • Technical security
    289
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Technical security CC ID 00508 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain an access control program. CC ID 11702 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain access control policies. CC ID 00512
    [{business requirements} An access control policy should be established, documented and reviewed based on business and information security requirements. § 9.1.1 Control
    {business requirements} An access control policy should be established, documented and reviewed based on business and information security requirements. § 9.1.1 Control]
    Establish/Maintain Documentation Preventive
    Include compliance requirements in the access control policy. CC ID 14006 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the access control policy. CC ID 14005 Establish/Maintain Documentation Preventive
    Include management commitment in the access control policy. CC ID 14004 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the access control policy. CC ID 14003 Establish/Maintain Documentation Preventive
    Include the scope in the access control policy. CC ID 14002 Establish/Maintain Documentation Preventive
    Include the purpose in the access control policy. CC ID 14001 Establish/Maintain Documentation Preventive
    Document the business need justification for user accounts. CC ID 15490 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an instant messaging and chat system usage policy. CC ID 11815 Establish/Maintain Documentation Preventive
    Disseminate and communicate the access control policies to all interested personnel and affected parties. CC ID 10061 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an access rights management plan. CC ID 00513
    [A formal user registration and de-registration process should be implemented to enable assignment of access rights. § 9.2.1 Control]
    Establish/Maintain Documentation Preventive
    Implement safeguards to protect access credentials from unauthorized access. CC ID 16433 Technical Security Preventive
    Inventory all user accounts. CC ID 13732 Establish/Maintain Documentation Preventive
    Identify information system users. CC ID 12081 Technical Security Detective
    Review user accounts. CC ID 00525 Technical Security Detective
    Match user accounts to authorized parties. CC ID 12126 Configuration Detective
    Identify and authenticate processes running on information systems that act on behalf of users. CC ID 12082 Technical Security Detective
    Establish and maintain contact information for user accounts, as necessary. CC ID 15418 Data and Information Management Preventive
    Review shared accounts. CC ID 11840 Technical Security Detective
    Control access rights to organizational assets. CC ID 00004
    [The allocation and use of privileged access rights should be restricted and controlled. § 9.2.3 Control
    Access to information and application system functions should be restricted in accordance with the access control policy. § 9.4.1 Control]
    Technical Security Preventive
    Configure access control lists in accordance with organizational standards. CC ID 16465 Configuration Preventive
    Add all devices requiring access control to the Access Control List. CC ID 06264 Establish/Maintain Documentation Preventive
    Generate but refrain from storing authenticators or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835 Technical Security Preventive
    Disallow application IDs from running as privileged users. CC ID 10050 Configuration Detective
    Define roles for information systems. CC ID 12454 Human Resources Management Preventive
    Define access needs for each role assigned to an information system. CC ID 12455 Human Resources Management Preventive
    Define access needs for each system component of an information system. CC ID 12456 Technical Security Preventive
    Define the level of privilege required for each system component of an information system. CC ID 12457 Technical Security Preventive
    Establish access rights based on least privilege. CC ID 01411
    [The allocation and use of privileged access rights should be restricted and controlled. § 9.2.3 Control]
    Technical Security Preventive
    Assign user permissions based on job responsibilities. CC ID 00538 Technical Security Preventive
    Assign user privileges after they have management sign off. CC ID 00542 Technical Security Preventive
    Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767
    [Groups of information services, users and information systems should be segregated on networks. § 13.1.3 Control]
    Configuration Preventive
    Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 Technical Security Preventive
    Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 Configuration Preventive
    Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 Communicate Corrective
    Disallow unlocking user accounts absent system administrator approval. CC ID 01413 Technical Security Preventive
    Establish, implement, and maintain session lock capabilities. CC ID 01417 Configuration Preventive
    Limit concurrent sessions according to account type. CC ID 01416 Configuration Preventive
    Establish session authenticity through Transport Layer Security. CC ID 01627 Technical Security Preventive
    Configure the "tlsverify" argument to organizational standards. CC ID 14460 Configuration Preventive
    Configure the "tlscacert" argument to organizational standards. CC ID 14521 Configuration Preventive
    Configure the "tlscert" argument to organizational standards. CC ID 14520 Configuration Preventive
    Configure the "tlskey" argument to organizational standards. CC ID 14519 Configuration Preventive
    Enable access control for objects and users on each system. CC ID 04553
    [Users should only be provided with access to the network and network services that they have been specifically authorized to use. § 9.1.2 Control]
    Configuration Preventive
    Include all system components in the access control system. CC ID 11939 Technical Security Preventive
    Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 Process or Activity Preventive
    Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 Technical Security Preventive
    Enable attribute-based access control for objects and users on information systems. CC ID 16351 Technical Security Preventive
    Enable role-based access control for objects and users on information systems. CC ID 12458 Technical Security Preventive
    Include the objects and users subject to access control in the security policy. CC ID 11836 Establish/Maintain Documentation Preventive
    Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 Establish Roles Preventive
    Enforce access restrictions for change control. CC ID 01428 Technical Security Preventive
    Enforce access restrictions for restricted data. CC ID 01921 Data and Information Management Preventive
    Permit a limited set of user actions absent identification and authentication. CC ID 04849 Technical Security Preventive
    Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455 Testing Detective
    Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262 Technical Security Preventive
    Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 Establish/Maintain Documentation Preventive
    Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 Establish/Maintain Documentation Preventive
    Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770 Technical Security Preventive
    Display previous logon information in the logon banner. CC ID 01415 Configuration Preventive
    Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771 Establish/Maintain Documentation Preventive
    Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964 Technical Security Preventive
    Control user privileges. CC ID 11665 Technical Security Preventive
    Review all user privileges, as necessary. CC ID 06784
    [Asset owners should review users’ access rights at regular intervals. § 9.2.5 Control]
    Technical Security Preventive
    Revoke asset access when a personnel status change occurs or an individual is terminated. CC ID 00516 Behavior Corrective
    Encrypt files and move them to a secure file server when a user account is disabled. CC ID 07065 Configuration Preventive
    Review and update accounts and access rights when notified of personnel status changes. CC ID 00788
    [The access rights of all employees and external party users to information and information processing facilities should be removed upon termination of their employment, contract or agreement, or adjusted upon change. § 9.2.6 Control]
    Behavior Corrective
    Change authenticators after personnel status changes. CC ID 12284 Human Resources Management Preventive
    Review each user's access capabilities when their role changes. CC ID 00524 Technical Security Preventive
    Establish and maintain a Digital Rights Management program. CC ID 07093 Establish/Maintain Documentation Preventive
    Enable products restricted by Digital Rights Management to be used while offline. CC ID 07094 Technical Security Preventive
    Establish, implement, and maintain User Access Management procedures. CC ID 00514
    [A formal user access provisioning process should be implemented to assign or revoke access rights for all user types to all systems and services. § 9.2.2 Control]
    Technical Security Preventive
    Establish, implement, and maintain an authority for access authorization list. CC ID 06782 Establish/Maintain Documentation Preventive
    Review and approve logical access to all assets based upon organizational policies. CC ID 06641 Technical Security Preventive
    Control the addition and modification of user identifiers, user credentials, or other authenticators. CC ID 00515 Technical Security Preventive
    Assign roles and responsibilities for administering user account management. CC ID 11900 Human Resources Management Preventive
    Automate access control methods, as necessary. CC ID 11838 Technical Security Preventive
    Automate Access Control Systems, as necessary. CC ID 06854 Technical Security Preventive
    Refrain from storing logon credentials for third party applications. CC ID 13690 Technical Security Preventive
    Refrain from allowing user access to identifiers and authenticators used by applications. CC ID 10048 Technical Security Preventive
    Notify interested personnel when user accounts are added or deleted. CC ID 14327 Communicate Detective
    Remove inactive user accounts, as necessary. CC ID 00517 Technical Security Corrective
    Remove temporary user accounts, as necessary. CC ID 11839 Technical Security Corrective
    Establish, implement, and maintain a password policy. CC ID 16346 Establish/Maintain Documentation Preventive
    Enforce the password policy. CC ID 16347 Technical Security Preventive
    Disseminate and communicate the password policies and password procedures to all users who have access to restricted data or restricted information. CC ID 00518 Establish/Maintain Documentation Preventive
    Limit superuser accounts to designated System Administrators. CC ID 06766 Configuration Preventive
    Enforce usage restrictions for superuser accounts. CC ID 07064 Technical Security Preventive
    Establish, implement, and maintain user accounts in accordance with the organizational Governance, Risk, and Compliance framework. CC ID 00526 Technical Security Preventive
    Protect and manage biometric systems and biometric data. CC ID 01261 Technical Security Preventive
    Establish, implement, and maintain biometric collection procedures. CC ID 15419 Establish/Maintain Documentation Preventive
    Document the business need justification for authentication data storage. CC ID 06325 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain access control procedures. CC ID 11663
    [Where required by the access control policy, access to systems and applications should be controlled by a secure log-on procedure. § 9.4.2 Control]
    Establish/Maintain Documentation Preventive
    Implement out-of-band authentication, as necessary. CC ID 10606 Technical Security Corrective
    Grant access to authorized personnel or systems. CC ID 12186 Configuration Preventive
    Document approving and granting access in the access control log. CC ID 06786 Establish/Maintain Documentation Preventive
    Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 Communicate Preventive
    Include the user identifiers of all personnel who are authorized to access a system in the system record. CC ID 15171 Establish/Maintain Documentation Preventive
    Include identity information of all personnel who are authorized to access a system in the system record. CC ID 16406 Establish/Maintain Documentation Preventive
    Include the date and time that access was reviewed in the system record. CC ID 16416 Data and Information Management Preventive
    Include the date and time that access rights were changed in the system record. CC ID 16415 Establish/Maintain Documentation Preventive
    Disseminate and communicate the access control procedures to all interested personnel and affected parties. CC ID 14123 Communicate Corrective
    Identify and control all network access controls. CC ID 00529 Technical Security Preventive
    Establish, implement, and maintain a network configuration standard. CC ID 00530 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a network security policy. CC ID 06440
    [Networks should be managed and controlled to protect information in systems and applications. § 13.1.1 Control]
    Establish/Maintain Documentation Preventive
    Include compliance requirements in the network security policy. CC ID 14205 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the network security policy. CC ID 14204 Establish/Maintain Documentation Preventive
    Include management commitment in the network security policy. CC ID 14203 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the network security policy. CC ID 14202 Establish/Maintain Documentation Preventive
    Include the scope in the network security policy. CC ID 14201 Establish/Maintain Documentation Preventive
    Include the purpose in the network security policy. CC ID 14200 Establish/Maintain Documentation Preventive
    Disseminate and communicate the network security policy to interested personnel and affected parties. CC ID 14199 Communicate Preventive
    Establish, implement, and maintain system and communications protection procedures. CC ID 14052 Establish/Maintain Documentation Preventive
    Disseminate and communicate the system and communications protection procedures to interested personnel and affected parties. CC ID 14206 Communicate Preventive
    Establish, implement, and maintain a wireless networking policy. CC ID 06732 Establish/Maintain Documentation Preventive
    Include usage restrictions for Bluetooth in the wireless networking policy. CC ID 16443 Establish/Maintain Documentation Preventive
    Secure the Domain Name System. CC ID 00540 Configuration Preventive
    Implement segregation of duties. CC ID 11843
    [Conflicting duties and areas of responsibility should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets. § 6.1.2 Control]
    Technical Security Preventive
    Enforce information flow control. CC ID 11781
    [{data transfer policies} {data transfer procedures} {data transfer controls} Formal transfer policies, procedures and controls should be in place to protect the transfer of information through the use of all types of communication facilities. § 13.2.1 Control]
    Monitor and Evaluate Occurrences Preventive
    Monitor information flows for anomalies. CC ID 16365 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain information flow control configuration standards. CC ID 01924 Establish/Maintain Documentation Preventive
    Restrict traffic or information flow based on the node type. CC ID 16396 Technical Security Preventive
    Restrict traffic or information flow based on the destination address. CC ID 16378 Technical Security Preventive
    Restrict traffic or information flow based on the origination address. CC ID 16484 Technical Security Preventive
    Assign appropriate roles for enabling or disabling information flow controls. CC ID 06760 Establish Roles Preventive
    Require the system to identify and authenticate approved devices before establishing a connection. CC ID 01429 Testing Preventive
    Maintain a record of the challenge state during identification and authentication in an automated information exchange. CC ID 06629 Establish/Maintain Documentation Preventive
    Monitor and report on the organization's interconnectivity risk. CC ID 13172 Monitor and Evaluate Occurrences Detective
    Configure network flow monitoring to organizational standards. CC ID 16364 Configuration Preventive
    Perform content filtering scans on network traffic. CC ID 06761 Monitor and Evaluate Occurrences Detective
    Develop and implement a content filtering word and phrase library. CC ID 07071 Establish/Maintain Documentation Preventive
    Use content filtering scans to identify information flows by data type specification. CC ID 06762 Technical Security Preventive
    Use content filtering scans to identify information flows by data type usage. CC ID 11818 Technical Security Preventive
    Take appropriate action to address information flow anomalies. CC ID 12164 Investigate Corrective
    Document information flow anomalies that do not fit normal traffic patterns. CC ID 12163 Investigate Detective
    Prevent encrypted data from bypassing content filtering mechanisms. CC ID 06758 Technical Security Preventive
    Perform content filtering scans on incoming and outgoing e-mail. CC ID 06733 Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain a data loss prevention solution to protect Access Control Lists. CC ID 12128 Technical Security Preventive
    Establish, implement, and maintain an automated information flow approval process or semi-automated information flow approval process for transmitting or receiving restricted data or restricted information. CC ID 06734 Data and Information Management Detective
    Constrain the information flow of restricted data or restricted information. CC ID 06763 Data and Information Management Preventive
    Quarantine data that fails security tests. CC ID 16500 Data and Information Management Corrective
    Restrict access to restricted data and restricted information on a need to know basis. CC ID 12453 Data and Information Management Preventive
    Prohibit restricted data or restricted information from being sent to mobile devices. CC ID 04725 Data and Information Management Preventive
    Prohibit restricted data or restricted information from being copied or moved absent approval of system boundaries for information flow control. CC ID 06310 Data and Information Management Preventive
    Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410
    [{data transfer policies} {data transfer procedures} {data transfer controls} Formal transfer policies, procedures and controls should be in place to protect the transfer of information through the use of all types of communication facilities. § 13.2.1 Control]
    Establish/Maintain Documentation Preventive
    Define risk tolerance to illicit data flow for each type of information classification. CC ID 01923 Data and Information Management Preventive
    Establish, implement, and maintain a document printing policy. CC ID 14384 Establish/Maintain Documentation Preventive
    Include printing to personal printers during a continuity event in the document printing policy. CC ID 14396 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain information flow procedures. CC ID 04542
    [{data transfer policies} {data transfer procedures} {data transfer controls} Formal transfer policies, procedures and controls should be in place to protect the transfer of information through the use of all types of communication facilities. § 13.2.1 Control]
    Establish/Maintain Documentation Preventive
    Disclose non-privacy related restricted information after a court makes a determination the information is material to a court case. CC ID 06242 Data and Information Management Preventive
    Exchange non-privacy related restricted information with approved third parties if the information supports an approved activity. CC ID 06243 Data and Information Management Preventive
    Establish, implement, and maintain information exchange procedures. CC ID 11782 Establish/Maintain Documentation Preventive
    Perform content sanitization on data-in-transit. CC ID 16512 Data and Information Management Preventive
    Perform content conversion on data-in-transit. CC ID 16510 Data and Information Management Preventive
    Protect data from unauthorized access while transmitting between separate parts of the system. CC ID 16499 Data and Information Management Preventive
    Protect data from modification or loss while transmitting between separate parts of the system. CC ID 04554 Data and Information Management Preventive
    Protect data from unauthorized disclosure while transmitting between separate parts of the system. CC ID 11859 Data and Information Management Preventive
    Log issuers who send personal data in cleartext in the transfer audit log. CC ID 12312 Log Management Preventive
    Review and approve information exchange system connections. CC ID 07143 Technical Security Preventive
    Establish, implement, and maintain measures to detect and prevent the use of unsafe internet services. CC ID 13104 Technical Security Preventive
    Refrain from storing restricted data at unsafe Internet services or virtual servers. CC ID 13107 Technical Security Preventive
    Establish, implement, and maintain whitelists and blacklists of domain names. CC ID 07097 Establish/Maintain Documentation Preventive
    Revoke membership in the whitelist, as necessary. CC ID 13827 Establish/Maintain Documentation Corrective
    Deploy sender policy framework records in the organization's Domain Name Servers. CC ID 12183 Configuration Preventive
    Block uncategorized sites using URL filtering. CC ID 12140 Technical Security Preventive
    Subscribe to a URL categorization service to maintain website category definitions in the URL filter list. CC ID 12139 Technical Security Detective
    Establish, implement, and maintain whitelists and blacklists of web content. CC ID 15234 Data and Information Management Preventive
    Establish, implement, and maintain whitelists and blacklists of software. CC ID 11780 Establish/Maintain Documentation Preventive
    Implement information flow control policies when making decisions about information sharing or collaboration. CC ID 10094 Behavior Preventive
    Control all methods of remote access and teleworking. CC ID 00559
    [A policy and supporting security measures should be implemented to protect information accessed, processed or stored at teleworking sites. § 6.2.2 Control]
    Technical Security Preventive
    Assign virtual escorting to authorized personnel. CC ID 16440 Process or Activity Preventive
    Establish, implement, and maintain a remote access and teleworking program. CC ID 04545
    [A policy and supporting security measures should be implemented to protect information accessed, processed or stored at teleworking sites. § 6.2.2 Control]
    Establish/Maintain Documentation Preventive
    Include information security requirements in the remote access and teleworking program. CC ID 15704 Establish/Maintain Documentation Preventive
    Refrain from allowing remote users to copy files to remote devices. CC ID 06792 Technical Security Preventive
    Control remote administration in accordance with organizational standards. CC ID 04459 Configuration Preventive
    Scan the system to verify modems are disabled or removed, except the modems that are explicitly approved. CC ID 00560 Testing Detective
    Control remote access through a network access control. CC ID 01421 Technical Security Preventive
    Install and maintain remote control software and other remote control mechanisms on critical systems. CC ID 06371 Configuration Preventive
    Prohibit remote access to systems processing cleartext restricted data or restricted information. CC ID 12324 Technical Security Preventive
    Employ multifactor authentication for remote access to the organization's network. CC ID 12505 Technical Security Preventive
    Implement multifactor authentication techniques. CC ID 00561 Configuration Preventive
    Implement phishing-resistant multifactor authentication techniques. CC ID 16541 Technical Security Preventive
    Document and approve requests to bypass multifactor authentication. CC ID 15464 Establish/Maintain Documentation Preventive
    Limit the source addresses from which remote administration is performed. CC ID 16393 Technical Security Preventive
    Protect remote access accounts with encryption. CC ID 00562 Configuration Preventive
    Monitor and evaluate all remote access usage. CC ID 00563 Monitor and Evaluate Occurrences Detective
    Manage the use of encryption controls and cryptographic controls. CC ID 00570
    [Cryptographic controls should be used in compliance with all relevant agreements, legislation and regulations. § 18.1.5 Control]
    Technical Security Preventive
    Comply with the encryption laws of the local country. CC ID 16377 Business Processes Preventive
    Define the cryptographic module security functions and the cryptographic module operational modes. CC ID 06542 Establish/Maintain Documentation Preventive
    Define the cryptographic boundaries. CC ID 06543 Establish/Maintain Documentation Preventive
    Establish and maintain the documentation requirements for cryptographic modules. CC ID 06544 Establish/Maintain Documentation Preventive
    Establish and maintain the security requirements for cryptographic module ports and cryptographic module interfaces. CC ID 06545 Establish/Maintain Documentation Preventive
    Implement the documented cryptographic module security functions. CC ID 06755 Data and Information Management Preventive
    Establish, implement, and maintain documentation for the delivery and operation of cryptographic modules. CC ID 06547 Establish/Maintain Documentation Preventive
    Document the operation of the cryptographic module. CC ID 06546 Establish/Maintain Documentation Preventive
    Employ cryptographic controls that comply with applicable requirements. CC ID 12491 Technical Security Preventive
    Establish, implement, and maintain digital signatures. CC ID 13828 Data and Information Management Preventive
    Include the expiration date in digital signatures. CC ID 13833 Data and Information Management Preventive
    Include audience restrictions in digital signatures. CC ID 13834 Data and Information Management Preventive
    Include the subject in digital signatures. CC ID 13832 Data and Information Management Preventive
    Include the issuer in digital signatures. CC ID 13831 Data and Information Management Preventive
    Include identifiers in the digital signature. CC ID 13829 Data and Information Management Preventive
    Generate and protect a secret random number for each digital signature. CC ID 06577 Establish/Maintain Documentation Preventive
    Establish the security strength requirements for the digital signature process. CC ID 06578 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546
    [A policy on the use of cryptographic controls for protection of information should be developed and implemented. § 10.1.1 Control
    A policy on the use, protection and lifetime of cryptographic keys should be developed and implemented through their whole lifecycle. § 10.1.2 Control]
    Establish/Maintain Documentation Preventive
    Refrain from allowing the use of cleartext for input or output of restricted data or restricted information. CC ID 04823 Configuration Preventive
    Encrypt in scope data or in scope information, as necessary. CC ID 04824 Data and Information Management Preventive
    Digitally sign records and data, as necessary. CC ID 16507 Data and Information Management Preventive
    Make key usage for data fields unique for each device. CC ID 04828 Technical Security Preventive
    Decrypt restricted data for the minimum time required. CC ID 12308 Data and Information Management Preventive
    Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 Data and Information Management Preventive
    Accept only trusted keys and/or certificates. CC ID 11988 Technical Security Preventive
    Establish, implement, and maintain cryptographic key creation domain parameter requirements. CC ID 06575 Data and Information Management Preventive
    Define the asymmetric signature field for the CHUID container on identification cards or badges. CC ID 06584 Process or Activity Preventive
    Implement cryptographic operations and support functions on identification cards or badges. CC ID 06585 Process or Activity Preventive
    Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 Communicate Preventive
    Define the format of the biometric data on identification cards or badges. CC ID 06586 Process or Activity Preventive
    Protect salt values and hash values in accordance with organizational standards. CC ID 16471 Data and Information Management Preventive
    Provide guidance to customers on how to securely transmit, store, and update cryptographic keys. CC ID 12040 Establish/Maintain Documentation Preventive
    Disseminate and communicate the encryption management procedures to all interested personnel and affected parties. CC ID 15477 Communicate Preventive
    Establish, implement, and maintain encryption management procedures. CC ID 15475 Establish/Maintain Documentation Preventive
    Define and assign cryptographic, encryption and key management roles and responsibilities. CC ID 15470 Establish Roles Preventive
    Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 Establish/Maintain Documentation Preventive
    Disseminate and communicate cryptographic key management procedures to interested personnel and affected parties. CC ID 13164 Communicate Preventive
    Bind keys to each identity. CC ID 12337 Technical Security Preventive
    Include recommended cryptographic key management procedures for cloud service providers in the cryptographic key management procedures. CC ID 13152 Establish/Maintain Documentation Preventive
    Include requesting cryptographic key types in the cryptographic key management procedures. CC ID 13151 Establish/Maintain Documentation Preventive
    Recover encrypted data for lost cryptographic keys, compromised cryptographic keys, or damaged cryptographic keys. CC ID 01301 Data and Information Management Preventive
    Generate strong cryptographic keys. CC ID 01299 Data and Information Management Preventive
    Generate unique cryptographic keys for each user. CC ID 12169 Technical Security Preventive
    Use approved random number generators for creating cryptographic keys. CC ID 06574 Data and Information Management Preventive
    Implement decryption keys so that they are not linked to user accounts. CC ID 06851 Technical Security Preventive
    Include the establishment of cryptographic keys in the cryptographic key management procedures. CC ID 06540 Establish/Maintain Documentation Preventive
    Disseminate and communicate cryptographic keys securely. CC ID 01300 Data and Information Management Preventive
    Control the input and output of cryptographic keys from a cryptographic module. CC ID 06541 Data and Information Management Preventive
    Store cryptographic keys securely. CC ID 01298 Data and Information Management Preventive
    Restrict access to cryptographic keys. CC ID 01297 Data and Information Management Preventive
    Store cryptographic keys in encrypted format. CC ID 06084 Data and Information Management Preventive
    Store key-encrypting keys and data-encrypting keys in different locations. CC ID 06085 Technical Security Preventive
    Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 Establish/Maintain Documentation Preventive
    Change cryptographic keys in accordance with organizational standards. CC ID 01302 Data and Information Management Preventive
    Destroy cryptographic keys promptly after the retention period. CC ID 01303 Data and Information Management Preventive
    Control cryptographic keys with split knowledge and dual control. CC ID 01304 Data and Information Management Preventive
    Prevent the unauthorized substitution of cryptographic keys. CC ID 01305 Data and Information Management Preventive
    Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys. CC ID 06852 Technical Security Preventive
    Revoke old cryptographic keys or invalid cryptographic keys immediately. CC ID 01307 Data and Information Management Corrective
    Replace known or suspected compromised cryptographic keys immediately. CC ID 01306 Data and Information Management Corrective
    Archive outdated cryptographic keys. CC ID 06884 Data and Information Management Preventive
    Archive revoked cryptographic keys. CC ID 11819 Data and Information Management Preventive
    Require key custodians to sign the cryptographic key management policy. CC ID 01308 Establish/Maintain Documentation Preventive
    Require key custodians to sign the key custodian's roles and responsibilities. CC ID 11820 Human Resources Management Preventive
    Test cryptographic key management applications, as necessary. CC ID 04829 Testing Detective
    Manage the digital signature cryptographic key pair. CC ID 06576 Data and Information Management Preventive
    Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates. CC ID 06587 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Public Key certificate application procedures. CC ID 07079 Establish/Maintain Documentation Preventive
    Establish a Registration Authority to support the Public Key Infrastructure. CC ID 15725 Establish Roles Preventive
    Include the Identification and Authentication of individuals or entities in the Public Key certificate application procedures. CC ID 07080 Establish/Maintain Documentation Preventive
    Include approving or rejecting Public Key certificate applications in the Public Key certificate application procedure. CC ID 07081 Establish/Maintain Documentation Preventive
    Include revocation of Public Key certificates in the Public Key certificate procedures. CC ID 07082 Establish/Maintain Documentation Preventive
    Publish revoked Public Key certificates in the Certificate Revocation List. CC ID 07089 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Public Key renewal or rekeying request procedures. CC ID 07083 Establish/Maintain Documentation Preventive
    Include identification and authentication in Public Key renewal or rekeying request procedures. CC ID 11816 Establish/Maintain Documentation Preventive
    Issue authentication mechanisms that support the Public Key Infrastructure. CC ID 07092 Technical Security Preventive
    Establish a Root Certification Authority to support the Public Key Infrastructure. CC ID 07084 Technical Security Preventive
    Establish, implement, and maintain Public Key certificate procedures. CC ID 07085 Establish/Maintain Documentation Preventive
    Include signing and issuing Public Key certificates in the Public Key certificate procedures. CC ID 11817 Establish/Maintain Documentation Preventive
    Include publishing Public Key certificates in the Public Key certificate procedures. CC ID 07087 Establish/Maintain Documentation Preventive
    Include access to issued Public Key certificates in the Public Key certificate procedures. CC ID 07086 Establish/Maintain Documentation Preventive
    Connect the Public Key Infrastructure to the organization's identity and access management system. CC ID 07091 Technical Security Preventive
    Archive Public Key certificate records according to organizational Records Management rules. CC ID 07090 Records Management Preventive
    Refrain from storing encryption keys with cloud service providers when cryptographic key management services are in place locally. CC ID 13153 Technical Security Preventive
    Refrain from permitting cloud service providers to manage encryption keys when cryptographic key management services are in place locally. CC ID 13154 Technical Security Preventive
    Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564 Technical Security Preventive
    Ensure restricted data or restricted information are encrypted prior to or at the time of transmission. CC ID 01749 Configuration Preventive
    Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 Technical Security Preventive
    Encrypt traffic over networks with trusted cryptographic keys. CC ID 12490 Technical Security Preventive
    Authorize transactions of data transmitted over public networks or shared data networks. CC ID 00566 Establish/Maintain Documentation Preventive
    Implement non-repudiation for transactions. CC ID 00567 Testing Detective
    Treat data messages that do not receive an acknowledgment as never been sent. CC ID 14416 Technical Security Preventive
    Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 Technical Security Preventive
    Protect application services information transmitted over a public network from unauthorized modification. CC ID 12021
    [{unauthorized modification} Information involved in application services passing over public networks should be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. § 14.1.2 Control]
    Technical Security Preventive
    Protect application services information transmitted over a public network from unauthorized disclosure. CC ID 12020
    [{unauthorized modification} Information involved in application services passing over public networks should be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. § 14.1.2 Control]
    Technical Security Preventive
    Protect application services information transmitted over a public network from contract disputes. CC ID 12019
    [{unauthorized modification} Information involved in application services passing over public networks should be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. § 14.1.2 Control]
    Technical Security Preventive
    Protect application services information transmitted over a public network from fraudulent activity. CC ID 12018
    [{unauthorized modification} Information involved in application services passing over public networks should be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. § 14.1.2 Control]
    Technical Security Preventive
    Establish, implement, and maintain a malicious code protection program. CC ID 00574 Establish/Maintain Documentation Preventive
    Install security and protection software, as necessary. CC ID 00575
    [{detection controls} {prevention controls} Detection, prevention and recovery controls to protect against malware should be implemented, combined with appropriate user awareness. § 12.2.1 Control
    {detection controls} {prevention controls} Detection, prevention and recovery controls to protect against malware should be implemented, combined with appropriate user awareness. § 12.2.1 Control
    {detection controls} {prevention controls} Detection, prevention and recovery controls to protect against malware should be implemented, combined with appropriate user awareness. § 12.2.1 Control]
    Configuration Preventive
    Install and maintain container security solutions. CC ID 16178 Technical Security Preventive
  • Third Party and supply chain oversight
    87
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Third Party and supply chain oversight CC ID 08807 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a supply chain management program. CC ID 11742 Establish/Maintain Documentation Preventive
    Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794
    [All relevant information security requirements should be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization’s information. § 15.1.2 Control]
    Process or Activity Detective
    Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 Establish/Maintain Documentation Preventive
    Include a description of the product or service to be provided in third party contracts. CC ID 06509 Establish/Maintain Documentation Preventive
    Include a description of the products or services fees in third party contracts. CC ID 10018 Establish/Maintain Documentation Preventive
    Include which parties are responsible for which fees in third party contracts. CC ID 10019 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543
    [{information flow agreement} {establish} Agreements should address the secure transfer of business information between the organization and external parties. § 13.2.2 Control]
    Establish/Maintain Documentation Preventive
    Include the type of information being transmitted in the information flow agreement. CC ID 14245 Establish/Maintain Documentation Preventive
    Include the security requirements in the information flow agreement. CC ID 14244 Establish/Maintain Documentation Preventive
    Include the interface characteristics in the information flow agreement. CC ID 14240 Establish/Maintain Documentation Preventive
    Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528 Establish/Maintain Documentation Preventive
    Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 Establish/Maintain Documentation Preventive
    Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 Establish/Maintain Documentation Preventive
    Include a description of the data or information to be covered in third party contracts. CC ID 06510 Establish/Maintain Documentation Preventive
    Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610
    [All relevant information security requirements should be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization’s information. § 15.1.2 Control]
    Business Processes Preventive
    Include text about data ownership in third party contracts. CC ID 06502 Establish/Maintain Documentation Preventive
    Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 Establish/Maintain Documentation Preventive
    Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 Establish/Maintain Documentation Preventive
    Include the contract duration in third party contracts. CC ID 16221 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in third party contracts. CC ID 13487 Establish/Maintain Documentation Preventive
    Include cryptographic keys in third party contracts. CC ID 16179 Establish/Maintain Documentation Preventive
    Include bankruptcy provisions in third party contracts. CC ID 16519 Establish/Maintain Documentation Preventive
    Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 Establish/Maintain Documentation Preventive
    Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506
    [Information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets should be agreed with the supplier and documented. § 15.1.1 Control]
    Establish/Maintain Documentation Preventive
    Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 Establish/Maintain Documentation Preventive
    Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 Establish/Maintain Documentation Preventive
    Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 Establish/Maintain Documentation Preventive
    Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 Establish/Maintain Documentation Preventive
    Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 Establish/Maintain Documentation Preventive
    Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 Establish/Maintain Documentation Preventive
    Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 Establish/Maintain Documentation Preventive
    Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 Establish/Maintain Documentation Preventive
    Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 Establish/Maintain Documentation Preventive
    Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 Establish/Maintain Documentation Preventive
    Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 Establish/Maintain Documentation Preventive
    Include a reporting structure in third party contracts. CC ID 06532 Establish/Maintain Documentation Preventive
    Include points of contact in third party contracts. CC ID 12355 Establish/Maintain Documentation Preventive
    Include financial reporting in third party contracts, as necessary. CC ID 13573 Establish/Maintain Documentation Preventive
    Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 Establish/Maintain Documentation Preventive
    Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 Establish/Maintain Documentation Preventive
    Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 Establish/Maintain Documentation Preventive
    Include training requirements in third party contracts. CC ID 16367 Acquisition/Sale of Assets or Services Preventive
    Include an indemnification and liability clause in third party contracts. CC ID 06517 Establish/Maintain Documentation Preventive
    Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 Establish/Maintain Documentation Preventive
    Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 Establish/Maintain Documentation Preventive
    Include text regarding foreign-based third parties in third party contracts. CC ID 06722 Establish/Maintain Documentation Preventive
    Include change control clauses in third party contracts, as necessary. CC ID 06523
    [Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, should be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks. § 15.2.2 Control]
    Establish/Maintain Documentation Preventive
    Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 Establish/Maintain Documentation Preventive
    Include triggers for renegotiating the contract in third party contracts. CC ID 06527 Establish/Maintain Documentation Preventive
    Include change control notification processes in third party contracts. CC ID 06524 Establish/Maintain Documentation Preventive
    Include cost structure changes in third party contracts. CC ID 10021 Establish/Maintain Documentation Preventive
    Include a choice of venue clause in third party contracts. CC ID 06520 Establish/Maintain Documentation Preventive
    Include a dispute resolution clause in third party contracts. CC ID 06519 Establish/Maintain Documentation Preventive
    Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 Establish/Maintain Documentation Preventive
    Include a termination provision clause in third party contracts. CC ID 01367 Establish/Maintain Documentation Detective
    Include early termination contingency plans in the third party contracts. CC ID 06526 Establish/Maintain Documentation Preventive
    Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 Establish/Maintain Documentation Preventive
    Include termination costs in third party contracts. CC ID 10023 Establish/Maintain Documentation Preventive
    Include text about obtaining adequate insurance in third party contracts. CC ID 06880 Establish/Maintain Documentation Preventive
    Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 Establish/Maintain Documentation Preventive
    Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 Establish/Maintain Documentation Preventive
    Include end-of-life information in third party contracts. CC ID 15265 Establish/Maintain Documentation Preventive
    Include third party requirements for personnel security in third party contracts. CC ID 00790 Testing Detective
    Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791 Establish/Maintain Documentation Preventive
    Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 Testing Detective
    Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 Testing Detective
    Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 Establish/Maintain Documentation Preventive
    Establish the third party's service continuity. CC ID 00797 Testing Detective
    Determine the adequacy of a third party's alternate site preparations. CC ID 06879 Testing Detective
    Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 Data and Information Management Detective
    Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 Testing Detective
    Include disclosure requirements in third party contracts. CC ID 08825 Business Processes Preventive
    Include requirements for alternate processing facilities in third party contracts. CC ID 13059 Establish/Maintain Documentation Preventive
    Include risk management procedures in the supply chain management policy. CC ID 08811 Establish/Maintain Documentation Preventive
    Perform risk assessments of third parties, as necessary. CC ID 06454 Testing Detective
    Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029
    [Information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets should be agreed with the supplier and documented. § 15.1.1 Control
    Agreements with suppliers should include requirements to address the information security risks associated with information and communications technology services and product supply chain. § 15.1.3 Control]
    Establish/Maintain Documentation Preventive
    Conduct all parts of the supply chain due diligence process. CC ID 08854 Business Processes Preventive
    Assess third parties' compliance environment during due diligence. CC ID 13134 Process or Activity Detective
    Request attestation of compliance from third parties. CC ID 12067 Establish/Maintain Documentation Detective
    Validate the third parties' compliance to organizationally mandated compliance requirements. CC ID 08819
    [Organizations should regularly monitor, review and audit supplier service delivery. § 15.2.1 Control]
    Business Processes Preventive
    Assess the effectiveness of third party services provided to the organization. CC ID 13142 Business Processes Detective
    Monitor third parties for performance and effectiveness, as necessary. CC ID 00799
    [Organizations should regularly monitor, review and audit supplier service delivery. § 15.2.1 Control]
    Monitor and Evaluate Occurrences Detective
    Monitor third parties' financial conditions. CC ID 13170 Monitor and Evaluate Occurrences Detective
    Review the supply chain's service delivery on a regular basis. CC ID 12010
    [Organizations should regularly monitor, review and audit supplier service delivery. § 15.2.1 Control]
    Business Processes Preventive
Common Controls and
mandates by Type
160 Mandated Controls - bold    
127 Implied Controls - italic     2508 Implementation

Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.

Number of Controls
2795 Total
  • Acquisition/Sale of Assets or Services
    6
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 Operational and Systems Continuity Preventive
    Transfer legal ownership of assets when the system is redeployed to a third party. CC ID 06698 Operational management Preventive
    Acquire spare parts prior to when maintenance requests are scheduled. CC ID 11833 Operational management Preventive
    Acquire products or services. CC ID 11450 Acquisition or sale of facilities, technology, and services Preventive
    Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 Privacy protection for information and data Preventive
    Include training requirements in third party contracts. CC ID 16367 Third Party and supply chain oversight Preventive
  • Actionable Reports or Measurements
    2
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Monitor and evaluate system telemetry data. CC ID 14929 Monitoring and measurement Detective
    Measure policy compliance when reviewing the internal control framework. CC ID 06442
    [{security standards} Managers should regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. § 18.2.2 Control
    {security standards} Managers should regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. § 18.2.2 Control]
    Operational management Corrective
  • Audits and Risk Management
    12
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Address operational anomalies within the incident management system. CC ID 11633 Monitoring and measurement Preventive
    Incorporate an Identity Theft Prevention Program into the organization's incident management system. CC ID 11634 Monitoring and measurement Preventive
    Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424 Monitoring and measurement Preventive
    Include third party assets in the audit scope. CC ID 16504 Audits and risk management Preventive
    Determine the appropriateness of the audit subject matter. CC ID 16505 Audits and risk management Preventive
    Include the in scope material or in scope products in the audit program. CC ID 08961 Audits and risk management Preventive
    Include the date of the audit in the representation letter. CC ID 16517 Audits and risk management Preventive
    Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 Audits and risk management Preventive
    Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 Audits and risk management Preventive
    Analyze and quantify the risks to in scope systems and information. CC ID 00701 Audits and risk management Preventive
    Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 Audits and risk management Preventive
    Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467
    [{technical vulnerabilities} Information about technical vulnerabilities of information systems being used should be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk. § 12.6.1 Control]
    Audits and risk management Detective
  • Behavior
    88
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Protect each person's right to privacy and civil liberties during intrusion management operations. CC ID 10035 Monitoring and measurement Preventive
    Do not intercept communications of any kind when providing a service to clients. CC ID 09985 Monitoring and measurement Preventive
    Establish, implement, and maintain a testing program. CC ID 00654 Monitoring and measurement Preventive
    Exercise due professional care during the planning and performance of the audit. CC ID 07119
    [Audit requirements and activities involving verification of operational systems should be carefully planned and agreed to minimize disruptions to business processes. § 12.7.1 Control]
    Audits and risk management Preventive
    Revoke asset access when a personnel status change occurs or an individual is terminated. CC ID 00516 Technical security Corrective
    Review and update accounts and access rights when notified of personnel status changes. CC ID 00788
    [The access rights of all employees and external party users to information and information processing facilities should be removed upon termination of their employment, contract or agreement, or adjusted upon change. § 9.2.6 Control]
    Technical security Corrective
    Implement information flow control policies when making decisions about information sharing or collaboration. CC ID 10094 Technical security Preventive
    Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 Physical and environmental protection Preventive
    Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 Physical and environmental protection Preventive
    Manage constituent identification inside the facility. CC ID 02215 Physical and environmental protection Preventive
    Issue visitor identification badges to all non-employees. CC ID 00543 Physical and environmental protection Preventive
    Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 Physical and environmental protection Preventive
    Require all visitors to sign out of the visitor log before the exit of a visitor from the facility. CC ID 06649 Physical and environmental protection Preventive
    Refrain from search and seizure inside organizational facilities absent a warrant. CC ID 09980 Physical and environmental protection Preventive
    Disallow either search or seizure of any person inside organizational facilities absent a warrant. CC ID 09981 Physical and environmental protection Preventive
    Disallow inspecting computers or searching computer records inside organizational facilities absent a warrant. CC ID 09983 Physical and environmental protection Preventive
    Do nothing to help during a search and seizure inside organizational facilities absent a warrant and being legally compelled to assist. CC ID 09984 Physical and environmental protection Preventive
    Require the return of all assets upon notification an individual is terminated. CC ID 06679
    [{require} All employees and external party users should return all of the organizational assets in their possession upon termination of their employment, contract or agreement. § 8.1.4 Control]
    Physical and environmental protection Preventive
    Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 Operational and Systems Continuity Preventive
    Notify all interested personnel and affected parties when personnel status changes or an individual is terminated. CC ID 06677 Human Resources management Preventive
    Disseminate and communicate the personnel status change and termination procedures to all interested personnel and affected parties. CC ID 06676 Human Resources management Preventive
    Train all personnel and third parties, as necessary. CC ID 00785
    [{security awareness, training, and education} All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function. § 7.2.2 Control
    {security awareness, training, and education} All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function. § 7.2.2 Control]
    Human Resources management Preventive
    Retrain all personnel, as necessary. CC ID 01362
    [{security awareness, training, and education} All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function. § 7.2.2 Control
    {security awareness, training, and education} All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function. § 7.2.2 Control]
    Human Resources management Preventive
    Tailor training to meet published guidance on the subject being taught. CC ID 02217 Human Resources management Preventive
    Tailor training to be taught at each person's level of responsibility. CC ID 06674 Human Resources management Preventive
    Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 Human Resources management Preventive
    Use automated mechanisms in the training environment, where appropriate. CC ID 06752 Human Resources management Preventive
    Conduct Archives and Records Management training. CC ID 00975 Human Resources management Preventive
    Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 Human Resources management Preventive
    Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211
    [Employees and contractors using the organization’s information systems and services should be required to note and report any observed or suspected information security weaknesses in systems or services. § 16.1.3 Control]
    Human Resources management Preventive
    Conduct secure coding and development training for developers. CC ID 06822 Human Resources management Corrective
    Conduct crime prevention training. CC ID 06350 Human Resources management Preventive
    Implement a sanctions process for personnel who fail to comply to the organizational compliance program. CC ID 01442
    [{implement} There should be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach. § 7.2.3 Control]
    Human Resources management Corrective
    Notify interested personnel and affected parties prior to when the system is redeployed or the system is disposed. CC ID 06400 Operational management Preventive
    Maintain contact with the device manufacturer or component manufacturer for maintenance requests. CC ID 06388 Operational management Preventive
    Respond to maintenance requests inside the organizationally established time frame. CC ID 04878 Operational management Preventive
    Perform periodic maintenance according to organizational standards. CC ID 01435 Operational management Preventive
    Maintain contact with breach notification organizations for notification purposes in the event a privacy breach has occurred. CC ID 01213
    [Appropriate contacts with relevant authorities should be maintained. § 6.1.3 Control]
    Operational management Preventive
    Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 Operational management Preventive
    Disseminate and communicate software update information to users and regulators. CC ID 06602 Operational management Preventive
    Notify affected parties to keep authenticators confidential. CC ID 06787 System hardening through configuration management Preventive
    Discourage affected parties from recording authenticators. CC ID 06788 System hardening through configuration management Preventive
    Train the affected users during system development life cycle projects. CC ID 01091 Systems design, build, and implementation Preventive
    Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383 Privacy protection for information and data Preventive
    Notify interested personnel and affected parties when changes are made to the privacy policy. CC ID 06943 Privacy protection for information and data Preventive
    Notify the supervisory authority. CC ID 00472 Privacy protection for information and data Preventive
    Notify the data subject of the collection purpose. CC ID 00095 Privacy protection for information and data Preventive
    Notify the data subject of the consequences for not providing personal data. CC ID 00104 Privacy protection for information and data Preventive
    Notify the data subject of changes to personal data use. CC ID 00105 Privacy protection for information and data Preventive
    Obtain the data subject's consent when the personal data use changes. CC ID 11832 Privacy protection for information and data Preventive
    Respond to data access requests in a timely manner. CC ID 00421 Privacy protection for information and data Preventive
    Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 Privacy protection for information and data Detective
    Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 Privacy protection for information and data Detective
    Notify the data subject after personal data is used or disclosed. CC ID 06247 Privacy protection for information and data Preventive
    Notify the individual before restricted data is collected, used, or disclosed. CC ID 00132 Privacy protection for information and data Preventive
    Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 Privacy protection for information and data Preventive
    Notify the data subject of the source of collected personal data. CC ID 00083 Privacy protection for information and data Preventive
    Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069 Privacy protection for information and data Preventive
    Use simple understandable language to collect information from children. CC ID 00039 Privacy protection for information and data Preventive
    Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 Privacy protection for information and data Detective
    Notify data subjects when their personal data is transferred. CC ID 00352 Privacy protection for information and data Preventive
    Follow the instructions of the data transferrer. CC ID 00334 Privacy protection for information and data Preventive
    Notify the data subject of any personal data changes during the personal data transfer. CC ID 00350 Privacy protection for information and data Preventive
    Define the behaviors and actions that are included in privacy rights violations. CC ID 14852 Privacy protection for information and data Preventive
    Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478 Privacy protection for information and data Corrective
    File privacy rights violation complaints inside the mandate stipulated from the refusal. CC ID 00479 Privacy protection for information and data Corrective
    Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 Privacy protection for information and data Corrective
    Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466 Privacy protection for information and data Corrective
    Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 Privacy protection for information and data Corrective
    Investigate privacy rights violation complaints. CC ID 00480 Privacy protection for information and data Detective
    Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491 Privacy protection for information and data Detective
    Investigate privacy rights violation complaints in private. CC ID 00492 Privacy protection for information and data Detective
    Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493 Privacy protection for information and data Detective
    Allow the complainant to appear before the commissioner and make a submission, orally or in writing, about the privacy rights violation complaint investigation prior to an adverse decision to the complainant is reached. CC ID 00494 Privacy protection for information and data Detective
    Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481 Privacy protection for information and data Preventive
    Determine not to investigate privacy rights violation complaints under certain conditions. CC ID 00482 Privacy protection for information and data Preventive
    Refrain from investigating a privacy rights violation complaint when the act or practice does not interfere with an individual's privacy. CC ID 00483 Privacy protection for information and data Preventive
    Refrain from investigating a privacy rights violation complaint when the complaint is created outside the stipulated time frame after the complainant became aware of it. CC ID 00484 Privacy protection for information and data Preventive
    Refrain from investigating a privacy rights violation complaint when the complaint is frivolous, vexatious, misconceived, or lacking in substance. CC ID 00485 Privacy protection for information and data Preventive
    Refrain from investigating a privacy rights violation complaint if the act or practice is subject to an application under another commonwealth law, state law, or territory law, and the complaint was or is being dealt with adequately under the law. CC ID 00486 Privacy protection for information and data Preventive
    Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487 Privacy protection for information and data Preventive
    Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488 Privacy protection for information and data Preventive
    Defer privacy rights violation complaint investigations when the Privacy Commissioner believes the data subject's interests would not be affected if the investigation or further investigation were deferred until the application was disposed of. CC ID 00489 Privacy protection for information and data Preventive
    Respond to an investigative report in regards to a privacy rights violation complaint. CC ID 00496 Privacy protection for information and data Corrective
    Order the organization to change to be in compliance with applicable law. CC ID 00499 Privacy protection for information and data Corrective
    Order the organization to publish a notice with the corrections or actions taken. CC ID 00500 Privacy protection for information and data Corrective
    Award damages based on applicable law. CC ID 00501 Privacy protection for information and data Corrective
    Notify the public and other agencies after a penalty becomes final. CC ID 06217 Privacy protection for information and data Preventive
  • Business Processes
    84
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Review the organization's approach to managing information security, as necessary. CC ID 12005
    [The organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) should be reviewed independently at planned intervals or when significant changes occur. § 18.2.1 Control]
    Leadership and high level objectives Preventive
    Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688
    [Assets associated with information and information processing facilities should be identified and an inventory of these assets should be drawn up and maintained. § 8.1.1 Control
    All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements should be explicitly identified, documented and kept up to date for each information system and the organization. § 18.1.1 Control
    All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements should be explicitly identified, documented and kept up to date for each information system and the organization. § 18.1.1 Control]
    Leadership and high level objectives Preventive
    Comply with the encryption laws of the local country. CC ID 16377 Technical security Preventive
    Include an appeal process in the identification issuance procedures. CC ID 15428 Physical and environmental protection Preventive
    Disallow copying or excerpting from documents, books, or records that are on or in the premises of an organizational facility absent a warrant. CC ID 09982 Physical and environmental protection Preventive
    Transport restricted media using a delivery method that can be tracked. CC ID 11777 Physical and environmental protection Preventive
    Require users to refrain from leaving mobile devices unattended. CC ID 16446 Physical and environmental protection Preventive
    Establish, implement, and maintain an education methodology. CC ID 06671 Human Resources management Preventive
    Establish, implement, and maintain future system capacity forecasting methods. CC ID 01617
    [The use of resources should be monitored, tuned and projections made of future capacity requirements to ensure the required system performance. § 12.1.3 Control]
    Operational management Preventive
    Align critical Information Technology resource availability planning with capacity planning. CC ID 01618 Operational management Preventive
    Align the information security policy with the organization's risk acceptance level. CC ID 13042 Operational management Preventive
    Establish, implement, and maintain information security procedures. CC ID 12006 Operational management Preventive
    Establish, implement, and maintain information sharing agreements. CC ID 15645 Operational management Preventive
    Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 Operational management Preventive
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Operational management Preventive
    Review systems for compliance with organizational information security policies. CC ID 12004
    [{information security standard} Information systems should be regularly reviewed for compliance with the organization’s information security policies and standards. § 18.2.3 Control]
    Operational management Preventive
    Establish, implement, and maintain an Asset Management program. CC ID 06630
    [Procedures for handling assets should be developed and implemented in accordance with the information classification scheme adopted by the organization. § 8.2.3 Control]
    Operational management Preventive
    Include coordination amongst entities in the asset management policy. CC ID 16424 Operational management Preventive
    Define and prioritize the importance of each asset in the asset management program. CC ID 16837 Operational management Preventive
    Establish, implement, and maintain administrative controls over all assets. CC ID 16400 Operational management Preventive
    Classify virtual systems by type and purpose. CC ID 16332 Operational management Preventive
    Establish, implement, and maintain an asset inventory. CC ID 06631 Operational management Preventive
    Destroy systems in accordance with the system disposal program. CC ID 16457 Operational management Preventive
    Approve the release of systems and waste material into the public domain. CC ID 16461 Operational management Preventive
    Obtain approval before removing maintenance tools from the facility. CC ID 14298 Operational management Preventive
    Disassemble and shut down unnecessary systems or unused systems. CC ID 06280 Operational management Preventive
    Dispose of hardware and software at their life cycle end. CC ID 06278 Operational management Preventive
    Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200 Operational management Preventive
    Remove asset tags prior to disposal of an asset. CC ID 12198 Operational management Preventive
    Establish, implement, and maintain an Incident Management program. CC ID 00853 Operational management Preventive
    Establish, implement, and maintain rate limiting filters. CC ID 06883 Operational management Preventive
    Manage change requests. CC ID 00887
    [Modifications to software packages should be discouraged, limited to necessary changes and all changes should be strictly controlled. § 14.2.4 Control]
    Operational management Preventive
    Examine all changes to ensure they correspond with the change request. CC ID 12345
    [Modifications to software packages should be discouraged, limited to necessary changes and all changes should be strictly controlled. § 14.2.4 Control]
    Operational management Detective
    Implement changes according to the change control program. CC ID 11776 Operational management Preventive
    Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 Operational management Preventive
    Mitigate the adverse effects of unauthorized changes. CC ID 12244 Operational management Corrective
    Change the authenticator for shared accounts when the group membership changes. CC ID 14249 System hardening through configuration management Corrective
    Supervise media destruction in accordance with organizational standards. CC ID 16456 Records management Preventive
    Use approved media sanitization equipment for destruction. CC ID 16459 Records management Preventive
    Establish, implement, and maintain payment and settlement functions for selling products and services. CC ID 13538 Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain an electronic commerce program. CC ID 08617 Acquisition or sale of facilities, technology, and services Preventive
    Protect the integrity of application service transactions. CC ID 12017
    [Information involved in application service transactions should be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. § 14.1.3 Control]
    Acquisition or sale of facilities, technology, and services Preventive
    Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 Privacy protection for information and data Preventive
    Provide the data subject with the data protection officer's contact information. CC ID 12573 Privacy protection for information and data Preventive
    Approve the privacy plan. CC ID 14700 Privacy protection for information and data Preventive
    Protect private communications in keeping with compliance requirements. CC ID 14334 Privacy protection for information and data Preventive
    Refrain from charging a fee to implement an opt-out request. CC ID 13877 Privacy protection for information and data Preventive
    Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781 Privacy protection for information and data Preventive
    Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 Privacy protection for information and data Preventive
    Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 Privacy protection for information and data Preventive
    Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 Privacy protection for information and data Preventive
    Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 Privacy protection for information and data Preventive
    Allow consent requests to be provided in any official languages. CC ID 16530 Privacy protection for information and data Preventive
    Define the requirements for approving or denying approval applications. CC ID 16780 Privacy protection for information and data Preventive
    Extend the time limit for approving or denying approval applications. CC ID 16779 Privacy protection for information and data Preventive
    Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 Privacy protection for information and data Preventive
    Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 Privacy protection for information and data Preventive
    Refrain from erasing personal data when the data subject consents to retention. CC ID 14326 Privacy protection for information and data Preventive
    Refrain from processing personal data when it reveals trade union membership. CC ID 12583 Privacy protection for information and data Preventive
    Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 Privacy protection for information and data Preventive
    Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 Privacy protection for information and data Preventive
    Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 Privacy protection for information and data Preventive
    Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 Privacy protection for information and data Preventive
    Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 Privacy protection for information and data Preventive
    Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 Privacy protection for information and data Preventive
    Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 Privacy protection for information and data Preventive
    Refrain from processing personal data when it reveals political opinions. CC ID 12575 Privacy protection for information and data Preventive
    Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 Privacy protection for information and data Preventive
    Refrain from processing personal data for marketing or advertising to children. CC ID 14010 Privacy protection for information and data Preventive
    Dispose of personal data removal requests, as necessary. CC ID 13512 Privacy protection for information and data Preventive
    Determine the financial impact for the unauthorized disclosure of privacy-related data and privacy-related information. CC ID 06488 Privacy protection for information and data Detective
    Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 Privacy protection for information and data Preventive
    Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 Privacy protection for information and data Preventive
    Refrain from requiring independent recourse mechanisms when transferring personal data from one data controller to another data controller. CC ID 12528 Privacy protection for information and data Preventive
    Refrain from requiring a contract between the data controller and trusted third parties when personal information is transferred. CC ID 12527 Privacy protection for information and data Preventive
    Include the type of information to be collected in the privacy impact assessment. CC ID 15513 Privacy protection for information and data Preventive
    Refrain from charging a fee to file a privacy rights violation complaint. CC ID 16807 Privacy protection for information and data Preventive
    Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364 Privacy protection for information and data Corrective
    Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610
    [All relevant information security requirements should be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization’s information. § 15.1.2 Control]
    Third Party and supply chain oversight Preventive
    Include disclosure requirements in third party contracts. CC ID 08825 Third Party and supply chain oversight Preventive
    Conduct all parts of the supply chain due diligence process. CC ID 08854 Third Party and supply chain oversight Preventive
    Validate the third parties' compliance to organizationally mandated compliance requirements. CC ID 08819
    [Organizations should regularly monitor, review and audit supplier service delivery. § 15.2.1 Control]
    Third Party and supply chain oversight Preventive
    Assess the effectiveness of third party services provided to the organization. CC ID 13142 Third Party and supply chain oversight Detective
    Review the supply chain's service delivery on a regular basis. CC ID 12010
    [Organizations should regularly monitor, review and audit supplier service delivery. § 15.2.1 Control]
    Third Party and supply chain oversight Preventive
  • Communicate
    109
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 Leadership and high level objectives Preventive
    Disseminate and communicate the audit and accountability policy to interested personnel and affected parties. CC ID 14095 Monitoring and measurement Preventive
    Disseminate and communicate the audit and accountability procedures to interested personnel and affected parties. CC ID 14137 Monitoring and measurement Preventive
    Disseminate and communicate information to customers about clock synchronization methods used by the organization. CC ID 13044 Monitoring and measurement Preventive
    Disseminate and communicate monitoring capabilities with interested personnel and affected parties. CC ID 13156 Monitoring and measurement Preventive
    Disseminate and communicate statistics on resource usage with interested personnel and affected parties. CC ID 13155 Monitoring and measurement Preventive
    Notify the appropriate personnel after identifying dormant accounts. CC ID 12125 Monitoring and measurement Detective
    Report inappropriate usage of user accounts to the appropriate personnel. CC ID 14243 Monitoring and measurement Detective
    Include the scope for the desired level of assurance in the audit program. CC ID 12793 Audits and risk management Preventive
    Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 Technical security Corrective
    Notify interested personnel when user accounts are added or deleted. CC ID 14327 Technical security Detective
    Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 Technical security Preventive
    Disseminate and communicate the access control procedures to all interested personnel and affected parties. CC ID 14123 Technical security Corrective
    Disseminate and communicate the network security policy to interested personnel and affected parties. CC ID 14199 Technical security Preventive
    Disseminate and communicate the system and communications protection procedures to interested personnel and affected parties. CC ID 14206 Technical security Preventive
    Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 Technical security Preventive
    Disseminate and communicate the encryption management procedures to all interested personnel and affected parties. CC ID 15477 Technical security Preventive
    Disseminate and communicate cryptographic key management procedures to interested personnel and affected parties. CC ID 13164 Technical security Preventive
    Post floor plans of critical facilities in secure locations. CC ID 16138 Physical and environmental protection Preventive
    Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 Physical and environmental protection Preventive
    Notify interested personnel and affected parties when water is detected in the vicinity of information systems. CC ID 14252 Physical and environmental protection Preventive
    Report changes in the continuity plan to senior management. CC ID 12757 Operational and Systems Continuity Corrective
    Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 Operational and Systems Continuity Preventive
    Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 Operational and Systems Continuity Preventive
    Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 Operational and Systems Continuity Preventive
    Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 Operational and Systems Continuity Preventive
    Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 Operational and Systems Continuity Preventive
    Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630
    [Information security responsibilities and duties that remain valid after termination or change of employment should be defined, communicated to the employee or contractor and enforced. § 7.3.1 Control]
    Human Resources management Preventive
    Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 Human Resources management Preventive
    Notify designated personnel when a formal personnel sanctions process is initiated. CC ID 10632 Human Resources management Preventive
    Share security information with interested personnel and affected parties. CC ID 11732
    [Appropriate contacts with special interest groups or other specialist security forums and professional associations should be maintained. § 6.1.4 Control]
    Operational management Preventive
    Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 Operational management Preventive
    Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739
    [A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties. § 5.1.1 Control]
    Operational management Preventive
    Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026
    [Operating procedures should be documented and made available to all users who need them. § 12.1.1 Control]
    Operational management Preventive
    Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 Operational management Preventive
    Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 Operational management Preventive
    Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851 Operational management Preventive
    Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 Operational management Preventive
    Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 Operational management Preventive
    Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 Operational management Preventive
    Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 Operational management Corrective
    Assign the distribution of incident response procedures to the appropriate role in the incident response program. CC ID 12474 Operational management Preventive
    Disseminate and communicate the local environment security profile to interested personnel and affected parties. CC ID 15716 Operational management Preventive
    Disseminate and communicate with the end user when a memorized secret entered into an authenticator field matches one found in the memorized secret list. CC ID 13807 System hardening through configuration management Preventive
    Disseminate and communicate the system design specification to all interested personnel and affected parties. CC ID 15468 Systems design, build, and implementation Preventive
    Refrain from delivering privacy notices to data subjects, as necessary. CC ID 13445 Privacy protection for information and data Preventive
    Deliver privacy notices to data subjects, as necessary. CC ID 13444 Privacy protection for information and data Preventive
    Update privacy notices, as necessary. CC ID 13474 Privacy protection for information and data Preventive
    Redeliver privacy notices, as necessary. CC ID 14850 Privacy protection for information and data Preventive
    Deliver privacy notices to third parties, as necessary. CC ID 13473 Privacy protection for information and data Preventive
    Obtain acknowledgment of receipt of the privacy notice. CC ID 14435 Privacy protection for information and data Preventive
    Deliver opt-out notices, as necessary. CC ID 13449 Privacy protection for information and data Preventive
    Include an initial privacy notification when delivering the opt-out notice. CC ID 13453 Privacy protection for information and data Preventive
    Provide a copy of the organization's privacy program to statutory authorities, as necessary. CC ID 12376 Privacy protection for information and data Preventive
    Affirm adequate protection of personal data to applicable statutory authorities if the organization is not a member of a privacy program. CC ID 12372 Privacy protection for information and data Preventive
    Notify statutory authorities of the organization's withdrawal from the privacy program. CC ID 12391 Privacy protection for information and data Preventive
    Notify statutory authorities concerned with the privacy program if the surviving organization will continue in the privacy program. CC ID 12393 Privacy protection for information and data Preventive
    Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354 Privacy protection for information and data Preventive
    Notify data subjects about their privacy rights. CC ID 12989 Privacy protection for information and data Preventive
    Disseminate and communicate the critical third party list with relevance to the privacy program to all interested personnel and affected parties. CC ID 12352 Privacy protection for information and data Preventive
    Provide public proof the organization participates in a privacy program. CC ID 12349 Privacy protection for information and data Preventive
    Disclose statements added to education records, as necessary. CC ID 12990 Privacy protection for information and data Preventive
    Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005 Privacy protection for information and data Preventive
    Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023 Privacy protection for information and data Preventive
    Disclose educational data absent consent when it concerns sex offenders. CC ID 13013 Privacy protection for information and data Preventive
    Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject, as necessary. CC ID 12625 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645 Privacy protection for information and data Preventive
    Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when the data subject has the information. CC ID 12628 Privacy protection for information and data Preventive
    Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433 Privacy protection for information and data Preventive
    Disseminate and communicate the privacy policy to interested personnel and affected parties. CC ID 13346 Privacy protection for information and data Preventive
    Disseminate and communicate the privacy procedures to all interested personnel and affected parties. CC ID 14664 Privacy protection for information and data Preventive
    Disseminate and communicate the privacy plan to interested personnel and affected parties. CC ID 14680 Privacy protection for information and data Preventive
    Disseminate and communicate the privacy report to interested personnel and affected parties. CC ID 14761 Privacy protection for information and data Preventive
    Disseminate private communications when required by law. CC ID 14335 Privacy protection for information and data Corrective
    Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537 Privacy protection for information and data Preventive
    Submit approval applications to the supervisory authority. CC ID 16627 Privacy protection for information and data Preventive
    Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 Privacy protection for information and data Preventive
    Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 Privacy protection for information and data Corrective
    Notify the data controller of any changes in data processors. CC ID 12648 Privacy protection for information and data Preventive
    Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 Privacy protection for information and data Preventive
    Disclose de-identified data, as necessary. CC ID 13034 Privacy protection for information and data Preventive
    Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 Privacy protection for information and data Corrective
    Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 Privacy protection for information and data Corrective
    Refrain from disclosing a security breach if an investigation concludes none has occurred. CC ID 13086 Privacy protection for information and data Corrective
    Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989 Privacy protection for information and data Corrective
    Disclose personal data absent consent for specific and well-documented circumstances. CC ID 15267 Privacy protection for information and data Preventive
    Disclose restricted data absent consent when the disclosure concerns the individual's products or services obtained from the organization. CC ID 13469 Privacy protection for information and data Preventive
    Capture personal data removal requests. CC ID 13507 Privacy protection for information and data Preventive
    Notify the data subject of the disclosure purpose. CC ID 15268 Privacy protection for information and data Preventive
    Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 Privacy protection for information and data Preventive
    Notify that data subject of any exclusions to requested personal data. CC ID 15271 Privacy protection for information and data Preventive
    Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 Privacy protection for information and data Preventive
    Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760 Privacy protection for information and data Preventive
    Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465 Privacy protection for information and data Preventive
    Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 Privacy protection for information and data Preventive
    Notify data subjects of the geographic locations of the third parties when transferring personal data to third parties. CC ID 14414 Privacy protection for information and data Preventive
    Notify data subjects about organizational liability when transferring personal data to third parties. CC ID 12353 Privacy protection for information and data Preventive
    Disseminate and communicate the results of the Privacy Impact Assessment to interested personnel and affected parties. CC ID 15458 Privacy protection for information and data Preventive
    Notify third parties of unresolved challenges. CC ID 13559 Privacy protection for information and data Preventive
    Notify respondents after a privacy rights violation complaint investigation has been resolved. CC ID 13513 Privacy protection for information and data Corrective
    Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 Privacy protection for information and data Preventive
    Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 Privacy protection for information and data Preventive
  • Configuration
    139
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Protect continuous security management systems from unauthorized use. CC ID 13097 Monitoring and measurement Preventive
    Install and maintain an Intrusion Detection System and/or Intrusion Prevention System. CC ID 00581 Monitoring and measurement Preventive
    Document the event information to be logged in the event information log specification. CC ID 00639 Monitoring and measurement Preventive
    Enable the logging capability to capture enough information to ensure the system is functioning according to its intended purpose throughout its life cycle. CC ID 15001 Monitoring and measurement Preventive
    Enable and configure logging on all network access controls. CC ID 01963 Monitoring and measurement Preventive
    Synchronize system clocks to an accurate and universal time source on all devices. CC ID 01340
    [The clocks of all relevant information processing systems within an organization or security domain should be synchronised to a single reference time source. § 12.4.4 Control]
    Monitoring and measurement Preventive
    Centralize network time servers to as few as practical. CC ID 06308 Monitoring and measurement Preventive
    Match user accounts to authorized parties. CC ID 12126 Technical security Detective
    Configure access control lists in accordance with organizational standards. CC ID 16465 Technical security Preventive
    Disallow application IDs from running as privileged users. CC ID 10050 Technical security Detective
    Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767
    [Groups of information services, users and information systems should be segregated on networks. § 13.1.3 Control]
    Technical security Preventive
    Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 Technical security Preventive
    Establish, implement, and maintain session lock capabilities. CC ID 01417 Technical security Preventive
    Limit concurrent sessions according to account type. CC ID 01416 Technical security Preventive
    Configure the "tlsverify" argument to organizational standards. CC ID 14460 Technical security Preventive
    Configure the "tlscacert" argument to organizational standards. CC ID 14521 Technical security Preventive
    Configure the "tlscert" argument to organizational standards. CC ID 14520 Technical security Preventive
    Configure the "tlskey" argument to organizational standards. CC ID 14519 Technical security Preventive
    Enable access control for objects and users on each system. CC ID 04553
    [Users should only be provided with access to the network and network services that they have been specifically authorized to use. § 9.1.2 Control]
    Technical security Preventive
    Display previous logon information in the logon banner. CC ID 01415 Technical security Preventive
    Encrypt files and move them to a secure file server when a user account is disabled. CC ID 07065 Technical security Preventive
    Limit superuser accounts to designated System Administrators. CC ID 06766 Technical security Preventive
    Grant access to authorized personnel or systems. CC ID 12186 Technical security Preventive
    Secure the Domain Name System. CC ID 00540 Technical security Preventive
    Configure network flow monitoring to organizational standards. CC ID 16364 Technical security Preventive
    Deploy sender policy framework records in the organization's Domain Name Servers. CC ID 12183 Technical security Preventive
    Control remote administration in accordance with organizational standards. CC ID 04459 Technical security Preventive
    Install and maintain remote control software and other remote control mechanisms on critical systems. CC ID 06371 Technical security Preventive
    Implement multifactor authentication techniques. CC ID 00561 Technical security Preventive
    Protect remote access accounts with encryption. CC ID 00562 Technical security Preventive
    Refrain from allowing the use of cleartext for input or output of restricted data or restricted information. CC ID 04823 Technical security Preventive
    Ensure restricted data or restricted information are encrypted prior to or at the time of transmission. CC ID 01749 Technical security Preventive
    Install security and protection software, as necessary. CC ID 00575
    [{detection controls} {prevention controls} Detection, prevention and recovery controls to protect against malware should be implemented, combined with appropriate user awareness. § 12.2.1 Control
    {detection controls} {prevention controls} Detection, prevention and recovery controls to protect against malware should be implemented, combined with appropriate user awareness. § 12.2.1 Control
    {detection controls} {prevention controls} Detection, prevention and recovery controls to protect against malware should be implemented, combined with appropriate user awareness. § 12.2.1 Control]
    Technical security Preventive
    Install doors so that exposed hinges are on the secured side. CC ID 06687 Physical and environmental protection Preventive
    Install emergency doors to permit egress only. CC ID 06688 Physical and environmental protection Preventive
    Install contact alarms on doors, as necessary. CC ID 06710 Physical and environmental protection Preventive
    Use locks with electronic authentication systems or cipher locks, as necessary. CC ID 06650 Physical and environmental protection Preventive
    Install contact alarms on openable windows, as necessary. CC ID 06690 Physical and environmental protection Preventive
    Install glass break alarms on windows, as necessary. CC ID 06691 Physical and environmental protection Preventive
    Configure video cameras to cover all physical entry points. CC ID 06302 Physical and environmental protection Preventive
    Configure video cameras to prevent physical tampering or disablement. CC ID 06303 Physical and environmental protection Preventive
    Design interior walls that provide security to extend from true floor to true ceiling. CC ID 06693 Physical and environmental protection Preventive
    Establish and maintain a telecommunications equipment room, as necessary. CC ID 06708 Physical and environmental protection Preventive
    Establish, implement, and maintain a battery room, as necessary. CC ID 06706 Physical and environmental protection Preventive
    Establish and maintain a generator room, as necessary. CC ID 06704 Physical and environmental protection Preventive
    Install and maintain fire protection equipment. CC ID 00728 Physical and environmental protection Preventive
    Install and maintain fire suppression systems. CC ID 00729 Physical and environmental protection Preventive
    Establish, implement, and maintain a Heating Ventilation and Air Conditioning system. CC ID 00727 Physical and environmental protection Preventive
    Install and maintain dust collection and filtering as a part of the Heating Ventilation and Air Conditioning system. CC ID 06368 Physical and environmental protection Preventive
    Install and maintain backup Heating Ventilation and Air Conditioning equipment. CC ID 06369 Physical and environmental protection Preventive
    Install and maintain a moisture control system as a part of the climate control system. CC ID 06694 Physical and environmental protection Preventive
    Install and maintain hydrogen sensors, as necessary. CC ID 06705 Physical and environmental protection Preventive
    Protect physical assets from water damage. CC ID 00730 Physical and environmental protection Preventive
    Establish, implement, and maintain redundant systems. CC ID 16354 Operational and Systems Continuity Preventive
    Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 Operational and Systems Continuity Preventive
    Install a generator sized to support the facility. CC ID 06709 Operational and Systems Continuity Preventive
    Configure the off-site electronic media storage facilities to utilize timely and effective recovery operations. CC ID 01392 Operational and Systems Continuity Preventive
    Disallow systems from processing information, disseminating and communicating information, or storing information that is above the system's assigned asset classification. CC ID 06606 Operational management Preventive
    Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption. CC ID 10614 Operational management Preventive
    Deploy software patches in accordance with organizational standards. CC ID 07032 Operational management Corrective
    Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 Operational management Corrective
    Remove outdated software after software has been updated. CC ID 11792 Operational management Corrective
    Update computer firmware, as necessary. CC ID 11755 Operational management Corrective
    Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671 Operational management Corrective
    Establish, implement, and maintain a configuration change log. CC ID 08710 Operational management Detective
    Remove all unnecessary functionality. CC ID 00882 System hardening through configuration management Preventive
    Disable all unnecessary applications unless otherwise noted in a policy exception. CC ID 04827 System hardening through configuration management Preventive
    Configure authenticators to comply with organizational standards. CC ID 06412
    [{interactive system} Password management systems should be interactive and should ensure quality passwords. § 9.4.3 Control]
    System hardening through configuration management Preventive
    Configure the system to require new users to change their authenticator on first use. CC ID 05268 System hardening through configuration management Preventive
    Configure authenticators so that group authenticators or shared authenticators are prohibited. CC ID 00519 System hardening through configuration management Preventive
    Configure the system to prevent unencrypted authenticator use. CC ID 04457 System hardening through configuration management Preventive
    Disable store passwords using reversible encryption. CC ID 01708 System hardening through configuration management Preventive
    Configure the system to encrypt authenticators. CC ID 06735 System hardening through configuration management Preventive
    Configure the system to mask authenticators. CC ID 02037 System hardening through configuration management Preventive
    Configure the authenticator policy to ban the use of usernames or user identifiers in authenticators. CC ID 05992 System hardening through configuration management Preventive
    Configure the system to refrain from specifying the type of information used as password hints. CC ID 13783 System hardening through configuration management Preventive
    Disable machine account password changes. CC ID 01737 System hardening through configuration management Preventive
    Configure the "Disable Remember Password" setting. CC ID 05270 System hardening through configuration management Preventive
    Configure the "Minimum password age" to organizational standards. CC ID 01703 System hardening through configuration management Preventive
    Configure the LILO/GRUB password. CC ID 01576 System hardening through configuration management Preventive
    Configure the system to use Apple's Keychain Access to store passwords and certificates. CC ID 04481 System hardening through configuration management Preventive
    Change the default password to Apple's Keychain. CC ID 04482 System hardening through configuration management Preventive
    Configure Apple's Keychain items to ask for the Keychain password. CC ID 04483 System hardening through configuration management Preventive
    Configure the Syskey Encryption Key and associated password. CC ID 05978 System hardening through configuration management Preventive
    Configure the "Accounts: Limit local account use of blank passwords to console logon only" setting. CC ID 04505 System hardening through configuration management Preventive
    Configure the "System cryptography: Force strong key protection for user keys stored in the computer" setting. CC ID 04534 System hardening through configuration management Preventive
    Configure interactive logon for accounts that do not have assigned authenticators in accordance with organizational standards. CC ID 05267 System hardening through configuration management Preventive
    Enable or disable remote connections from accounts with empty authenticators, as appropriate. CC ID 05269 System hardening through configuration management Preventive
    Configure the "Send LanMan compatible password" setting. CC ID 05271 System hardening through configuration management Preventive
    Configure the authenticator policy to ban or allow authenticators as words found in dictionaries, as appropriate. CC ID 05993 System hardening through configuration management Preventive
    Set the most number of characters required for the BitLocker Startup PIN correctly. CC ID 06054 System hardening through configuration management Preventive
    Set the default folder for BitLocker recovery passwords correctly. CC ID 06055 System hardening through configuration management Preventive
    Configure the "Disable password strength validation for Peer Grouping" setting to organizational standards. CC ID 10866 System hardening through configuration management Preventive
    Configure the "Set the interval between synchronization retries for Password Synchronization" setting to organizational standards. CC ID 11185 System hardening through configuration management Preventive
    Configure the "Set the number of synchronization retries for servers running Password Synchronization" setting to organizational standards. CC ID 11187 System hardening through configuration management Preventive
    Configure the "Turn off password security in Input Panel" setting to organizational standards. CC ID 11296 System hardening through configuration management Preventive
    Configure the "Turn on the Windows to NIS password synchronization for users that have been migrated to Active Directory" setting to organizational standards. CC ID 11355 System hardening through configuration management Preventive
    Configure the authenticator display screen to organizational standards. CC ID 13794 System hardening through configuration management Preventive
    Configure the authenticator field to disallow memorized secrets found in the memorized secret list. CC ID 13808 System hardening through configuration management Preventive
    Configure the authenticator display screen to display the memorized secret as an option. CC ID 13806 System hardening through configuration management Preventive
    Configure the look-up secret authenticator to dispose of memorized secrets after their use. CC ID 13817 System hardening through configuration management Corrective
    Configure the memorized secret verifiers to refrain from allowing anonymous users to access memorized secret hints. CC ID 13823 System hardening through configuration management Preventive
    Configure the system to allow paste functionality for the authenticator field. CC ID 13819 System hardening through configuration management Preventive
    Configure the system to require successful authentication before an authenticator for a user account is changed. CC ID 13821 System hardening through configuration management Preventive
    Configure Logging settings in accordance with organizational standards. CC ID 07611 System hardening through configuration management Preventive
    Configure all logs to capture auditable events or actionable events. CC ID 06332 System hardening through configuration management Preventive
    Implement electronic storage media integrity controls. CC ID 00946 Records management Preventive
    Automate electronic storage media integrity check controls. CC ID 00948 Records management Preventive
    Provide capacity for indexes on electronic storage media, as necessary. CC ID 00950 Records management Preventive
    Nest elements appropriately in website content using markup languages. CC ID 15154 Systems design, build, and implementation Preventive
    Use valid HTML or other markup languages. CC ID 15153 Systems design, build, and implementation Preventive
    Ensure users can navigate content. CC ID 15163 Systems design, build, and implementation Preventive
    Create text content using language that is readable and is understandable. CC ID 15167 Systems design, build, and implementation Preventive
    Ensure user interface components are operable. CC ID 15162 Systems design, build, and implementation Preventive
    Implement mechanisms to review, confirm, and correct user submissions. CC ID 15160 Systems design, build, and implementation Preventive
    Allow users to reverse submissions. CC ID 15168 Systems design, build, and implementation Preventive
    Provide a mechanism to control audio. CC ID 15158 Systems design, build, and implementation Preventive
    Allow modification of style properties without loss of content or functionality. CC ID 15156 Systems design, build, and implementation Preventive
    Programmatically determine the name and role of user interface components. CC ID 15148 Systems design, build, and implementation Preventive
    Programmatically determine the language of content. CC ID 15137 Systems design, build, and implementation Preventive
    Provide a mechanism to dismiss content triggered by mouseover or keyboard focus. CC ID 15164 Systems design, build, and implementation Preventive
    Configure repeated navigational mechanisms to occur in the same order unless overridden by the user. CC ID 15166 Systems design, build, and implementation Preventive
    Refrain from activating a change of context when changing the setting of user interface components, as necessary. CC ID 15165 Systems design, build, and implementation Preventive
    Provide users a mechanism to remap keyboard shortcuts. CC ID 15133 Systems design, build, and implementation Preventive
    Provide captions for live audio content. CC ID 15120 Systems design, build, and implementation Preventive
    Programmatically determine the purpose of each data field that collects information from the user. CC ID 15114 Systems design, build, and implementation Preventive
    Provide labels or instructions when content requires user input. CC ID 15077 Systems design, build, and implementation Preventive
    Allow users to control auto-updating information, as necessary. CC ID 15159 Systems design, build, and implementation Preventive
    Use headings on all web pages and labels in all content that describes the topic or purpose. CC ID 15070 Systems design, build, and implementation Preventive
    Display website content triggered by mouseover or keyboard focus. CC ID 15152 Systems design, build, and implementation Preventive
    Ensure the purpose of links can be determined through the link text. CC ID 15157 Systems design, build, and implementation Preventive
    Use a unique title that describes the topic or purpose for each web page. CC ID 15069 Systems design, build, and implementation Preventive
    Allow the use of time limits, as necessary. CC ID 15155 Systems design, build, and implementation Preventive
    Refrain from activating a change of context in a user interface component. CC ID 15115 Systems design, build, and implementation Preventive
    Configure the test environment similar to the production environment. CC ID 06837
    [Organizations should establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle. § 14.2.6 Control]
    Systems design, build, and implementation Preventive
    Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 Privacy protection for information and data Preventive
    Store payment card data in secure chips, if possible. CC ID 13065 Privacy protection for information and data Preventive
    Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 Privacy protection for information and data Preventive
    Terminate an individual's restriction agreement under specific circumstances. CC ID 06260 Privacy protection for information and data Preventive
  • Data and Information Management
    532
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997
    [Information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification. § 8.2.1 Control]
    Leadership and high level objectives Preventive
    Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996
    [Information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification. § 8.2.1 Control]
    Leadership and high level objectives Preventive
    Classify the value of information in the information classification standard. CC ID 11995
    [Information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification. § 8.2.1 Control]
    Leadership and high level objectives Preventive
    Classify the legal requirements of information in the information classification standard. CC ID 11994
    [Information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification. § 8.2.1 Control]
    Leadership and high level objectives Preventive
    Address Information Security during the business planning processes. CC ID 06495
    [Information security should be addressed in project management, regardless of the type of the project. § 6.1.5 Control]
    Leadership and high level objectives Preventive
    Include the system components that generate audit records in the event logging procedures. CC ID 16426 Monitoring and measurement Preventive
    Overwrite the oldest records when audit logging fails. CC ID 14308 Monitoring and measurement Preventive
    Establish and maintain contact information for user accounts, as necessary. CC ID 15418 Technical security Preventive
    Enforce access restrictions for restricted data. CC ID 01921 Technical security Preventive
    Include the date and time that access was reviewed in the system record. CC ID 16416 Technical security Preventive
    Establish, implement, and maintain an automated information flow approval process or semi-automated information flow approval process for transmitting or receiving restricted data or restricted information. CC ID 06734 Technical security Detective
    Constrain the information flow of restricted data or restricted information. CC ID 06763 Technical security Preventive
    Quarantine data that fails security tests. CC ID 16500 Technical security Corrective
    Restrict access to restricted data and restricted information on a need to know basis. CC ID 12453 Technical security Preventive
    Prohibit restricted data or restricted information from being sent to mobile devices. CC ID 04725 Technical security Preventive
    Prohibit restricted data or restricted information from being copied or moved absent approval of system boundaries for information flow control. CC ID 06310 Technical security Preventive
    Define risk tolerance to illicit data flow for each type of information classification. CC ID 01923 Technical security Preventive
    Disclose non-privacy related restricted information after a court makes a determination the information is material to a court case. CC ID 06242 Technical security Preventive
    Exchange non-privacy related restricted information with approved third parties if the information supports an approved activity. CC ID 06243 Technical security Preventive
    Perform content sanitization on data-in-transit. CC ID 16512 Technical security Preventive
    Perform content conversion on data-in-transit. CC ID 16510 Technical security Preventive
    Protect data from unauthorized access while transmitting between separate parts of the system. CC ID 16499 Technical security Preventive
    Protect data from modification or loss while transmitting between separate parts of the system. CC ID 04554 Technical security Preventive
    Protect data from unauthorized disclosure while transmitting between separate parts of the system. CC ID 11859 Technical security Preventive
    Establish, implement, and maintain whitelists and blacklists of web content. CC ID 15234 Technical security Preventive
    Implement the documented cryptographic module security functions. CC ID 06755 Technical security Preventive
    Establish, implement, and maintain digital signatures. CC ID 13828 Technical security Preventive
    Include the expiration date in digital signatures. CC ID 13833 Technical security Preventive
    Include audience restrictions in digital signatures. CC ID 13834 Technical security Preventive
    Include the subject in digital signatures. CC ID 13832 Technical security Preventive
    Include the issuer in digital signatures. CC ID 13831 Technical security Preventive
    Include identifiers in the digital signature. CC ID 13829 Technical security Preventive
    Encrypt in scope data or in scope information, as necessary. CC ID 04824 Technical security Preventive
    Digitally sign records and data, as necessary. CC ID 16507 Technical security Preventive
    Decrypt restricted data for the minimum time required. CC ID 12308 Technical security Preventive
    Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 Technical security Preventive
    Establish, implement, and maintain cryptographic key creation domain parameter requirements. CC ID 06575 Technical security Preventive
    Protect salt values and hash values in accordance with organizational standards. CC ID 16471 Technical security Preventive
    Recover encrypted data for lost cryptographic keys, compromised cryptographic keys, or damaged cryptographic keys. CC ID 01301 Technical security Preventive
    Generate strong cryptographic keys. CC ID 01299 Technical security Preventive
    Use approved random number generators for creating cryptographic keys. CC ID 06574 Technical security Preventive
    Disseminate and communicate cryptographic keys securely. CC ID 01300 Technical security Preventive
    Control the input and output of cryptographic keys from a cryptographic module. CC ID 06541 Technical security Preventive
    Store cryptographic keys securely. CC ID 01298 Technical security Preventive
    Restrict access to cryptographic keys. CC ID 01297 Technical security Preventive
    Store cryptographic keys in encrypted format. CC ID 06084 Technical security Preventive
    Change cryptographic keys in accordance with organizational standards. CC ID 01302 Technical security Preventive
    Destroy cryptographic keys promptly after the retention period. CC ID 01303 Technical security Preventive
    Control cryptographic keys with split knowledge and dual control. CC ID 01304 Technical security Preventive
    Prevent the unauthorized substitution of cryptographic keys. CC ID 01305 Technical security Preventive
    Revoke old cryptographic keys or invalid cryptographic keys immediately. CC ID 01307 Technical security Corrective
    Replace known or suspected compromised cryptographic keys immediately. CC ID 01306 Technical security Corrective
    Archive outdated cryptographic keys. CC ID 06884 Technical security Preventive
    Archive revoked cryptographic keys. CC ID 11819 Technical security Preventive
    Manage the digital signature cryptographic key pair. CC ID 06576 Technical security Preventive
    Track restricted storage media while it is in transit. CC ID 00967 Physical and environmental protection Detective
    Encrypt information stored on devices in publicly accessible areas. CC ID 16410 Physical and environmental protection Preventive
    Wipe information from mobile devices after a predetermined number of unsuccessful logon attempts. CC ID 14242 Physical and environmental protection Preventive
    Encrypt information stored on mobile devices. CC ID 01422 Physical and environmental protection Preventive
    Determine which data elements to back up. CC ID 13483 Operational and Systems Continuity Detective
    Store backup media at an off-site electronic media storage facility. CC ID 01332 Operational and Systems Continuity Preventive
    Transport backup media in lockable electronic media storage containers. CC ID 01264 Operational and Systems Continuity Preventive
    Identify the access methods for backup media at both the primary facility and the off-site electronic media storage facility. CC ID 01257 Operational and Systems Continuity Preventive
    Establish, implement, and maintain security controls to protect offsite data. CC ID 16259 Operational and Systems Continuity Preventive
    Deny access to restricted data or restricted information when a personnel status change occurs or an individual is terminated. CC ID 01309 Human Resources management Corrective
    Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 Operational management Preventive
    Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289 Operational management Preventive
    Record a unique name for each asset in the asset inventory. CC ID 16305 Operational management Preventive
    Record the status of information systems in the asset inventory. CC ID 16304 Operational management Preventive
    Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 Operational management Preventive
    Record software license information for each asset in the asset inventory. CC ID 11736 Operational management Preventive
    Record the operating system version for applicable assets in the asset inventory. CC ID 11748 Operational management Preventive
    Record rooms at external locations in the asset inventory. CC ID 16302 Operational management Preventive
    Record trusted keys and certificates in the asset inventory. CC ID 15486 Operational management Preventive
    Record cipher suites and protocols in the asset inventory. CC ID 15489 Operational management Preventive
    Wipe all data on systems prior to when the system is redeployed or the system is disposed. CC ID 06401 Operational management Preventive
    Approve tested change requests. CC ID 11783 Operational management Preventive
    Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809 Operational management Preventive
    Establish, implement, and maintain a repository of authenticators. CC ID 16372 System hardening through configuration management Preventive
    Ensure the root account is the first entry in password files. CC ID 16323 System hardening through configuration management Detective
    Sanitize electronic storage media in accordance with organizational standards. CC ID 16464 Records management Preventive
    Sanitize all electronic storage media before disposing a system or redeploying a system. CC ID 01643
    [All items of equipment containing storage media should be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use. § 11.2.7 Control]
    Records management Preventive
    Label restricted storage media appropriately. CC ID 00966 Records management Preventive
    Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 Records management Preventive
    Reproduce materials containing restricted data or restricted information in accordance with compliance requirements. CC ID 02202 Records management Preventive
    Prevent unnecessary information from being added to client-side scripting languages. CC ID 07073 Systems design, build, and implementation Preventive
    Transmit source code securely. CC ID 06397 Systems design, build, and implementation Preventive
    Establish, implement, and maintain a personal data transparency program. CC ID 00375 Privacy protection for information and data Preventive
    Notify statutory authorities about how restricted data will be handled following withdrawal from the privacy program. CC ID 16819 Privacy protection for information and data Preventive
    Deliver notices to the intended parties. CC ID 06240 Privacy protection for information and data Preventive
    Establish, implement, and maintain adequate openness procedures. CC ID 00377 Privacy protection for information and data Preventive
    Provide legal authorities access to personal data, upon request. CC ID 06818 Privacy protection for information and data Preventive
    Document the countries where restricted data may be stored. CC ID 12750 Privacy protection for information and data Preventive
    Protect the rights of students and their parents or legal representatives. CC ID 00222 Privacy protection for information and data Preventive
    Disclose educational data, as necessary. CC ID 00223 Privacy protection for information and data Preventive
    Obtain explicit consent from students or their parent or legal representative prior to using or disclosing educational data. CC ID 00220 Privacy protection for information and data Preventive
    Disclose education records when written consent is received. CC ID 00224 Privacy protection for information and data Preventive
    Disclose educational data absent consent to other school officials. CC ID 00226 Privacy protection for information and data Preventive
    Disclose educational data absent consent to another institution's school officials. CC ID 00227 Privacy protection for information and data Preventive
    Disclose educational data absent consent in connection with financial aid. CC ID 00229 Privacy protection for information and data Preventive
    Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230 Privacy protection for information and data Preventive
    Disclose educational data absent consent to accrediting organizations. CC ID 00231 Privacy protection for information and data Preventive
    Disclose educational data absent consent to a dependent student's parent or legal representative. CC ID 00232 Privacy protection for information and data Preventive
    Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233 Privacy protection for information and data Preventive
    Disclose educational data absent consent for a health and safety emergency. CC ID 00234 Privacy protection for information and data Preventive
    Disclose educational data absent consent when it is merely directory information. CC ID 00235 Privacy protection for information and data Preventive
    Disclose educational data absent consent to a crime victim. CC ID 00236 Privacy protection for information and data Preventive
    Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 Privacy protection for information and data Preventive
    Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 Privacy protection for information and data Preventive
    Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 Privacy protection for information and data Preventive
    Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 Privacy protection for information and data Preventive
    Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605 Privacy protection for information and data Preventive
    Refrain from obtaining consent through deception. CC ID 13556 Privacy protection for information and data Preventive
    Give individuals the ability to change the uses of their personal data. CC ID 00469 Privacy protection for information and data Preventive
    Notify data subjects of the implications of withdrawing consent. CC ID 13551 Privacy protection for information and data Preventive
    Cooperate with Data Protection Authorities. CC ID 06870 Privacy protection for information and data Preventive
    Display or print the least amount of personal data necessary. CC ID 04643 Privacy protection for information and data Preventive
    Redact confidential information from public information, as necessary. CC ID 06872 Privacy protection for information and data Preventive
    Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 Privacy protection for information and data Preventive
    Dispose of media and restricted data in a timely manner. CC ID 00125 Privacy protection for information and data Preventive
    Provide individuals with information about where their personal data was processed. CC ID 00415 Privacy protection for information and data Preventive
    Provide individuals with information about the processing purpose of their personal data. CC ID 00416 Privacy protection for information and data Preventive
    Provide individuals with information about disclosure of their personal data. CC ID 00417 Privacy protection for information and data Preventive
    Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 Privacy protection for information and data Preventive
    Provide assistance to requesters in preparing data access requests. CC ID 13588 Privacy protection for information and data Preventive
    Delay responding to data access requests, as necessary. CC ID 15504 Privacy protection for information and data Preventive
    Expedite the processing of data access requests, as necessary. CC ID 15496 Privacy protection for information and data Preventive
    Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 Privacy protection for information and data Preventive
    Document the outcome of the personal data access request review procedure. CC ID 00455 Privacy protection for information and data Preventive
    Identify any adverse effects the processing of personal data will have on the data subject. CC ID 15299 Privacy protection for information and data Preventive
    Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 Privacy protection for information and data Preventive
    Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 Privacy protection for information and data Preventive
    Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 Privacy protection for information and data Preventive
    Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 Privacy protection for information and data Preventive
    Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 Privacy protection for information and data Preventive
    Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 Privacy protection for information and data Preventive
    Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 Privacy protection for information and data Preventive
    Process personal data after the data subject has granted explicit consent. CC ID 00180 Privacy protection for information and data Preventive
    Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 Privacy protection for information and data Preventive
    Process personal data relating to criminal offenses when required by law. CC ID 00237 Privacy protection for information and data Preventive
    Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 Privacy protection for information and data Preventive
    Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 Privacy protection for information and data Preventive
    Process personal data for statistical purposes or scientific purposes. CC ID 00256 Privacy protection for information and data Preventive
    Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 Privacy protection for information and data Preventive
    Process traffic data in a controlled manner. CC ID 00130 Privacy protection for information and data Preventive
    Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 Privacy protection for information and data Preventive
    Process personal data when it is publicly accessible. CC ID 00187 Privacy protection for information and data Preventive
    Process personal data for direct marketing and other personalized mail programs. CC ID 00188 Privacy protection for information and data Preventive
    Process personal data for the purposes of employment. CC ID 16527 Privacy protection for information and data Preventive
    Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 Privacy protection for information and data Preventive
    Process personal data for debt collection or benefit payments. CC ID 00190 Privacy protection for information and data Preventive
    Process personal data in order to advance the public interest. CC ID 00191 Privacy protection for information and data Preventive
    Process personal data for surveys, archives, or scientific research. CC ID 00192 Privacy protection for information and data Preventive
    Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 Privacy protection for information and data Preventive
    Process personal data for academic purposes or religious purposes. CC ID 00194 Privacy protection for information and data Preventive
    Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 Privacy protection for information and data Preventive
    Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 Privacy protection for information and data Preventive
    Follow legal obligations while processing personal data. CC ID 04794 Privacy protection for information and data Preventive
    Start personal data processing only after the needed notifications are submitted. CC ID 04791 Privacy protection for information and data Preventive
    Process personal data absent consent for specific and well-documented circumstances. CC ID 13537 Privacy protection for information and data Preventive
    Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617 Privacy protection for information and data Preventive
    Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615 Privacy protection for information and data Preventive
    Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612 Privacy protection for information and data Preventive
    Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611 Privacy protection for information and data Preventive
    Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580 Privacy protection for information and data Preventive
    Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282 Privacy protection for information and data Preventive
    Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587 Privacy protection for information and data Preventive
    Process personal data absent consent in order to perform a contract. CC ID 13586 Privacy protection for information and data Preventive
    Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581 Privacy protection for information and data Preventive
    Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814 Privacy protection for information and data Preventive
    Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294 Privacy protection for information and data Preventive
    Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579 Privacy protection for information and data Preventive
    Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 Privacy protection for information and data Preventive
    Process personal data absent consent when it is needed by law. CC ID 13577 Privacy protection for information and data Preventive
    Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296 Privacy protection for information and data Preventive
    Process personal data absent consent when it is from publicly available information. CC ID 13576 Privacy protection for information and data Preventive
    Process personal data absent consent to create a credit report. CC ID 15288 Privacy protection for information and data Preventive
    Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575 Privacy protection for information and data Preventive
    Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291 Privacy protection for information and data Preventive
    Process personal data absent consent when produced for business purposes. CC ID 13563 Privacy protection for information and data Preventive
    Process personal data absent consent for handling insurance claims. CC ID 13561 Privacy protection for information and data Preventive
    Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533 Privacy protection for information and data Preventive
    Process personal data absent consent if the information is contained in a witness statement. CC ID 13560 Privacy protection for information and data Preventive
    Process personal data absent consent for life-threatening emergencies. CC ID 13558 Privacy protection for information and data Preventive
    Process personal data absent consent for reasonable investigative purposes. CC ID 13557 Privacy protection for information and data Preventive
    Disclose restricted data when the data subject has given unambiguous and implicit consent. CC ID 00157 Privacy protection for information and data Preventive
    Disclose personal data when the data subject has consented and has the ability to opt out. CC ID 00158 Privacy protection for information and data Detective
    Disclose Personal Identification Numbers absent consent in order to update address information. CC ID 04793 Privacy protection for information and data Preventive
    Disclose restricted data absent consent when the law does not require consent. CC ID 00136 Privacy protection for information and data Preventive
    Disclose data absent consent if its disclosure is consistent with the intended purpose. CC ID 15270 Privacy protection for information and data Preventive
    Disclose restricted data when a relevant connection exists between the data subject and the data controller's operations. CC ID 00137 Privacy protection for information and data Preventive
    Disclose personal data absent consent if the disclosure with the consent or knowledge of the data subject would compromise the ability to prevent, detect, or suppress fraud. CC ID 13594 Privacy protection for information and data Preventive
    Disclose personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15284 Privacy protection for information and data Preventive
    Disclose personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13616 Privacy protection for information and data Preventive
    Disclose personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13613 Privacy protection for information and data Preventive
    Disclose personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13603 Privacy protection for information and data Preventive
    Disclose personal data absent consent if disclosure is made a predetermined number of years after the death of the data subject. CC ID 13598 Privacy protection for information and data Preventive
    Disclose personal data absent consent when disclosure is made a predetermined number of years after the information was created. CC ID 13597 Privacy protection for information and data Preventive
    Disclose personal data absent consent if the data subject is notified of the disclosure. CC ID 13596 Privacy protection for information and data Preventive
    Disclose personal data absent consent to detect, suppress, or prevent fraud. CC ID 13592 Privacy protection for information and data Preventive
    Disclose personal data absent consent to create a credit report. CC ID 15297 Privacy protection for information and data Preventive
    Disclose personal data absent consent if it is necessary to identify an individual who is injured, ill or deceased. CC ID 13595 Privacy protection for information and data Preventive
    Disclose restricted data absent consent if the disclosure is to a government institution. CC ID 13583 Privacy protection for information and data Preventive
    Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593 Privacy protection for information and data Preventive
    Disclose personal data absent consent to determine whether to proceed with business transactions. CC ID 15285 Privacy protection for information and data Preventive
    Disclose personal data absent consent for handling insurance claims. CC ID 13585 Privacy protection for information and data Preventive
    Disclose personal data absent consent if the information is contained in a witness statement. CC ID 13584 Privacy protection for information and data Preventive
    Disclose personal data absent consent if the data subject is believed to be a victim of financial abuse. CC ID 13555 Privacy protection for information and data Preventive
    Disclose personal data absent consent for transactions related to the consumer. CC ID 14853 Privacy protection for information and data Preventive
    Disclose restricted data absent consent to a government institution that has requested the information. CC ID 13582 Privacy protection for information and data Preventive
    Disclose personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 13554 Privacy protection for information and data Preventive
    Disclose restricted data absent consent when it is for the data controller's legitimate interest or third party's legitimate interest and it prevails over individual rights. CC ID 00138 Privacy protection for information and data Preventive
    Disclose personal data absent consent if the organization notifies the privacy commissioner before disclosing the information. CC ID 13553 Privacy protection for information and data Preventive
    Disclose personal data absent consent if it is impracticable to obtain consent. CC ID 13552 Privacy protection for information and data Preventive
    Disclose restricted data absent consent in order to perform a contract. CC ID 00139 Privacy protection for information and data Preventive
    Disclose restricted data absent consent in order to assist Telecommunications Ombudsmen in resolving complaints. CC ID 00140 Privacy protection for information and data Preventive
    Disclose personal data absent consent to administer a trust fund or benefit plan. CC ID 15290 Privacy protection for information and data Preventive
    Disclose personal data absent consent for research purposes and the data subject is not identified. CC ID 15286 Privacy protection for information and data Preventive
    Disclose personal data absent consent when the personal data is disclosed by calling an emergency service number. CC ID 00141 Privacy protection for information and data Preventive
    Disclose restricted data absent consent when the restricted data prevents life-threatening emergencies to third parties. CC ID 00142 Privacy protection for information and data Preventive
    Disclose restricted data absent consent when the restricted data preserves human life at sea. CC ID 00143 Privacy protection for information and data Preventive
    Disclose restricted data absent consent in order to process the restricted data for public interests. CC ID 00144 Privacy protection for information and data Preventive
    Disclose restricted data for public interests absent consent in order to provide social work assistance services. CC ID 00145 Privacy protection for information and data Preventive
    Disclose restricted data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146 Privacy protection for information and data Preventive
    Disclose restricted data for public interests absent consent in order to protect historical records or archival records. CC ID 00147 Privacy protection for information and data Preventive
    Disclose restricted data absent consent for public economic interests. CC ID 00148 Privacy protection for information and data Preventive
    Disclose restricted data for public interests absent consent for National Security reasons. CC ID 00149 Privacy protection for information and data Preventive
    Disclose restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00150 Privacy protection for information and data Preventive
    Disclose restricted data absent consent when it is publicly accessible. CC ID 00151 Privacy protection for information and data Preventive
    Disclose restricted data absent consent when it is related to publicly available information. CC ID 00152 Privacy protection for information and data Preventive
    Disclose publicly accessible restricted data absent consent when the data subject has already published it. CC ID 00153 Privacy protection for information and data Preventive
    Disclose restricted data absent consent in order to protect the data subject's vital interests. CC ID 00154 Privacy protection for information and data Preventive
    Disclose restricted data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155 Privacy protection for information and data Preventive
    Disclose restricted data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161 Privacy protection for information and data Preventive
    Disclose restricted data absent consent when it is needed by law. CC ID 00163 Privacy protection for information and data Preventive
    Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796 Privacy protection for information and data Preventive
    Disclose personal data absent consent when it is being disclosed to the data subject. CC ID 00164 Privacy protection for information and data Preventive
    Disclose personal data absent consent for direct marketing or other personalized mail programs. CC ID 14855 Privacy protection for information and data Preventive
    Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165 Privacy protection for information and data Preventive
    Disclose personal data absent consent when the data subject or data owner is anonymous. CC ID 00166 Privacy protection for information and data Preventive
    Limit the redisclosure and reuse of restricted data. CC ID 00168 Privacy protection for information and data Preventive
    Refrain from redisclosing or reusing restricted data. CC ID 00169 Privacy protection for information and data Preventive
    Redisclose restricted data when the data subject consents. CC ID 00171 Privacy protection for information and data Preventive
    Redisclose restricted data when it is for criminal law enforcement. CC ID 00172 Privacy protection for information and data Preventive
    Redisclose restricted data in order to protect public revenue. CC ID 00173 Privacy protection for information and data Preventive
    Redisclose restricted data in order to assist a Telecommunications Ombudsman. CC ID 00174 Privacy protection for information and data Preventive
    Redisclose restricted data in order to prevent a life-threatening emergency. CC ID 00175 Privacy protection for information and data Preventive
    Redisclose restricted data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176 Privacy protection for information and data Preventive
    Redisclose restricted data in order to preserve human life at sea. CC ID 00177 Privacy protection for information and data Preventive
    Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 Privacy protection for information and data Preventive
    Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 Privacy protection for information and data Preventive
    Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 Privacy protection for information and data Preventive
    Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 Privacy protection for information and data Preventive
    Process Personal Identification Numbers with consent. CC ID 00239 Privacy protection for information and data Preventive
    Obtain consent prior to selling a Personal Identification Number. CC ID 00240 Privacy protection for information and data Preventive
    Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 Privacy protection for information and data Preventive
    Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 Privacy protection for information and data Preventive
    Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 Privacy protection for information and data Preventive
    Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 Privacy protection for information and data Preventive
    Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 Privacy protection for information and data Preventive
    Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 Privacy protection for information and data Preventive
    Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 Privacy protection for information and data Preventive
    Allow data subjects the ability to restrict the use and disclosure of personal data. CC ID 06821 Privacy protection for information and data Preventive
    Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 Privacy protection for information and data Preventive
    Review personal data disclosure requests. CC ID 07129 Privacy protection for information and data Preventive
    Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 Privacy protection for information and data Preventive
    Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 Privacy protection for information and data Preventive
    Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 Privacy protection for information and data Preventive
    Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 Privacy protection for information and data Preventive
    Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 Privacy protection for information and data Preventive
    Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 Privacy protection for information and data Preventive
    Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 Privacy protection for information and data Preventive
    Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 Privacy protection for information and data Preventive
    Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 Privacy protection for information and data Preventive
    Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 Privacy protection for information and data Preventive
    Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 Privacy protection for information and data Preventive
    Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 Privacy protection for information and data Preventive
    Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 Privacy protection for information and data Detective
    Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 Privacy protection for information and data Preventive
    Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 Privacy protection for information and data Preventive
    Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 Privacy protection for information and data Preventive
    Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 Privacy protection for information and data Preventive
    Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 Privacy protection for information and data Preventive
    Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 Privacy protection for information and data Preventive
    Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 Privacy protection for information and data Preventive
    Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 Privacy protection for information and data Preventive
    Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 Privacy protection for information and data Preventive
    Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 Privacy protection for information and data Preventive
    Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 Privacy protection for information and data Preventive
    Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 Privacy protection for information and data Preventive
    Provide data or records in a reasonable time frame. CC ID 00429 Privacy protection for information and data Preventive
    Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 Privacy protection for information and data Preventive
    Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 Privacy protection for information and data Preventive
    Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 Privacy protection for information and data Preventive
    Provide data at a cost that is not excessive. CC ID 00430 Privacy protection for information and data Preventive
    Provide records or data in a reasonable manner. CC ID 00431 Privacy protection for information and data Preventive
    Provide personal data in a form that is intelligible. CC ID 00432 Privacy protection for information and data Preventive
    Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 Privacy protection for information and data Preventive
    Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 Privacy protection for information and data Preventive
    Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 Privacy protection for information and data Preventive
    Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279 Privacy protection for information and data Preventive
    Refrain from collecting personal data, as necessary. CC ID 15269 Privacy protection for information and data Preventive
    Use personal data for specified purposes. CC ID 11831 Privacy protection for information and data Preventive
    Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 Privacy protection for information and data Preventive
    Provide explicit consent that is clear and unambiguous. CC ID 00181 Privacy protection for information and data Preventive
    Allow individuals to change their personal data collection consent preferences. CC ID 06946 Privacy protection for information and data Preventive
    Adhere to each individual's personal data collection consent preferences. CC ID 06947 Privacy protection for information and data Preventive
    Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717 Privacy protection for information and data Preventive
    Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718 Privacy protection for information and data Preventive
    Include an individual's name in the personal data definition. CC ID 04710 Privacy protection for information and data Preventive
    Include an individual's name combined with other personal data in the personal data definition. CC ID 04709 Privacy protection for information and data Preventive
    Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686 Privacy protection for information and data Preventive
    Include an individual's signature in the personal data definition. CC ID 04711 Privacy protection for information and data Preventive
    Include an individual's date of birth in the personal data definition. CC ID 04770 Privacy protection for information and data Preventive
    Include an individual's physical characteristics or description in the personal data definition. CC ID 04712 Privacy protection for information and data Preventive
    Include an individual's biometric data in the personal data definition. CC ID 04698 Privacy protection for information and data Preventive
    Include an individual's photographic image in the personal data definition. CC ID 04779 Privacy protection for information and data Preventive
    Include an individual's fingerprints in the personal data definition. CC ID 04689 Privacy protection for information and data Preventive
    Include an individual's address in the personal data definition. CC ID 04687 Privacy protection for information and data Preventive
    Include an individual's telephone number in the personal data definition. CC ID 04688 Privacy protection for information and data Preventive
    Include an individual's fax number in the personal data definition. CC ID 07120 Privacy protection for information and data Preventive
    Include an individual's financial account number in the personal data definition. CC ID 04692 Privacy protection for information and data Preventive
    Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768 Privacy protection for information and data Preventive
    Include an individual's electronic identification name or number in the personal data definition. CC ID 04694 Privacy protection for information and data Preventive
    Include an individual's Alien Registration Number in the personal data definition. CC ID 04743 Privacy protection for information and data Preventive
    Include an individual's passport number in the personal data definition. CC ID 04713 Privacy protection for information and data Preventive
    Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691 Privacy protection for information and data Preventive
    Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690 Privacy protection for information and data Preventive
    Include an individual's e-mail address in the personal data definition. CC ID 04696 Privacy protection for information and data Preventive
    Include electronic signatures in the personal data definition. CC ID 04697 Privacy protection for information and data Preventive
    Include an individual's payment card information in the personal data definition. CC ID 04751 Privacy protection for information and data Preventive
    Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693 Privacy protection for information and data Preventive
    Include an individual's payment card service code in the personal data definition. CC ID 04753 Privacy protection for information and data Preventive
    Include an individual's payment card expiration date in the personal data definition. CC ID 04755 Privacy protection for information and data Preventive
    Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825 Privacy protection for information and data Preventive
    Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700 Privacy protection for information and data Preventive
    Include an individual's medical history in the personal data definition. CC ID 04701 Privacy protection for information and data Preventive
    Include an individual's medical treatment in the personal data definition. CC ID 04702 Privacy protection for information and data Preventive
    Include an individual's medical diagnosis in the personal data definition. CC ID 04703 Privacy protection for information and data Preventive
    Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704 Privacy protection for information and data Preventive
    Include an individual's medical record numbers in the personal data definition. CC ID 07121 Privacy protection for information and data Preventive
    Include an individual's health insurance information in the personal data definition. CC ID 04705 Privacy protection for information and data Preventive
    Include an individual's health insurance policy number in the personal data definition. CC ID 04706 Privacy protection for information and data Preventive
    Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707 Privacy protection for information and data Preventive
    Include an individual's education information in the personal data definition. CC ID 04714 Privacy protection for information and data Preventive
    Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122 Privacy protection for information and data Preventive
    Include an individual's employment information in the personal data definition. CC ID 04715 Privacy protection for information and data Preventive
    Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767 Privacy protection for information and data Preventive
    Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763 Privacy protection for information and data Preventive
    Include an individual's employment history in the personal data definition. CC ID 04716 Privacy protection for information and data Preventive
    Include an individual's place of employment in the personal data definition. CC ID 04765 Privacy protection for information and data Preventive
    Include an individual's Employee Identification Number in the personal data definition. CC ID 04766 Privacy protection for information and data Preventive
    Include an individual's property information in the personal data definition. CC ID 04780 Privacy protection for information and data Preventive
    Include an individual's property title in the personal data definition. CC ID 04781 Privacy protection for information and data Preventive
    Include an individual's vehicle registration in the personal data definition. CC ID 04782 Privacy protection for information and data Preventive
    Include hardware asset identification information in the personal data definition. CC ID 07123 Privacy protection for information and data Preventive
    Include MAC addresses in the personal data definition. CC ID 04778 Privacy protection for information and data Preventive
    Include Internet Protocol addresses in the personal data definition. CC ID 04777 Privacy protection for information and data Preventive
    Include asset serial numbers in the personal data definition. CC ID 07124 Privacy protection for information and data Preventive
    Include Uniform Resource Locators in the personal data definition. CC ID 07125 Privacy protection for information and data Preventive
    Define specially restricted data. CC ID 00037 Privacy protection for information and data Preventive
    Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 Privacy protection for information and data Preventive
    Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075 Privacy protection for information and data Preventive
    Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080 Privacy protection for information and data Preventive
    Implement a nondiscrimination principle. CC ID 00081 Privacy protection for information and data Preventive
    Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799 Privacy protection for information and data Preventive
    Preserve each individual's right to human dignity. CC ID 00082 Privacy protection for information and data Preventive
    Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058 Privacy protection for information and data Preventive
    Collect Personal Identification Numbers with the individual's consent. CC ID 00059 Privacy protection for information and data Preventive
    Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061 Privacy protection for information and data Preventive
    Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065 Privacy protection for information and data Preventive
    Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792 Privacy protection for information and data Preventive
    Manage health data collection. CC ID 00050 Privacy protection for information and data Preventive
    Collect Individually Identifiable Health Information to provide health care services. CC ID 00052 Privacy protection for information and data Preventive
    Collect Individually Identifiable Health Information when the law dictates. CC ID 00053 Privacy protection for information and data Preventive
    Collect Individually Identifiable Health Information for research. CC ID 00054 Privacy protection for information and data Preventive
    Remove personal data before disclosing health data. CC ID 00055 Privacy protection for information and data Preventive
    Give special attention to collecting children's data. CC ID 00038 Privacy protection for information and data Preventive
    Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041 Privacy protection for information and data Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 Privacy protection for information and data Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044 Privacy protection for information and data Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 Privacy protection for information and data Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046 Privacy protection for information and data Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047 Privacy protection for information and data Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048 Privacy protection for information and data Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 Privacy protection for information and data Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 Privacy protection for information and data Preventive
    Collect personal data directly from the data subject. CC ID 00011 Privacy protection for information and data Preventive
    Create and manage user account aliases to maintain pseudonymity. CC ID 04549 Privacy protection for information and data Preventive
    Provide unlinkability for users and resources. CC ID 04550 Privacy protection for information and data Preventive
    Collect restricted data in a fair and lawful manner. CC ID 00010 Privacy protection for information and data Preventive
    Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013 Privacy protection for information and data Preventive
    Collect restricted data absent consent when the data collection is in the individual's interests and consent can not be obtained in a timely manner. CC ID 00014 Privacy protection for information and data Preventive
    Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015 Privacy protection for information and data Preventive
    Collect personal data absent consent in order to make a disclosure. CC ID 13550 Privacy protection for information and data Preventive
    Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 Privacy protection for information and data Preventive
    Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548 Privacy protection for information and data Preventive
    Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 Privacy protection for information and data Preventive
    Collect personal data absent consent for handling insurance claims. CC ID 13543 Privacy protection for information and data Preventive
    Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016 Privacy protection for information and data Preventive
    Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295 Privacy protection for information and data Preventive
    Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 Privacy protection for information and data Preventive
    Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277 Privacy protection for information and data Preventive
    Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289 Privacy protection for information and data Preventive
    Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292 Privacy protection for information and data Preventive
    Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 Privacy protection for information and data Preventive
    Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293 Privacy protection for information and data Preventive
    Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 Privacy protection for information and data Preventive
    Collect restricted data absent consent from publicly available information. CC ID 00019 Privacy protection for information and data Preventive
    Collect restricted data absent consent when needed by law. CC ID 00020 Privacy protection for information and data Preventive
    Collect personal data absent consent to create a credit report. CC ID 15287 Privacy protection for information and data Preventive
    Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021 Privacy protection for information and data Preventive
    Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022 Privacy protection for information and data Preventive
    Collect the minimum amount of restricted data necessary. CC ID 00078 Privacy protection for information and data Preventive
    Collect restricted data in a proper information framework. CC ID 00009 Privacy protection for information and data Preventive
    Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 Privacy protection for information and data Preventive
    Collect restricted data when required by law. CC ID 00031 Privacy protection for information and data Preventive
    Collect restricted data to prevent life-threatening emergencies. CC ID 00032 Privacy protection for information and data Preventive
    Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034 Privacy protection for information and data Preventive
    Collect restricted data for legal purposes. CC ID 00036 Privacy protection for information and data Preventive
    Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 Privacy protection for information and data Preventive
    Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 Privacy protection for information and data Preventive
    Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 Privacy protection for information and data Preventive
    Limit data leakage. CC ID 00356 Privacy protection for information and data Preventive
    Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 Privacy protection for information and data Detective
    Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 Privacy protection for information and data Detective
    Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 Privacy protection for information and data Detective
    Send change notices for change of address requests to the old address and the new address. CC ID 04877 Privacy protection for information and data Detective
    Include text about data ownership in the data handling policy. CC ID 15720 Privacy protection for information and data Preventive
    Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 Privacy protection for information and data Preventive
    Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 Privacy protection for information and data Preventive
    Store de-identifying code and re-identifying code separately. CC ID 16535 Privacy protection for information and data Preventive
    Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 Privacy protection for information and data Preventive
    Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 Privacy protection for information and data Preventive
    Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 Privacy protection for information and data Preventive
    Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 Privacy protection for information and data Preventive
    Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 Privacy protection for information and data Preventive
    Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 Privacy protection for information and data Preventive
    Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 Privacy protection for information and data Preventive
    Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 Privacy protection for information and data Preventive
    Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 Privacy protection for information and data Preventive
    Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 Privacy protection for information and data Preventive
    Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 Privacy protection for information and data Preventive
    Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 Privacy protection for information and data Preventive
    Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 Privacy protection for information and data Preventive
    Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 Privacy protection for information and data Preventive
    Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 Privacy protection for information and data Preventive
    Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 Privacy protection for information and data Preventive
    Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 Privacy protection for information and data Preventive
    Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 Privacy protection for information and data Preventive
    Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 Privacy protection for information and data Preventive
    Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 Privacy protection for information and data Preventive
    Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 Privacy protection for information and data Preventive
    Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 Privacy protection for information and data Preventive
    Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 Privacy protection for information and data Preventive
    Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 Privacy protection for information and data Preventive
    Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 Privacy protection for information and data Preventive
    Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 Privacy protection for information and data Preventive
    Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 Privacy protection for information and data Preventive
    Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 Privacy protection for information and data Preventive
    Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 Privacy protection for information and data Preventive
    Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 Privacy protection for information and data Preventive
    Obtain consent from an individual prior to transferring personal data. CC ID 06948 Privacy protection for information and data Preventive
    Provide an adequate data protection level by the transferee prior to transferring personal data to another country. CC ID 00314 Privacy protection for information and data Preventive
    Refrain from restricting personal data transfers to member states of the European Union. CC ID 00312 Privacy protection for information and data Preventive
    Prohibit the transfer of personal data when security is inadequate. CC ID 00345 Privacy protection for information and data Preventive
    Meet the use of limitation exceptions in order to transfer personal data. CC ID 00346 Privacy protection for information and data Preventive
    Refrain from transferring past the first transfer. CC ID 00347 Privacy protection for information and data Preventive
    Allow the data subject the right to object to the personal data transfer. CC ID 00349 Privacy protection for information and data Preventive
    Include publicly available information as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00316 Privacy protection for information and data Preventive
    Include transfer agreements between data controllers and third parties when it is for the data subject's interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00317 Privacy protection for information and data Preventive
    Include personal data for the health field and for treatment as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00318 Privacy protection for information and data Preventive
    Include personal data for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00319 Privacy protection for information and data Preventive
    Include personal data for important public interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00320 Privacy protection for information and data Preventive
    Include consent by the data subject as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00321 Privacy protection for information and data Preventive
    Include personal data used for a contract as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00322 Privacy protection for information and data Preventive
    Include personal data for protecting the data subject or the data subject's interests, such as saving his/her life or providing healthcare as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00323 Privacy protection for information and data Preventive
    Include personal data that is necessary to fulfill international law obligations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00324 Privacy protection for information and data Preventive
    Include personal data used for legal investigations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00325 Privacy protection for information and data Preventive
    Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00326 Privacy protection for information and data Preventive
    Require transferees to implement adequate data protection levels for the personal data. CC ID 00335 Privacy protection for information and data Preventive
    Include personal data that is publicly available information as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00337 Privacy protection for information and data Preventive
    Include personal data that is used for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00338 Privacy protection for information and data Preventive
    Include personal data that is used for important public interest as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00339 Privacy protection for information and data Preventive
    Include consent by the data subject as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00340 Privacy protection for information and data Preventive
    Include personal data that is used for a contract as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00341 Privacy protection for information and data Preventive
    Include personal data that is used for protecting the data subject or the data subject's interests, such as providing healthcare or saving his/her life as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00342 Privacy protection for information and data Preventive
    Include personal data that is used for a legal investigation as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00343 Privacy protection for information and data Preventive
    Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00344 Privacy protection for information and data Preventive
    Obtain consent prior to storing cookies on an individual's browser. CC ID 06950 Privacy protection for information and data Preventive
    Obtain consent prior to downloading software to an individual's computer. CC ID 06951 Privacy protection for information and data Preventive
    Obtain consent prior to tracking Internet traffic patterns or browsing history of an individual. CC ID 06961 Privacy protection for information and data Preventive
    Develop remedies and sanctions for privacy policy violations. CC ID 00474 Privacy protection for information and data Preventive
    Implement procedures to file privacy rights violation complaints. CC ID 00476 Privacy protection for information and data Corrective
    Change or destroy any personal data that is incorrect. CC ID 00462 Privacy protection for information and data Corrective
    Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 Privacy protection for information and data Preventive
    Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 Privacy protection for information and data Corrective
    Notify individuals of their right to challenge personal data. CC ID 00457 Privacy protection for information and data Preventive
    Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458 Privacy protection for information and data Preventive
    Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459 Privacy protection for information and data Preventive
    Investigate the disputed accuracy of personal data. CC ID 00461 Privacy protection for information and data Preventive
    Order the cessation of data processing when a violation of the privacy policy is detected. CC ID 00475 Privacy protection for information and data Corrective
    Destroy personal data that breaches privacy after the privacy breach has been detected. CC ID 00503 Privacy protection for information and data Corrective
    Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 Third Party and supply chain oversight Detective
  • Establish Roles
    31
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 Leadership and high level objectives Preventive
    Define the Information Assurance strategic roles and responsibilities. CC ID 00608 Leadership and high level objectives Preventive
    Establish and maintain a compliance oversight committee. CC ID 00765 Leadership and high level objectives Detective
    Define and assign log management roles and responsibilities. CC ID 06311 Monitoring and measurement Preventive
    Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 Technical security Preventive
    Assign appropriate roles for enabling or disabling information flow controls. CC ID 06760 Technical security Preventive
    Define and assign cryptographic, encryption and key management roles and responsibilities. CC ID 15470 Technical security Preventive
    Establish a Registration Authority to support the Public Key Infrastructure. CC ID 15725 Technical security Preventive
    Employ security guards to provide physical security, as necessary. CC ID 06653 Physical and environmental protection Preventive
    Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 Operational and Systems Continuity Preventive
    Include restoration procedures in the continuity plan. CC ID 01169 Operational and Systems Continuity Preventive
    Assign ownership of the information security program to the appropriate role. CC ID 00814 Operational management Preventive
    Classify assets according to the Asset Classification Policy. CC ID 07186 Operational management Preventive
    Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184 Operational management Preventive
    Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652
    [{management procedures} Management responsibilities and procedures should be established to ensure a quick, effective and orderly response to information security incidents. § 16.1.1 Control]
    Operational management Preventive
    Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 Operational management Preventive
    Include the head of information security's roles and responsibilities in the Incident Response program. CC ID 01878 Operational management Preventive
    Include the customer database owner's roles and responsibilities in the Incident Response program. CC ID 01879 Operational management Preventive
    Include the online sales department's roles and responsibilities in the Incident Response program. CC ID 01880 Operational management Preventive
    Include the incident response point of contact for credit card payment system's roles and responsibilities in the Incident Response program. CC ID 01881 Operational management Preventive
    Include the organizational legal counsel's roles and responsibilities in the Incident Response program. CC ID 01882 Operational management Preventive
    Include the Human Resources point of contact's roles and responsibilities in the Incident Response program. CC ID 01883 Operational management Preventive
    Include the organizational incident response network architecture point of contact's roles and responsibilities in the Incident Response program. CC ID 01884 Operational management Preventive
    Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program. CC ID 01885 Operational management Preventive
    Include the organizational incident response location manager's roles and responsibilities in the Incident Response program. CC ID 01886 Operational management Preventive
    Define and assign the system development project team roles and responsibilities. CC ID 01061 Systems design, build, and implementation Preventive
    Disseminate and communicate system development roles and responsibilities to interested personnel and affected parties. CC ID 01062 Systems design, build, and implementation Preventive
    Disseminate and communicate system development roles and responsibilities to business unit leaders. CC ID 01063 Systems design, build, and implementation Preventive
    Include roles and responsibilities in the registration notice. CC ID 16803 Privacy protection for information and data Preventive
    Require data controllers to be accountable for their actions. CC ID 00470 Privacy protection for information and data Preventive
    Process restricted data lawfully and carefully. CC ID 00086 Privacy protection for information and data Preventive
  • Establish/Maintain Documentation
    1015
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Establish, implement, and maintain organizational objectives. CC ID 09959 Leadership and high level objectives Preventive
    Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398 Leadership and high level objectives Preventive
    Establish, implement, and maintain an information classification standard. CC ID 00601 Leadership and high level objectives Preventive
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 Leadership and high level objectives Preventive
    Establish and maintain an Information Systems Assurance Categories Definitions document. CC ID 01608 Leadership and high level objectives Preventive
    Establish, implement, and maintain a policy and procedure management program. CC ID 06285 Leadership and high level objectives Preventive
    Establish and maintain an Authority Document list. CC ID 07113
    [All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements should be explicitly identified, documented and kept up to date for each information system and the organization. § 18.1.1 Control
    All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements should be explicitly identified, documented and kept up to date for each information system and the organization. § 18.1.1 Control]
    Leadership and high level objectives Preventive
    Map in scope assets and in scope records to external requirements. CC ID 12189 Leadership and high level objectives Detective
    Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 Leadership and high level objectives Preventive
    Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 Leadership and high level objectives Preventive
    Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 Leadership and high level objectives Preventive
    Classify controls according to their preventive, detective, or corrective status. CC ID 06436 Leadership and high level objectives Preventive
    Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 Leadership and high level objectives Preventive
    Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 Leadership and high level objectives Preventive
    Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 Leadership and high level objectives Corrective
    Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 Leadership and high level objectives Preventive
    Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 Leadership and high level objectives Preventive
    Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 Leadership and high level objectives Preventive
    Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 Leadership and high level objectives Preventive
    Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 Leadership and high level objectives Preventive
    Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 Leadership and high level objectives Detective
    Document the requirements of stakeholders during the business planning process regarding Information Security. CC ID 06498 Leadership and high level objectives Preventive
    Establish, implement, and maintain an audit and accountability policy. CC ID 14035 Monitoring and measurement Preventive
    Include compliance requirements in the audit and accountability policy. CC ID 14103 Monitoring and measurement Preventive
    Include coordination amongst entities in the audit and accountability policy. CC ID 14102 Monitoring and measurement Preventive
    Include the purpose in the audit and accountability policy. CC ID 14100 Monitoring and measurement Preventive
    Include roles and responsibilities in the audit and accountability policy. CC ID 14098 Monitoring and measurement Preventive
    Include management commitment in the audit and accountability policy. CC ID 14097 Monitoring and measurement Preventive
    Include the scope in the audit and accountability policy. CC ID 14096 Monitoring and measurement Preventive
    Establish, implement, and maintain audit and accountability procedures. CC ID 14057 Monitoring and measurement Preventive
    Establish, implement, and maintain an intrusion detection and prevention program. CC ID 15211 Monitoring and measurement Preventive
    Establish, implement, and maintain an intrusion detection and prevention policy. CC ID 15169 Monitoring and measurement Preventive
    Establish, implement, and maintain an event logging policy. CC ID 15217 Monitoring and measurement Preventive
    Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 Monitoring and measurement Corrective
    Include identity information of suspects in the suspicious activity report. CC ID 16648 Monitoring and measurement Preventive
    Review and update the list of auditable events in the event logging procedures. CC ID 10097 Monitoring and measurement Preventive
    Report a data loss event when non-truncated payment card numbers are outputted. CC ID 04741 Monitoring and measurement Corrective
    Establish, implement, and maintain a continuous monitoring program for configuration management. CC ID 06757 Monitoring and measurement Detective
    Include a change history and identify who made the changes in the file integrity monitoring report. CC ID 12091 Monitoring and measurement Preventive
    Establish, implement, and maintain a vulnerability management program. CC ID 15721 Monitoring and measurement Preventive
    Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 Monitoring and measurement Preventive
    Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 Monitoring and measurement Preventive
    Establish, implement, and maintain a log management program. CC ID 00673 Monitoring and measurement Preventive
    Establish, implement, and maintain an audit program. CC ID 00684 Audits and risk management Preventive
    Include agreement to the audit scope and audit terms in the audit program. CC ID 06965
    [Audit requirements and activities involving verification of operational systems should be carefully planned and agreed to minimize disruptions to business processes. § 12.7.1 Control]
    Audits and risk management Preventive
    Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 Audits and risk management Preventive
    Include audit subject matter in the audit program. CC ID 07103 Audits and risk management Preventive
    Examine the objectivity of the audit criteria in the audit program. CC ID 07104 Audits and risk management Preventive
    Examine the measurability of the audit criteria in the audit program. CC ID 07105 Audits and risk management Preventive
    Examine the completeness of the audit criteria in the audit program. CC ID 07106 Audits and risk management Preventive
    Examine the relevance of the audit criteria in the audit program. CC ID 07107 Audits and risk management Preventive
    Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 Audits and risk management Preventive
    Include in scope information in the audit program. CC ID 16198 Audits and risk management Preventive
    Include the out of scope material or out of scope products in the audit program. CC ID 08962 Audits and risk management Preventive
    Provide a representation letter in support of the audit assertion. CC ID 07158 Audits and risk management Preventive
    Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 Audits and risk management Preventive
    Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 Audits and risk management Preventive
    Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 Audits and risk management Preventive
    Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 Audits and risk management Preventive
    Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 Audits and risk management Preventive
    Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 Audits and risk management Preventive
    Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 Audits and risk management Preventive
    Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 Audits and risk management Preventive
    Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 Audits and risk management Preventive
    Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 Audits and risk management Preventive
    Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 Audits and risk management Preventive
    Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 Audits and risk management Preventive
    Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 Audits and risk management Preventive
    Establish and maintain audit assertions, as necessary. CC ID 14871 Audits and risk management Detective
    Include an in scope system description in the audit assertion. CC ID 14872 Audits and risk management Preventive
    Include any assumptions that are improbable in the audit assertion. CC ID 13950 Audits and risk management Preventive
    Include investigations and legal proceedings in the audit assertion. CC ID 16846 Audits and risk management Preventive
    Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 Audits and risk management Preventive
    Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 Audits and risk management Preventive
    Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 Audits and risk management Preventive
    Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 Audits and risk management Preventive
    Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 Audits and risk management Preventive
    Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 Audits and risk management Preventive
    Include the in scope procedures in the audit assertion. CC ID 06972 Audits and risk management Preventive
    Include the in scope records produced in the audit assertion. CC ID 06968 Audits and risk management Preventive
    Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 Audits and risk management Preventive
    Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 Audits and risk management Preventive
    Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 Audits and risk management Preventive
    Include the in scope risk assessment processes in the audit assertion. CC ID 06975 Audits and risk management Preventive
    Include in scope change controls in the audit assertion. CC ID 06976 Audits and risk management Preventive
    Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 Audits and risk management Preventive
    Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 Audits and risk management Preventive
    Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 Audits and risk management Preventive
    Include how access to in scope systems, personnel and in scope records are provided to the auditor in the audit terms. CC ID 06988 Audits and risk management Preventive
    Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794 Audits and risk management Preventive
    Include the expectations for the audit report in the audit terms. CC ID 07148 Audits and risk management Preventive
    Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 Audits and risk management Preventive
    Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 Audits and risk management Corrective
    Establish, implement, and maintain a risk management program. CC ID 12051 Audits and risk management Preventive
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Audits and risk management Preventive
    Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705
    [{technical vulnerabilities} Information about technical vulnerabilities of information systems being used should be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk. § 12.6.1 Control]
    Audits and risk management Corrective
    Review and approve the risk assessment findings. CC ID 06485 Audits and risk management Preventive
    Establish, implement, and maintain an access control program. CC ID 11702 Technical security Preventive
    Establish, implement, and maintain access control policies. CC ID 00512
    [{business requirements} An access control policy should be established, documented and reviewed based on business and information security requirements. § 9.1.1 Control
    {business requirements} An access control policy should be established, documented and reviewed based on business and information security requirements. § 9.1.1 Control]
    Technical security Preventive
    Include compliance requirements in the access control policy. CC ID 14006 Technical security Preventive
    Include coordination amongst entities in the access control policy. CC ID 14005 Technical security Preventive
    Include management commitment in the access control policy. CC ID 14004 Technical security Preventive
    Include roles and responsibilities in the access control policy. CC ID 14003 Technical security Preventive
    Include the scope in the access control policy. CC ID 14002 Technical security Preventive
    Include the purpose in the access control policy. CC ID 14001 Technical security Preventive
    Document the business need justification for user accounts. CC ID 15490 Technical security Preventive
    Establish, implement, and maintain an instant messaging and chat system usage policy. CC ID 11815 Technical security Preventive
    Disseminate and communicate the access control policies to all interested personnel and affected parties. CC ID 10061 Technical security Preventive
    Establish, implement, and maintain an access rights management plan. CC ID 00513
    [A formal user registration and de-registration process should be implemented to enable assignment of access rights. § 9.2.1 Control]
    Technical security Preventive
    Inventory all user accounts. CC ID 13732 Technical security Preventive
    Add all devices requiring access control to the Access Control List. CC ID 06264 Technical security Preventive
    Include the objects and users subject to access control in the security policy. CC ID 11836 Technical security Preventive
    Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 Technical security Preventive
    Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 Technical security Preventive
    Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771 Technical security Preventive
    Establish and maintain a Digital Rights Management program. CC ID 07093 Technical security Preventive
    Establish, implement, and maintain an authority for access authorization list. CC ID 06782 Technical security Preventive
    Establish, implement, and maintain a password policy. CC ID 16346 Technical security Preventive
    Disseminate and communicate the password policies and password procedures to all users who have access to restricted data or restricted information. CC ID 00518 Technical security Preventive
    Establish, implement, and maintain biometric collection procedures. CC ID 15419 Technical security Preventive
    Document the business need justification for authentication data storage. CC ID 06325 Technical security Preventive
    Establish, implement, and maintain access control procedures. CC ID 11663
    [Where required by the access control policy, access to systems and applications should be controlled by a secure log-on procedure. § 9.4.2 Control]
    Technical security Preventive
    Document approving and granting access in the access control log. CC ID 06786 Technical security Preventive
    Include the user identifiers of all personnel who are authorized to access a system in the system record. CC ID 15171 Technical security Preventive
    Include identity information of all personnel who are authorized to access a system in the system record. CC ID 16406 Technical security Preventive
    Include the date and time that access rights were changed in the system record. CC ID 16415 Technical security Preventive
    Establish, implement, and maintain a network configuration standard. CC ID 00530 Technical security Preventive
    Establish, implement, and maintain a network security policy. CC ID 06440
    [Networks should be managed and controlled to protect information in systems and applications. § 13.1.1 Control]
    Technical security Preventive
    Include compliance requirements in the network security policy. CC ID 14205 Technical security Preventive
    Include coordination amongst entities in the network security policy. CC ID 14204 Technical security Preventive
    Include management commitment in the network security policy. CC ID 14203 Technical security Preventive
    Include roles and responsibilities in the network security policy. CC ID 14202 Technical security Preventive
    Include the scope in the network security policy. CC ID 14201 Technical security Preventive
    Include the purpose in the network security policy. CC ID 14200 Technical security Preventive
    Establish, implement, and maintain system and communications protection procedures. CC ID 14052 Technical security Preventive
    Establish, implement, and maintain a wireless networking policy. CC ID 06732 Technical security Preventive
    Include usage restrictions for Bluetooth in the wireless networking policy. CC ID 16443 Technical security Preventive
    Establish, implement, and maintain information flow control configuration standards. CC ID 01924 Technical security Preventive
    Maintain a record of the challenge state during identification and authentication in an automated information exchange. CC ID 06629 Technical security Preventive
    Develop and implement a content filtering word and phrase library. CC ID 07071 Technical security Preventive
    Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410
    [{data transfer policies} {data transfer procedures} {data transfer controls} Formal transfer policies, procedures and controls should be in place to protect the transfer of information through the use of all types of communication facilities. § 13.2.1 Control]
    Technical security Preventive
    Establish, implement, and maintain a document printing policy. CC ID 14384 Technical security Preventive
    Include printing to personal printers during a continuity event in the document printing policy. CC ID 14396 Technical security Preventive
    Establish, implement, and maintain information flow procedures. CC ID 04542
    [{data transfer policies} {data transfer procedures} {data transfer controls} Formal transfer policies, procedures and controls should be in place to protect the transfer of information through the use of all types of communication facilities. § 13.2.1 Control]
    Technical security Preventive
    Establish, implement, and maintain information exchange procedures. CC ID 11782 Technical security Preventive
    Establish, implement, and maintain whitelists and blacklists of domain names. CC ID 07097 Technical security Preventive
    Revoke membership in the whitelist, as necessary. CC ID 13827 Technical security Corrective
    Establish, implement, and maintain whitelists and blacklists of software. CC ID 11780 Technical security Preventive
    Establish, implement, and maintain a remote access and teleworking program. CC ID 04545
    [A policy and supporting security measures should be implemented to protect information accessed, processed or stored at teleworking sites. § 6.2.2 Control]
    Technical security Preventive
    Include information security requirements in the remote access and teleworking program. CC ID 15704 Technical security Preventive
    Document and approve requests to bypass multifactor authentication. CC ID 15464 Technical security Preventive
    Define the cryptographic module security functions and the cryptographic module operational modes. CC ID 06542 Technical security Preventive
    Define the cryptographic boundaries. CC ID 06543 Technical security Preventive
    Establish and maintain the documentation requirements for cryptographic modules. CC ID 06544 Technical security Preventive
    Establish and maintain the security requirements for cryptographic module ports and cryptographic module interfaces. CC ID 06545 Technical security Preventive
    Establish, implement, and maintain documentation for the delivery and operation of cryptographic modules. CC ID 06547 Technical security Preventive
    Document the operation of the cryptographic module. CC ID 06546 Technical security Preventive
    Generate and protect a secret random number for each digital signature. CC ID 06577 Technical security Preventive
    Establish the security strength requirements for the digital signature process. CC ID 06578 Technical security Preventive
    Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546
    [A policy on the use of cryptographic controls for protection of information should be developed and implemented. § 10.1.1 Control
    A policy on the use, protection and lifetime of cryptographic keys should be developed and implemented through their whole lifecycle. § 10.1.2 Control]
    Technical security Preventive
    Provide guidance to customers on how to securely transmit, store, and update cryptographic keys. CC ID 12040 Technical security Preventive
    Establish, implement, and maintain encryption management procedures. CC ID 15475 Technical security Preventive
    Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 Technical security Preventive
    Include recommended cryptographic key management procedures for cloud service providers in the cryptographic key management procedures. CC ID 13152 Technical security Preventive
    Include requesting cryptographic key types in the cryptographic key management procedures. CC ID 13151 Technical security Preventive
    Include the establishment of cryptographic keys in the cryptographic key management procedures. CC ID 06540 Technical security Preventive
    Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 Technical security Preventive
    Require key custodians to sign the cryptographic key management policy. CC ID 01308 Technical security Preventive
    Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates. CC ID 06587 Technical security Preventive
    Establish, implement, and maintain Public Key certificate application procedures. CC ID 07079 Technical security Preventive
    Include the Identification and Authentication of individuals or entities in the Public Key certificate application procedures. CC ID 07080 Technical security Preventive
    Include approving or rejecting Public Key certificate applications in the Public Key certificate application procedure. CC ID 07081 Technical security Preventive
    Include revocation of Public Key certificates in the Public Key certificate procedures. CC ID 07082 Technical security Preventive
    Publish revoked Public Key certificates in the Certificate Revocation List. CC ID 07089 Technical security Preventive
    Establish, implement, and maintain Public Key renewal or rekeying request procedures. CC ID 07083 Technical security Preventive
    Include identification and authentication in Public Key renewal or rekeying request procedures. CC ID 11816 Technical security Preventive
    Establish, implement, and maintain Public Key certificate procedures. CC ID 07085 Technical security Preventive
    Include signing and issuing Public Key certificates in the Public Key certificate procedures. CC ID 11817 Technical security Preventive
    Include publishing Public Key certificates in the Public Key certificate procedures. CC ID 07087 Technical security Preventive
    Include access to issued Public Key certificates in the Public Key certificate procedures. CC ID 07086 Technical security Preventive
    Authorize transactions of data transmitted over public networks or shared data networks. CC ID 00566 Technical security Preventive
    Establish, implement, and maintain a malicious code protection program. CC ID 00574 Technical security Preventive
    Establish, implement, and maintain a physical security program. CC ID 11757 Physical and environmental protection Preventive
    Establish, implement, and maintain a facility physical security program. CC ID 00711
    [Physical security for offices, rooms and facilities should be designed and applied. § 11.1.3 Control]
    Physical and environmental protection Preventive
    Establish, implement, and maintain opening procedures for businesses. CC ID 16671 Physical and environmental protection Preventive
    Establish, implement, and maintain closing procedures for businesses. CC ID 16670 Physical and environmental protection Preventive
    Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 Physical and environmental protection Preventive
    Define communication methods for reporting crimes. CC ID 06349 Physical and environmental protection Preventive
    Include identification cards or badges in the physical security program. CC ID 14818 Physical and environmental protection Preventive
    Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 Physical and environmental protection Preventive
    Establish, implement, and maintain floor plans. CC ID 16419 Physical and environmental protection Preventive
    Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 Physical and environmental protection Preventive
    Post and maintain security signage for all facilities. CC ID 02201 Physical and environmental protection Preventive
    Identify and document physical access controls for all physical entry points. CC ID 01637
    [Secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. § 11.1.2 Control]
    Physical and environmental protection Preventive
    Establish, implement, and maintain physical access procedures. CC ID 13629 Physical and environmental protection Preventive
    Establish, implement, and maintain a visitor access permission policy. CC ID 06699 Physical and environmental protection Preventive
    Escort visitors within the facility, as necessary. CC ID 06417 Physical and environmental protection Preventive
    Establish, implement, and maintain procedures for changing a visitor's access requirements. CC ID 12048 Physical and environmental protection Preventive
    Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 Physical and environmental protection Preventive
    Authorize physical access to sensitive areas based on job functions. CC ID 12462 Physical and environmental protection Preventive
    Establish, implement, and maintain physical identification procedures. CC ID 00713 Physical and environmental protection Preventive
    Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 Physical and environmental protection Preventive
    Document all lost badges in a lost badge list. CC ID 12448 Physical and environmental protection Corrective
    Establish, implement, and maintain identification issuance procedures for identification cards or badges. CC ID 06598 Physical and environmental protection Preventive
    Include error handling controls in identification issuance procedures. CC ID 13709 Physical and environmental protection Preventive
    Include information security in the identification issuance procedures. CC ID 15425 Physical and environmental protection Preventive
    Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 Physical and environmental protection Preventive
    Include an identity registration process in the identification issuance procedures. CC ID 11671 Physical and environmental protection Preventive
    Establish, implement, and maintain identification renewal procedures for identification cards or badges. CC ID 06599 Physical and environmental protection Preventive
    Establish, implement, and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596 Physical and environmental protection Preventive
    Establish, implement, and maintain identification mechanism termination procedures. CC ID 06306 Physical and environmental protection Preventive
    Establish, implement, and maintain a door security standard. CC ID 06686 Physical and environmental protection Preventive
    Establish, implement, and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems. CC ID 00748 Physical and environmental protection Preventive
    Record the assigned access mechanism serial number or cipher lock code when issuing controlled items. CC ID 06715 Physical and environmental protection Preventive
    Establish, implement, and maintain a window security standard. CC ID 06689 Physical and environmental protection Preventive
    Post signs at all physical entry points stating the organization's right to inspect upon entry. CC ID 02204 Physical and environmental protection Preventive
    Establish, implement, and maintain after hours facility access procedures. CC ID 06340 Physical and environmental protection Preventive
    Establish, implement, and maintain a guideline for working in a secure area. CC ID 04538
    [Procedures for working in secure areas should be designed and applied. § 11.1.5 Control]
    Physical and environmental protection Preventive
    Establish, implement, and maintain emergency re-entry procedures. CC ID 11672 Physical and environmental protection Preventive
    Establish, implement, and maintain emergency exit procedures. CC ID 01252 Physical and environmental protection Preventive
    Establish, Implement, and maintain a camera operating policy. CC ID 15456 Physical and environmental protection Preventive
    Require all visitors to sign in to the visitor log before the entrance of a visitor to the facility. CC ID 06700 Physical and environmental protection Preventive
    Record the date and time of entry in the visitor log. CC ID 13255 Physical and environmental protection Preventive
    Record the onsite personnel authorizing physical access for the visitor in the visitor log. CC ID 12466 Physical and environmental protection Preventive
    Establish, implement, and maintain a physical access log. CC ID 12080 Physical and environmental protection Preventive
    Establish, implement, and maintain physical security threat reports. CC ID 02207 Physical and environmental protection Preventive
    Establish, implement, and maintain a facility wall standard. CC ID 06692 Physical and environmental protection Preventive
    Establish, implement, and maintain asset removal procedures or asset decommissioning procedures. CC ID 04540 Physical and environmental protection Preventive
    Establish, implement, and maintain end user computing device security guidelines. CC ID 00719
    [Users should ensure that unattended equipment has appropriate protection. § 11.2.8 Control]
    Physical and environmental protection Preventive
    Establish, implement, and maintain a locking screen saver policy. CC ID 06717 Physical and environmental protection Preventive
    Establish, implement, and maintain mobile device security guidelines. CC ID 04723
    [A policy and supporting security measures should be adopted to manage the risks introduced by using mobile devices. § 6.2.1 Control
    A policy and supporting security measures should be adopted to manage the risks introduced by using mobile devices. § 6.2.1 Control]
    Physical and environmental protection Preventive
    Include the expectation of data loss in the event of sanitizing the mobile device in the mobile device security guidelines. CC ID 12292 Physical and environmental protection Preventive
    Include legal requirements in the mobile device security guidelines. CC ID 12291 Physical and environmental protection Preventive
    Include prohibiting the usage of unapproved application stores in the mobile device security guidelines. CC ID 12290 Physical and environmental protection Preventive
    Include requiring users to create data backups in the mobile device security guidelines. CC ID 12289 Physical and environmental protection Preventive
    Include the definition of mobile devices in the mobile device security guidelines. CC ID 12288 Physical and environmental protection Preventive
    Establish, implement, and maintain asset return procedures. CC ID 04537 Physical and environmental protection Preventive
    Establish, implement, and maintain a clean desk policy. CC ID 06534
    [A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities should be adopted. § 11.2.9 Control]
    Physical and environmental protection Preventive
    Establish, implement, and maintain clean energy standards. CC ID 16285 Physical and environmental protection Preventive
    Establish, implement, and maintain environmental control procedures. CC ID 12246 Physical and environmental protection Preventive
    Establish, implement, and maintain facility maintenance procedures. CC ID 00710 Physical and environmental protection Preventive
    Define selection criteria for facility locations. CC ID 06351 Physical and environmental protection Preventive
    Establish, implement, and maintain facility demolition procedures. CC ID 16133 Physical and environmental protection Preventive
    Establish, implement, and maintain work environment requirements. CC ID 06613 Physical and environmental protection Preventive
    Establish, implement, and maintain system cleanliness requirements. CC ID 06614 Physical and environmental protection Preventive
    Establish, implement, and maintain a fire prevention and fire suppression standard. CC ID 06695 Physical and environmental protection Preventive
    Establish, implement, and maintain electromagnetic compatibility requirements for in scope assets. CC ID 16472 Physical and environmental protection Preventive
    Establish, implement, and maintain a business continuity program. CC ID 13210 Operational and Systems Continuity Preventive
    Establish, implement, and maintain a continuity framework. CC ID 00732 Operational and Systems Continuity Preventive
    Establish and maintain the scope of the continuity framework. CC ID 11908
    [{scope} The organization should determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster. § 17.1.1 Control]
    Operational and Systems Continuity Preventive
    Include network security in the scope of the continuity framework. CC ID 16327 Operational and Systems Continuity Preventive
    Explain any exclusions to the scope of the continuity framework. CC ID 12236 Operational and Systems Continuity Preventive
    Include the organization's business products and services in the scope of the continuity framework. CC ID 12235 Operational and Systems Continuity Preventive
    Include business units in the scope of the continuity framework. CC ID 11898 Operational and Systems Continuity Preventive
    Include business functions in the scope of the continuity framework. CC ID 12699 Operational and Systems Continuity Preventive
    Establish and maintain a list of interested personnel and affected parties with whom to disseminate and communicate the continuity framework. CC ID 12242 Operational and Systems Continuity Preventive
    Establish, implement, and maintain a continuity plan. CC ID 00752
    [The organization should establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation. § 17.1.2 Control]
    Operational and Systems Continuity Preventive
    Identify all stakeholders in the continuity plan. CC ID 13256 Operational and Systems Continuity Preventive
    Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 Operational and Systems Continuity Preventive
    Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 Operational and Systems Continuity Preventive
    Include identification procedures in the continuity plan, as necessary. CC ID 14372 Operational and Systems Continuity Preventive
    Include the continuity strategy in the continuity plan. CC ID 13189 Operational and Systems Continuity Preventive
    Document and use the lessons learned to update the continuity plan. CC ID 10037 Operational and Systems Continuity Preventive
    Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 Operational and Systems Continuity Preventive
    Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 Operational and Systems Continuity Preventive
    Include incident management procedures in the continuity plan. CC ID 13244 Operational and Systems Continuity Preventive
    Include the use of virtual meeting tools in the continuity plan. CC ID 14390 Operational and Systems Continuity Preventive
    Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 Operational and Systems Continuity Preventive
    Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 Operational and Systems Continuity Preventive
    Establish, implement, and maintain the continuity procedures. CC ID 14236 Operational and Systems Continuity Corrective
    Document the uninterrupted power requirements for all in scope systems. CC ID 06707 Operational and Systems Continuity Preventive
    Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 Operational and Systems Continuity Preventive
    Include notifications to alternate facilities in the continuity plan. CC ID 13220 Operational and Systems Continuity Preventive
    Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 Operational and Systems Continuity Preventive
    Establish, implement, and maintain damage assessment procedures. CC ID 01267 Operational and Systems Continuity Preventive
    Establish, implement, and maintain a recovery plan. CC ID 13288 Operational and Systems Continuity Preventive
    Include procedures to restore network connectivity in the recovery plan. CC ID 16250 Operational and Systems Continuity Preventive
    Include addressing backup failures in the recovery plan. CC ID 13298 Operational and Systems Continuity Preventive
    Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 Operational and Systems Continuity Preventive
    Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 Operational and Systems Continuity Preventive
    Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 Operational and Systems Continuity Preventive
    Include the criteria for activation in the recovery plan. CC ID 13293 Operational and Systems Continuity Preventive
    Include escalation procedures in the recovery plan. CC ID 16248 Operational and Systems Continuity Preventive
    Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 Operational and Systems Continuity Preventive
    Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 Operational and Systems Continuity Detective
    Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 Operational and Systems Continuity Preventive
    Include the recovery plan in the continuity plan. CC ID 01377 Operational and Systems Continuity Preventive
    Establish, implement, and maintain system continuity plan strategies. CC ID 00735 Operational and Systems Continuity Preventive
    Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250 Operational and Systems Continuity Preventive
    Outline explicit mitigation actions for potential off-site electronic media storage facilities accessibility issues for when area-wide disruptions occur or area-wide disasters occur. CC ID 01393 Operational and Systems Continuity Preventive
    Establish, implement, and maintain a personnel management program. CC ID 14018 Human Resources management Preventive
    Establish, implement, and maintain a personnel security program. CC ID 10628 Human Resources management Preventive
    Establish, implement, and maintain personnel screening procedures. CC ID 11700 Human Resources management Preventive
    Perform a criminal records check during personnel screening. CC ID 06643 Human Resources management Preventive
    Document any reasons a full criminal records check could not be performed. CC ID 13305 Human Resources management Preventive
    Perform an academic records check during personnel screening. CC ID 06647 Human Resources management Preventive
    Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549
    [Information security responsibilities and duties that remain valid after termination or change of employment should be defined, communicated to the employee or contractor and enforced. § 7.3.1 Control]
    Human Resources management Preventive
    Require terminated individuals to sign an acknowledgment of post-employment requirements. CC ID 10631 Human Resources management Preventive
    Include evidence of experience in applications for professional certification. CC ID 16193 Human Resources management Preventive
    Include supporting documentation in applications for professional certification. CC ID 16195 Human Resources management Preventive
    Document all training in a training record. CC ID 01423 Human Resources management Detective
    Review the current published guidance and awareness and training programs. CC ID 01245 Human Resources management Preventive
    Establish, implement, and maintain training plans. CC ID 00828 Human Resources management Preventive
    Include portions of the visitor control program in the training plan. CC ID 13287 Human Resources management Preventive
    Establish, implement, and maintain a security awareness program. CC ID 11746 Human Resources management Preventive
    Establish, implement, and maintain a security awareness and training policy. CC ID 14022 Human Resources management Preventive
    Include compliance requirements in the security awareness and training policy. CC ID 14092 Human Resources management Preventive
    Include coordination amongst entities in the security awareness and training policy. CC ID 14091 Human Resources management Preventive
    Establish, implement, and maintain security awareness and training procedures. CC ID 14054 Human Resources management Preventive
    Include management commitment in the security awareness and training policy. CC ID 14049 Human Resources management Preventive
    Include roles and responsibilities in the security awareness and training policy. CC ID 14048 Human Resources management Preventive
    Include the scope in the security awareness and training policy. CC ID 14047 Human Resources management Preventive
    Include the purpose in the security awareness and training policy. CC ID 14045 Human Resources management Preventive
    Include configuration management procedures in the security awareness program. CC ID 13967 Human Resources management Preventive
    Document security awareness requirements. CC ID 12146 Human Resources management Preventive
    Include safeguards for information systems in the security awareness program. CC ID 13046 Human Resources management Preventive
    Include security policies and security standards in the security awareness program. CC ID 13045 Human Resources management Preventive
    Include mobile device security guidelines in the security awareness program. CC ID 11803 Human Resources management Preventive
    Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 Human Resources management Preventive
    Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 Human Resources management Preventive
    Include remote access in the security awareness program. CC ID 13892 Human Resources management Preventive
    Document the goals of the security awareness program. CC ID 12145 Human Resources management Preventive
    Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 Human Resources management Preventive
    Document the scope of the security awareness program. CC ID 12148 Human Resources management Preventive
    Establish, implement, and maintain a security awareness baseline. CC ID 12147 Human Resources management Preventive
    Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363
    [Management should require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization. § 7.2.1 Control]
    Human Resources management Preventive
    Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 Human Resources management Preventive
    Establish, implement, and maintain a Code of Conduct. CC ID 04897 Human Resources management Preventive
    Establish, implement, and maintain a capacity management plan. CC ID 11751 Operational management Preventive
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Operational management Preventive
    Establish, implement, and maintain an internal control framework. CC ID 00820 Operational management Preventive
    Include security information sharing procedures in the internal control framework. CC ID 06489 Operational management Preventive
    Include security incident response procedures in the internal control framework. CC ID 01359
    [{management procedures} Management responsibilities and procedures should be established to ensure a quick, effective and orderly response to information security incidents. § 16.1.1 Control]
    Operational management Preventive
    Establish, implement, and maintain an information security program. CC ID 00812 Operational management Preventive
    Establish, implement, and maintain an information security policy. CC ID 11740
    [A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties. § 5.1.1 Control
    A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties. § 5.1.1 Control
    The policies for information security should be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness. § 5.1.2 Control]
    Operational management Preventive
    Include business processes in the information security policy. CC ID 16326 Operational management Preventive
    Include the information security strategy in the information security policy. CC ID 16125 Operational management Preventive
    Include a commitment to continuous improvement in the information security policy. CC ID 16123 Operational management Preventive
    Include roles and responsibilities in the information security policy. CC ID 16120 Operational management Preventive
    Include a commitment to the information security requirements in the information security policy. CC ID 13496 Operational management Preventive
    Include information security objectives in the information security policy. CC ID 13493 Operational management Preventive
    Include the use of Cloud Services in the information security policy. CC ID 13146 Operational management Preventive
    Include notification procedures in the information security policy. CC ID 16842 Operational management Preventive
    Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 Operational management Preventive
    Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 Operational management Preventive
    Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885
    [All information security responsibilities should be defined and allocated. § 6.1.1 Control
    All information security responsibilities should be defined and allocated. § 6.1.1 Control]
    Operational management Preventive
    Establish, implement, and maintain operational control procedures. CC ID 00831 Operational management Preventive
    Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826
    [Operating procedures should be documented and made available to all users who need them. § 12.1.1 Control]
    Operational management Preventive
    Include metrics in the standard operating procedures manual. CC ID 14988 Operational management Preventive
    Include maintenance measures in the standard operating procedures manual. CC ID 14986 Operational management Preventive
    Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 Operational management Preventive
    Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 Operational management Preventive
    Include predetermined changes in the standard operating procedures manual. CC ID 14977 Operational management Preventive
    Include specifications for input data in the standard operating procedures manual. CC ID 14975 Operational management Preventive
    Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 Operational management Preventive
    Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 Operational management Preventive
    Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 Operational management Preventive
    Include the intended purpose in the standard operating procedures manual. CC ID 14967 Operational management Preventive
    Include information on system performance in the standard operating procedures manual. CC ID 14965 Operational management Preventive
    Include contact details in the standard operating procedures manual. CC ID 14962 Operational management Preventive
    Update operating procedures that contribute to user errors. CC ID 06935 Operational management Corrective
    Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350
    [Rules for the acceptable use of information and of assets associated with information and information processing facilities should be identified, documented and implemented. § 8.1.3 Control]
    Operational management Preventive
    Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 Operational management Preventive
    Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 Operational management Preventive
    Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 Operational management Preventive
    Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 Operational management Preventive
    Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 Operational management Preventive
    Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 Operational management Preventive
    Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 Operational management Preventive
    Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 Operational management Preventive
    Include a web usage policy in the Acceptable Use Policy. CC ID 16496 Operational management Preventive
    Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 Operational management Preventive
    Include asset tags in the Acceptable Use Policy. CC ID 01354 Operational management Preventive
    Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 Operational management Preventive
    Include asset use policies in the Acceptable Use Policy. CC ID 01355
    [Rules for the acceptable use of information and of assets associated with information and information processing facilities should be identified, documented and implemented. § 8.1.3 Control]
    Operational management Preventive
    Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 Operational management Preventive
    Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 Operational management Preventive
    Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 Operational management Preventive
    Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 Operational management Preventive
    Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 Operational management Preventive
    Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 Operational management Preventive
    Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 Operational management Preventive
    Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 Operational management Corrective
    Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 Operational management Preventive
    Include a software installation policy in the Acceptable Use Policy. CC ID 06749
    [Procedures should be implemented to control the installation of software on operational systems. § 12.5.1 Control
    Rules governing the installation of software by users should be established and implemented. § 12.6.2 Control]
    Operational management Preventive
    Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 Operational management Preventive
    Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 Operational management Preventive
    Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 Operational management Preventive
    Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 Operational management Preventive
    Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512
    [Appropriate procedures should be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products. § 18.1.2 Control]
    Operational management Preventive
    Establish, implement, and maintain nondisclosure agreements. CC ID 04536
    [{confidentiality agreements} {identified and documented} Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information should be identified, regularly reviewed and documented. § 13.2.4 Control
    {confidentiality agreements} {identified and documented} Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information should be identified, regularly reviewed and documented. § 13.2.4 Control]
    Operational management Preventive
    Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 Operational management Preventive
    Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 Operational management Preventive
    Establish, implement, and maintain an asset management policy. CC ID 15219 Operational management Preventive
    Establish, implement, and maintain asset management procedures. CC ID 16748 Operational management Preventive
    Include life cycle requirements in the security management program. CC ID 16392 Operational management Preventive
    Include program objectives in the asset management program. CC ID 14413 Operational management Preventive
    Include a commitment to continual improvement in the asset management program. CC ID 14412 Operational management Preventive
    Include compliance with applicable requirements in the asset management program. CC ID 14411 Operational management Preventive
    Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 Operational management Preventive
    Establish, implement, and maintain the systems' confidentiality level. CC ID 01904 Operational management Preventive
    Define confidentiality controls. CC ID 01908 Operational management Preventive
    Establish, implement, and maintain the systems' availability level. CC ID 01905 Operational management Preventive
    Define integrity controls. CC ID 01909 Operational management Preventive
    Establish, implement, and maintain the systems' integrity level. CC ID 01906 Operational management Preventive
    Define availability controls. CC ID 01911 Operational management Preventive
    Establish safety classifications for systems according to their potential harmful effects to operators or end users. CC ID 06603 Operational management Preventive
    Establish, implement, and maintain an asset safety classification scheme. CC ID 06604 Operational management Preventive
    Establish, implement, and maintain the Asset Classification Policy. CC ID 06642 Operational management Preventive
    Document the decision for assigning an asset to a specific asset classification in the Asset Classification Policy. CC ID 07185 Operational management Preventive
    Assign decomposed system components the same asset classification as the originating system. CC ID 06605 Operational management Preventive
    Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689
    [Assets associated with information and information processing facilities should be identified and an inventory of these assets should be drawn up and maintained. § 8.1.1 Control]
    Operational management Preventive
    Include all account types in the Information Technology inventory. CC ID 13311 Operational management Preventive
    Include each Information System's major applications in the Information Technology inventory. CC ID 01407 Operational management Preventive
    Categorize all major applications according to the business information they process. CC ID 07182 Operational management Preventive
    Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 Operational management Preventive
    Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 Operational management Preventive
    Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 Operational management Preventive
    Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 Operational management Preventive
    Establish, implement, and maintain a hardware asset inventory. CC ID 00691 Operational management Preventive
    Include network equipment in the Information Technology inventory. CC ID 00693 Operational management Preventive
    Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 Operational management Preventive
    Include software in the Information Technology inventory. CC ID 00692 Operational management Preventive
    Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 Operational management Preventive
    Establish, implement, and maintain a storage media inventory. CC ID 00694 Operational management Preventive
    Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 Operational management Detective
    Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 Operational management Preventive
    Add inventoried assets to the asset register database, as necessary. CC ID 07051 Operational management Preventive
    Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181 Operational management Preventive
    Record the decommission date for applicable assets in the asset inventory. CC ID 14920 Operational management Preventive
    Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 Operational management Preventive
    Record the review date for applicable assets in the asset inventory. CC ID 14919 Operational management Preventive
    Record services for applicable assets in the asset inventory. CC ID 13733 Operational management Preventive
    Record protocols for applicable assets in the asset inventory. CC ID 13734 Operational management Preventive
    Record the software version in the asset inventory. CC ID 12196 Operational management Preventive
    Record the publisher for applicable assets in the asset inventory. CC ID 13725 Operational management Preventive
    Record the authentication system in the asset inventory. CC ID 13724 Operational management Preventive
    Tag unsupported assets in the asset inventory. CC ID 13723 Operational management Preventive
    Record the install date for applicable assets in the asset inventory. CC ID 13720 Operational management Preventive
    Record the make, model of device for applicable assets in the asset inventory. CC ID 12465 Operational management Preventive
    Record the asset tag for physical assets in the asset inventory. CC ID 06632 Operational management Preventive
    Record the host name of applicable assets in the asset inventory. CC ID 13722 Operational management Preventive
    Record network ports for applicable assets in the asset inventory. CC ID 13730 Operational management Preventive
    Record the MAC address for applicable assets in the asset inventory. CC ID 13721 Operational management Preventive
    Record the operating system type for applicable assets in the asset inventory. CC ID 06633 Operational management Preventive
    Record the department associated with the asset in the asset inventory. CC ID 12084 Operational management Preventive
    Record the physical location for applicable assets in the asset inventory. CC ID 06634 Operational management Preventive
    Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 Operational management Preventive
    Record the firmware version for applicable assets in the asset inventory. CC ID 12195 Operational management Preventive
    Record the related business function for applicable assets in the asset inventory. CC ID 06636 Operational management Preventive
    Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 Operational management Preventive
    Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 Operational management Preventive
    Link the software asset inventory to the hardware asset inventory. CC ID 12085 Operational management Preventive
    Record the owner for applicable assets in the asset inventory. CC ID 06640
    [Assets maintained in the inventory should be owned. § 8.1.2 Control]
    Operational management Preventive
    Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 Operational management Preventive
    Record all changes to assets in the asset inventory. CC ID 12190 Operational management Preventive
    Record cloud service derived data in the asset inventory. CC ID 13007 Operational management Preventive
    Include cloud service customer data in the asset inventory. CC ID 13006 Operational management Preventive
    Establish, implement, and maintain a software accountability policy. CC ID 00868 Operational management Preventive
    Establish, implement, and maintain software asset management procedures. CC ID 00895 Operational management Preventive
    Establish, implement, and maintain software archives procedures. CC ID 00866 Operational management Preventive
    Establish, implement, and maintain software distribution procedures. CC ID 00894 Operational management Preventive
    Establish, implement, and maintain software documentation management procedures. CC ID 06395 Operational management Preventive
    Establish, implement, and maintain software license management procedures. CC ID 06639
    [Appropriate procedures should be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products. § 18.1.2 Control]
    Operational management Preventive
    Establish, implement, and maintain digital legacy procedures. CC ID 16524 Operational management Preventive
    Establish, implement, and maintain a system redeployment program. CC ID 06276 Operational management Preventive
    Document the staff's operating knowledge of the system prior to a personnel status change. CC ID 06937 Operational management Preventive
    Redeploy systems to other organizational units, as necessary. CC ID 11452 Operational management Preventive
    Establish, implement, and maintain a system disposal program. CC ID 14431 Operational management Preventive
    Establish, implement, and maintain disposal procedures. CC ID 16513 Operational management Preventive
    Establish, implement, and maintain asset sanitization procedures. CC ID 16511 Operational management Preventive
    Establish, implement, and maintain system destruction procedures. CC ID 16474 Operational management Preventive
    Establish, implement, and maintain printer and multifunction device disposition procedures. CC ID 15216 Operational management Preventive
    Establish, implement, and maintain a system preventive maintenance program. CC ID 00885
    [Equipment should be correctly maintained to ensure its continued availability and integrity. § 11.2.4 Control]
    Operational management Preventive
    Establish and maintain maintenance reports. CC ID 11749 Operational management Preventive
    Establish and maintain system inspection reports. CC ID 06346 Operational management Preventive
    Establish, implement, and maintain a system maintenance policy. CC ID 14032 Operational management Preventive
    Include compliance requirements in the system maintenance policy. CC ID 14217 Operational management Preventive
    Include management commitment in the system maintenance policy. CC ID 14216 Operational management Preventive
    Include roles and responsibilities in the system maintenance policy. CC ID 14215 Operational management Preventive
    Include the scope in the system maintenance policy. CC ID 14214 Operational management Preventive
    Include the purpose in the system maintenance policy. CC ID 14187 Operational management Preventive
    Include coordination amongst entities in the system maintenance policy. CC ID 14181 Operational management Preventive
    Establish, implement, and maintain system maintenance procedures. CC ID 14059 Operational management Preventive
    Establish, implement, and maintain a technology refresh plan. CC ID 13061 Operational management Preventive
    Establish and maintain an archive of maintenance reports in a maintenance log. CC ID 06202 Operational management Preventive
    Post calibration limits or calibration tolerances on or near assets requiring calibration. CC ID 06204 Operational management Preventive
    Establish, implement, and maintain an end-of-life management process. CC ID 16540 Operational management Preventive
    Establish, implement, and maintain disposal contracts. CC ID 12199 Operational management Preventive
    Include disposal procedures in disposal contracts. CC ID 13905 Operational management Preventive
    Document the storage information for all systems that are stored instead of being disposed or redeployed. CC ID 06936 Operational management Preventive
    Establish, implement, and maintain a data stewardship policy. CC ID 06657 Operational management Preventive
    Establish and maintain an unauthorized software list. CC ID 10601 Operational management Preventive
    Establish, implement, and maintain a customer service program. CC ID 00846 Operational management Preventive
    Include detection procedures in the Incident Management program. CC ID 00588 Operational management Preventive
    Analyze security violations in Suspicious Activity Reports. CC ID 00591 Operational management Preventive
    Include incident reporting procedures in the Incident Management program. CC ID 11772
    [Information security events should be reported through appropriate management channels as quickly as possible. § 16.1.2 Control]
    Operational management Preventive
    Establish, implement, and maintain an Incident Response program. CC ID 00579 Operational management Preventive
    Include incident response team structures in the Incident Response program. CC ID 01237 Operational management Preventive
    Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473 Operational management Preventive
    Establish, implement, and maintain incident response procedures. CC ID 01206
    [Information security incidents should be responded to in accordance with the documented procedures. § 16.1.5 Control]
    Operational management Detective
    Include references to industry best practices in the incident response procedures. CC ID 11956 Operational management Preventive
    Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 Operational management Preventive
    Establish, implement, and maintain a digital forensic evidence framework. CC ID 08652 Operational management Preventive
    Define the business scenarios that require digital forensic evidence. CC ID 08653 Operational management Preventive
    Define the circumstances for collecting digital forensic evidence. CC ID 08657
    [The organization should define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence. § 16.1.7 Control]
    Operational management Preventive
    Establish, implement, and maintain a digital forensic evidence collection program. CC ID 08655
    [The organization should define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence. § 16.1.7 Control]
    Operational management Preventive
    Include roles and responsibilities in the digital forensic evidence collection program. CC ID 15724 Operational management Preventive
    Establish, implement, and maintain a performance management standard. CC ID 01615 Operational management Preventive
    Establish, implement, and maintain system capacity monitoring procedures. CC ID 01619
    [The use of resources should be monitored, tuned and projections made of future capacity requirements to ensure the required system performance. § 12.1.3 Control]
    Operational management Preventive
    Establish, implement, and maintain a Service Level Agreement framework. CC ID 00839 Operational management Preventive
    Include the security mechanisms of network services in the Service Level Agreement. CC ID 12023
    [Security mechanisms, service levels and management requirements of all network services should be identified and included in network services agreements, whether these services are provided in-house or outsourced. § 13.1.2 Control]
    Operational management Preventive
    Include the management requirements for network services in the Service Level Agreement. CC ID 12025
    [Security mechanisms, service levels and management requirements of all network services should be identified and included in network services agreements, whether these services are provided in-house or outsourced. § 13.1.2 Control]
    Operational management Preventive
    Include the service levels for network services in the Service Level Agreement. CC ID 12024
    [Security mechanisms, service levels and management requirements of all network services should be identified and included in network services agreements, whether these services are provided in-house or outsourced. § 13.1.2 Control]
    Operational management Preventive
    Establish, implement, and maintain a change control program. CC ID 00886
    [Changes to the organization, business processes, information processing facilities and systems that affect information security should be controlled. § 12.1.2 Control
    Changes to systems within the development lifecycle should be controlled by the use of formal change control procedures. § 14.2.2 Control]
    Operational management Preventive
    Include potential consequences of unintended changes in the change control program. CC ID 12243 Operational management Preventive
    Include version control in the change control program. CC ID 13119 Operational management Preventive
    Include service design and transition in the change control program. CC ID 13920 Operational management Preventive
    Establish, implement, and maintain a back-out plan. CC ID 13623 Operational management Preventive
    Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373 Operational management Preventive
    Approve back-out plans, as necessary. CC ID 13627 Operational management Corrective
    Include documentation of the impact level of proposed changes in the change request. CC ID 11942 Operational management Preventive
    Establish and maintain a change request approver list. CC ID 06795 Operational management Preventive
    Document all change requests in change request forms. CC ID 06794 Operational management Preventive
    Establish, implement, and maintain emergency change procedures. CC ID 00890 Operational management Preventive
    Log emergency changes after they have been performed. CC ID 12733 Operational management Preventive
    Provide audit trails for all approved changes. CC ID 13120 Operational management Preventive
    Document the sources of all software updates. CC ID 13316 Operational management Preventive
    Establish, implement, and maintain a patch management policy. CC ID 16432 Operational management Preventive
    Establish, implement, and maintain patch management procedures. CC ID 15224 Operational management Preventive
    Establish, implement, and maintain a patch log. CC ID 01642 Operational management Preventive
    Establish, implement, and maintain a software release policy. CC ID 00893 Operational management Preventive
    Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391 Operational management Detective
    Establish, implement, and maintain a change acceptance testing log. CC ID 06392 Operational management Corrective
    Update associated documentation after the system configuration has been changed. CC ID 00891 Operational management Preventive
    Document approved configuration deviations. CC ID 08711 Operational management Corrective
    Document the organization's local environments. CC ID 06726
    [To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. § 5.1 Objective
    To establish a management framework to initiate and control the implementation and operation of information security within the organization. § 6.1 Objective
    To ensure the security of teleworking and use of mobile devices. § 6.2 Objective
    To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered. § 7.1 Objective
    To ensure that employees and contractors are aware of and fulfill their information security responsibilities. § 7.2 Objective
    To protect the organization’s interests as part of the process of changing or terminating employment. § 7.3 Objective
    To identify organizational assets and define appropriate protection responsibilities. § 8.1 Objective
    To prevent unauthorized disclosure, modification, removal or destruction of information stored on media. § 8.3 Objective
    To limit access to information and information processing facilities. § 9.1 Objective
    To ensure authorized user access and to prevent unauthorized access to systems and services. § 9.2 Objective
    To make users accountable for safeguarding their authentication information. § 9.3 Objective
    To prevent unauthorized access to systems and applications. § 9.4 Objective
    To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information. § 10.1 Objective
    To prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities. § 11.1 Objective
    To prevent loss, damage, theft or compromise of assets and interruption to the organization’s operations. § 11.2 Objective
    To ensure correct and secure operations of information processing facilities. § 12.1 Objective
    To ensure that information and information processing facilities are protected against malware. § 12.2 Objective
    To protect against loss of data. § 12.3 Objective
    To record events and generate evidence. § 12.4 Objective
    To ensure the integrity of operational systems. § 12.5 Objective
    To prevent exploitation of technical vulnerabilities. § 12.6 Objective
    To minimise the impact of audit activities on operational systems. § 12.7 Objective
    To ensure the protection of information in networks and its supporting information processing facilities. § 13.1 Objective
    To maintain the security of information transferred within an organization and with any external entity. § 13.2 Objective
    To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks. § 14.1 Objective
    To ensure that information security is designed and implemented within the development lifecycle of information systems. § 14.2 Objective
    To ensure protection of the organization’s assets that is accessible by suppliers. § 15.1 Objective
    To maintain an agreed level of information security and service delivery in line with supplier agreements. § 15.2 Objective
    To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses. § 16.1 Objective
    Information security continuity should be embedded in the organization’s business continuity management systems. § 17.1 Objective
    To ensure availability of information processing facilities. § 17.2 Objective
    To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements. § 18.1 Objective
    To ensure that information security is implemented and operated in accordance with the organizational policies and procedures. § 18.2 Objective
    To ensure that information receives an appropriate level of protection in accordance with its importance to the organization. § 8.2 Objective
    To ensure the protection of data used for testing. § 14.3 Objective]
    Operational management Preventive
    Establish, implement, and maintain local environment security profiles. CC ID 07037 Operational management Preventive
    Include individuals assigned to the local environment in the local environment security profile. CC ID 07038 Operational management Preventive
    Include security requirements in the local environment security profile. CC ID 15717 Operational management Preventive
    Include the business processes assigned to the local environment in the local environment security profile. CC ID 07039 Operational management Preventive
    Include the technology used in the local environment in the local environment security profile. CC ID 07040 Operational management Preventive
    Include contact information for critical personnel assigned to the local environment in the local environment security profile. CC ID 07041 Operational management Preventive
    Include facility information for the local environment in the local environment security profile. CC ID 07042 Operational management Preventive
    Include facility access information for the local environment in the local environment security profile. CC ID 11773 Operational management Preventive
    Update the local environment security profile, as necessary. CC ID 07043 Operational management Preventive
    Establish, implement, and maintain system hardening procedures. CC ID 12001 System hardening through configuration management Preventive
    Establish, implement, and maintain an authenticator standard. CC ID 01702 System hardening through configuration management Preventive
    Establish, implement, and maintain an authenticator management system. CC ID 12031
    [The allocation of secret authentication information should be controlled through a formal management process. § 9.2.4 Control
    {interactive system} Password management systems should be interactive and should ensure quality passwords. § 9.4.3 Control]
    System hardening through configuration management Preventive
    Establish, implement, and maintain authenticator procedures. CC ID 12002
    [Users should be required to follow the organization’s practices in the use of secret authentication information. § 9.3.1 Control]
    System hardening through configuration management Preventive
    Configure the "minimum number of digits required for new passwords" setting to organizational standards. CC ID 08717 System hardening through configuration management Preventive
    Configure the "minimum number of upper case characters required for new passwords" setting to organizational standards. CC ID 08718 System hardening through configuration management Preventive
    Configure the "minimum number of lower case characters required for new passwords" setting to organizational standards. CC ID 08719 System hardening through configuration management Preventive
    Configure the "minimum number of special characters required for new passwords" setting to organizational standards. CC ID 08720 System hardening through configuration management Preventive
    Configure the "require new passwords to differ from old ones by the appropriate minimum number of characters" setting to organizational standards. CC ID 08722 System hardening through configuration management Preventive
    Configure the "password reuse" setting to organizational standards. CC ID 08724 System hardening through configuration management Preventive
    Configure the "shadow password for all accounts in /etc/passwd" setting to organizational standards. CC ID 08721 System hardening through configuration management Preventive
    Configure the "password hashing algorithm" setting to organizational standards. CC ID 08723 System hardening through configuration management Preventive
    Establish, implement, and maintain records management policies. CC ID 00903 Records management Preventive
    Establish, implement, and maintain a record classification scheme. CC ID 00914 Records management Preventive
    Establish, implement, and maintain a records authentication system. CC ID 11648
    [Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements. § 18.1.3 Control]
    Records management Preventive
    Define each system's preservation requirements for records and logs. CC ID 00904 Records management Detective
    Establish, implement, and maintain storage media disposition and destruction procedures. CC ID 11657
    [Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements. § 18.1.3 Control]
    Records management Preventive
    Establish, implement, and maintain records management procedures. CC ID 11619 Records management Preventive
    Establish, implement, and maintain document security requirements for the output of records. CC ID 11656
    [Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements. § 18.1.3 Control]
    Records management Preventive
    Establish, implement, and maintain document handling procedures for paper documents. CC ID 00926 Records management Preventive
    Establish, implement, and maintain electronic storage media management procedures. CC ID 00931
    [Procedures should be implemented for the management of removable media in accordance with the classification scheme adopted by the organization. § 8.3.1 Control]
    Records management Preventive
    Establish, implement, and maintain security label procedures. CC ID 06747
    [An appropriate set of procedures for information labelling should be developed and implemented in accordance with the information classification scheme adopted by the organization. § 8.2.2 Control]
    Records management Preventive
    Establish, implement, and maintain restricted material identification procedures. CC ID 01889 Records management Preventive
    Conspicuously locate the restricted record's overall classification. CC ID 01890 Records management Preventive
    Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 Records management Preventive
    Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 Records management Preventive
    Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 Records management Preventive
    Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 Records management Preventive
    Establish the minimum originator requirements for security labels. CC ID 06579 Records management Preventive
    Establish the minimum intermediate system requirements for security labels. CC ID 06581 Records management Preventive
    Establish the minimum receiver requirements for records or electronic storage media marked with security labels. CC ID 06580 Records management Preventive
    Establish policy based processing rules to process incoming records or electronic storage media marked with security labels. CC ID 06582 Records management Preventive
    Establish, implement, and maintain a records lifecycle management program. CC ID 00951 Records management Preventive
    Establish, implement, and maintain an information preservation policy. CC ID 16483 Records management Preventive
    Establish, implement, and maintain information preservation procedures. CC ID 06277 Records management Preventive
    Establish, implement, and maintain an online availability plan that is commensurate with the electronic storage media. CC ID 00934 Records management Preventive
    Provide audit trails for all pertinent records. CC ID 00372 Records management Detective
    Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320 Records management Preventive
    Include the date and time in the removable storage media log. CC ID 12318 Records management Preventive
    Include the name and signature of the current custodian in the removable storage media log. CC ID 12315 Records management Preventive
    Include the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 Records management Preventive
    Include the recipient's name for the data transfer in the removable storage media log. CC ID 12753 Records management Preventive
    Include the sender's name in the removable storage media log. CC ID 12752 Records management Preventive
    Include the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 Records management Preventive
    Include the reason for transfer in the removable storage media log. CC ID 12316 Records management Preventive
    Document all actions taken when downgrading electronic storage media. CC ID 10622 Records management Preventive
    Establish, implement, and maintain system design principles and system design guidelines. CC ID 01057
    [{system development} Rules for the development of software and systems should be established and applied to developments within the organization. § 14.2.1 Control]
    Systems design, build, and implementation Preventive
    Establish, implement, and maintain a security controls definition document. CC ID 01080 Systems design, build, and implementation Preventive
    Include identified risks and legal requirements in the security controls definition document. CC ID 11743 Systems design, build, and implementation Preventive
    Include naming conventions in system design guidelines. CC ID 13656 Systems design, build, and implementation Preventive
    Establish, implement, and maintain a source data collection design specification. CC ID 01070 Systems design, build, and implementation Preventive
    Establish and maintain an input requirements definition document. CC ID 01071 Systems design, build, and implementation Preventive
    Include continuous protection of systems or system components in the security design principles. CC ID 14748 Systems design, build, and implementation Preventive
    Establish, implement, and maintain a system use training plan. CC ID 01089 Systems design, build, and implementation Preventive
    Establish and maintain access rights to the system use training plan based on least privilege. CC ID 06963 Systems design, build, and implementation Preventive
    Include the physical design characteristics in the system design specification. CC ID 06927 Systems design, build, and implementation Preventive
    Specify appropriate tools for the system development project. CC ID 06830 Systems design, build, and implementation Preventive
    Establish, implement, and maintain outsourced development procedures. CC ID 01141 Systems design, build, and implementation Preventive
    Establish, implement, and maintain a system design specification. CC ID 04557 Systems design, build, and implementation Preventive
    Document the system architecture in the system design specification. CC ID 12287 Systems design, build, and implementation Preventive
    Include hardware requirements in the system design specification. CC ID 08666 Systems design, build, and implementation Preventive
    Include communication links in the system design specification. CC ID 08665 Systems design, build, and implementation Preventive
    Include a description of each module and asset in the system design specification. CC ID 11734 Systems design, build, and implementation Preventive
    Include supporting software requirements in the system design specification. CC ID 08664 Systems design, build, and implementation Preventive
    Establish and maintain Application Programming Interface documentation. CC ID 12203 Systems design, build, and implementation Preventive
    Include configuration options in the Application Programming Interface documentation. CC ID 12205 Systems design, build, and implementation Preventive
    Include the logical data flows and process steps in the system design specification. CC ID 08668 Systems design, build, and implementation Preventive
    Establish and maintain the system design specification in a manner that is clear and easy to read. CC ID 12286 Systems design, build, and implementation Preventive
    Establish, implement, and maintain access control procedures for the test environment that match those of the production environment. CC ID 06793 Systems design, build, and implementation Preventive
    Establish, implement, and maintain payment card architectural designs. CC ID 16132 Systems design, build, and implementation Preventive
    Establish, implement, and maintain coding guidelines. CC ID 08661 Systems design, build, and implementation Preventive
    Establish, implement, and maintain human interface guidelines. CC ID 08662 Systems design, build, and implementation Preventive
    Include mechanisms for changing authenticators in human interface guidelines. CC ID 14944 Systems design, build, and implementation Preventive
    Include functionality for managing user data in human interface guidelines. CC ID 14928 Systems design, build, and implementation Preventive
    Establish and maintain User Interface documentation. CC ID 12204 Systems design, build, and implementation Preventive
    Include system messages in human interface guidelines. CC ID 08663 Systems design, build, and implementation Preventive
    Include measurable system performance requirements in the system design specification. CC ID 08667 Systems design, build, and implementation Preventive
    Include the data structure in the system design specification. CC ID 08669 Systems design, build, and implementation Preventive
    Include the input and output variables in the system design specification. CC ID 08670 Systems design, build, and implementation Preventive
    Include data encryption information in the system design specification. CC ID 12209 Systems design, build, and implementation Preventive
    Include records disposition information in the system design specification. CC ID 12208 Systems design, build, and implementation Preventive
    Include how data is managed in each module in the system design specification. CC ID 12207 Systems design, build, and implementation Preventive
    Include identifying restricted data in the system design specification. CC ID 12206 Systems design, build, and implementation Preventive
    Include in the system documentation methodologies for authenticating the hardware security module. CC ID 12258 Systems design, build, and implementation Preventive
    Establish, implement, and maintain an acceptable use policy for the hardware security module. CC ID 12247 Systems design, build, and implementation Preventive
    Include roles and responsibilities in the acceptable use policy for the hardware security module. CC ID 12264 Systems design, build, and implementation Preventive
    Include the environmental requirements in the acceptable use policy for the hardware security module. CC ID 12263 Systems design, build, and implementation Preventive
    Include device identification in the acceptable use policy for the hardware security module. CC ID 12262 Systems design, build, and implementation Preventive
    Include device functionality in the acceptable use policy for the hardware security module. CC ID 12261 Systems design, build, and implementation Preventive
    Include administrative responsibilities in the acceptable use policy for the hardware security module. CC ID 12260 Systems design, build, and implementation Preventive
    Establish, implement, and maintain session security coding standards. CC ID 04584 Systems design, build, and implementation Preventive
    Establish and maintain a cryptographic architecture document. CC ID 12476 Systems design, build, and implementation Preventive
    Include the algorithms used in the cryptographic architecture document. CC ID 12483 Systems design, build, and implementation Preventive
    Include an inventory of all protected areas in the cryptographic architecture document. CC ID 12486 Systems design, build, and implementation Preventive
    Include a description of the key usage for each key in the cryptographic architecture document. CC ID 12484 Systems design, build, and implementation Preventive
    Include descriptions of all cryptographic keys in the cryptographic architecture document. CC ID 12487 Systems design, build, and implementation Preventive
    Include descriptions of the cryptographic key strength of all cryptographic keys in the cryptographic architecture document. CC ID 12488 Systems design, build, and implementation Preventive
    Include each cryptographic key's expiration date in the cryptographic architecture document. CC ID 12489 Systems design, build, and implementation Preventive
    Include the protocols used in the cryptographic architecture document. CC ID 12485 Systems design, build, and implementation Preventive
    Establish, implement, and maintain a system implementation representation document. CC ID 04558 Systems design, build, and implementation Preventive
    Include the source code in the implementation representation document. CC ID 13089 Systems design, build, and implementation Preventive
    Include the hardware schematics in the implementation representation document. CC ID 13098 Systems design, build, and implementation Preventive
    Review and update the security architecture, as necessary. CC ID 14277 Systems design, build, and implementation Corrective
    Review and update the privacy architecture, as necessary. CC ID 14674 Systems design, build, and implementation Preventive
    Include the Evaluation Assurance Levels in the system design specification. CC ID 04561 Systems design, build, and implementation Preventive
    Establish and maintain system security documentation. CC ID 06271 Systems design, build, and implementation Preventive
    Document the procedures and environment used to create the system or software. CC ID 06609
    [{system development} Rules for the development of software and systems should be established and applied to developments within the organization. § 14.2.1 Control]
    Systems design, build, and implementation Preventive
    Establish, implement, and maintain a system testing policy. CC ID 01102 Systems design, build, and implementation Preventive
    Establish, implement, and maintain system testing procedures. CC ID 11744 Systems design, build, and implementation Preventive
    Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850
    [Privacy and protection of personally identifiable information should be ensured as required in relevant legislation and regulation where applicable. § 18.1.4 Control
    Privacy and protection of personally identifiable information should be ensured as required in relevant legislation and regulation where applicable. § 18.1.4 Control]
    Privacy protection for information and data Preventive
    Include the roles and responsibilities of the organization's legal counsel in the privacy framework. CC ID 14862 Privacy protection for information and data Preventive
    Establish and maintain privacy notices, as necessary. CC ID 13443 Privacy protection for information and data Preventive
    Include the purpose of the privacy notice in the privacy notice. CC ID 13526 Privacy protection for information and data Preventive
    Include the processing purpose in the privacy notice. CC ID 16543 Privacy protection for information and data Preventive
    Include contact information in the privacy notice. CC ID 14432 Privacy protection for information and data Preventive
    Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503 Privacy protection for information and data Preventive
    Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 Privacy protection for information and data Preventive
    Include instructions on how to opt out of personal data disclosure in the privacy notice. CC ID 13461 Privacy protection for information and data Preventive
    Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459 Privacy protection for information and data Preventive
    Include the organization's policies, standards, and procedures in the privacy notice. CC ID 13455 Privacy protection for information and data Preventive
    Include the organization's privacy framework in the privacy notice, as necessary. CC ID 13456 Privacy protection for information and data Preventive
    Include the personal data collection categories in the privacy notice. CC ID 13457 Privacy protection for information and data Preventive
    Include disclosure exceptions in the privacy notice. CC ID 13447 Privacy protection for information and data Preventive
    Include the types of personal data disclosed in the privacy notice. CC ID 13446 Privacy protection for information and data Preventive
    Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458 Privacy protection for information and data Preventive
    Specify the time frame that notice will be given. CC ID 00385 Privacy protection for information and data Preventive
    Include the information about the appeal process in the privacy notice. CC ID 15312 Privacy protection for information and data Preventive
    Combine privacy notices into a joint notification with suppliers, as necessary. CC ID 13468 Privacy protection for information and data Preventive
    Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464 Privacy protection for information and data Preventive
    Document any reasons acknowledgment of the privacy notice was not received. CC ID 14434 Privacy protection for information and data Corrective
    Establish and maintain short-form initial notifications of privacy notices that are clear and conspicuous. CC ID 13466 Privacy protection for information and data Preventive
    Include the organization's privacy framework in the short-form initial notification, as necessary. CC ID 13472 Privacy protection for information and data Preventive
    Include the methodology for accessing the privacy notice in the short-form initial notification. CC ID 13471 Privacy protection for information and data Preventive
    Include that the privacy notice is available upon request in the short-form initial notification. CC ID 13470 Privacy protection for information and data Preventive
    Establish, implement, and maintain opt-out notices. CC ID 13448 Privacy protection for information and data Preventive
    Include how opt out directions for joint consumers are treated in the opt-out notice. CC ID 13465 Privacy protection for information and data Preventive
    Include the opt out method for data subjects in the opt-out notice. CC ID 13467 Privacy protection for information and data Preventive
    Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463 Privacy protection for information and data Preventive
    Explain the right to opt out in the opt-out notice. CC ID 13462 Privacy protection for information and data Preventive
    Include the organization's right to share personal data in the opt-out notice. CC ID 13450 Privacy protection for information and data Preventive
    Provide the data subject with a notice of participation procedures. CC ID 06241 Privacy protection for information and data Preventive
    Publish a description of processing activities in an official register. CC ID 00379 Privacy protection for information and data Preventive
    Establish and maintain a records request manual. CC ID 00381 Privacy protection for information and data Preventive
    Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382 Privacy protection for information and data Preventive
    Define what is included in registration notices. CC ID 00386 Privacy protection for information and data Preventive
    Include the verification method in the registration notice. CC ID 16798 Privacy protection for information and data Preventive
    Include the statutory authority in the registration notice. CC ID 16799 Privacy protection for information and data Preventive
    Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387 Privacy protection for information and data Preventive
    Include a purpose specification description in the registration notice. CC ID 00388 Privacy protection for information and data Preventive
    Include information about the dispute resolution body in the registration notice. CC ID 16800 Privacy protection for information and data Preventive
    Include the data subject category being processed in the registration notice. CC ID 00389 Privacy protection for information and data Preventive
    Include the time period for data processing in the registration notice. CC ID 00390 Privacy protection for information and data Preventive
    Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392 Privacy protection for information and data Preventive
    Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618 Privacy protection for information and data Preventive
    Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394 Privacy protection for information and data Preventive
    Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398 Privacy protection for information and data Preventive
    Disseminate and communicate the notification of rights to students and their parent or legal representative. CC ID 12996 Privacy protection for information and data Preventive
    Include the criteria for determining what constitutes a legitimate educational interest in the notification of rights. CC ID 13004 Privacy protection for information and data Preventive
    Include the criteria for determining what constitutes a school official in the notification of rights. CC ID 13003 Privacy protection for information and data Preventive
    Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002 Privacy protection for information and data Preventive
    Specify the purpose of the disclosure in the written consent. CC ID 13001 Privacy protection for information and data Preventive
    Specify which education records may be disclosed in the written consent. CC ID 13000 Privacy protection for information and data Preventive
    Document the conditions when consent is not required to disclose educational data. CC ID 00225 Privacy protection for information and data Preventive
    Record the health and safety threats of students when disclosing personal data. CC ID 12997 Privacy protection for information and data Preventive
    Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 Privacy protection for information and data Preventive
    Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 Privacy protection for information and data Preventive
    Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027 Privacy protection for information and data Preventive
    Establish and maintain a disclosure accounting record. CC ID 13022 Privacy protection for information and data Preventive
    Include the official authorities that are allowed to disclose restricted data absent consent in the disclosure accounting record. CC ID 13029 Privacy protection for information and data Preventive
    Include the legitimate interests for accessing restricted data in the disclosure accounting record. CC ID 13028 Privacy protection for information and data Preventive
    Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 Privacy protection for information and data Preventive
    Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769 Privacy protection for information and data Preventive
    Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 Privacy protection for information and data Preventive
    Include the disclosure date in the disclosure accounting record. CC ID 07133 Privacy protection for information and data Preventive
    Include the disclosure recipient in the disclosure accounting record. CC ID 07134 Privacy protection for information and data Preventive
    Include the disclosure purpose in the disclosure accounting record. CC ID 07135 Privacy protection for information and data Preventive
    Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136 Privacy protection for information and data Preventive
    Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137 Privacy protection for information and data Preventive
    Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138 Privacy protection for information and data Preventive
    Include the research activity or research protocol in the disclosure accounting record. CC ID 07139 Privacy protection for information and data Preventive
    Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140 Privacy protection for information and data Preventive
    Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141 Privacy protection for information and data Preventive
    Provide shareholders with electronic messages regarding the shareholder meetings. CC ID 04586 Privacy protection for information and data Preventive
    Make telephone directory information available to the public. CC ID 08698 Privacy protection for information and data Preventive
    Define the acceptable data modifications before presenting the data to a data subject. CC ID 00400 Privacy protection for information and data Preventive
    Establish, implement, and maintain a privacy policy. CC ID 06281 Privacy protection for information and data Preventive
    Include the data subject's rights in the privacy policy. CC ID 16355 Privacy protection for information and data Preventive
    Establish, implement, and maintain a privacy policy model document. CC ID 14720 Privacy protection for information and data Preventive
    Document privacy policies in clearly written and easily understood language. CC ID 00376 Privacy protection for information and data Detective
    Document the notification of interested personnel and affected parties regarding privacy policy changes. CC ID 06944 Privacy protection for information and data Preventive
    Write privacy notices in the official languages required by law. CC ID 16529 Privacy protection for information and data Preventive
    Define what is included in the privacy policy. CC ID 00404 Privacy protection for information and data Preventive
    Define the information being collected in the privacy policy. CC ID 13115 Privacy protection for information and data Preventive
    Define which collection of information is voluntary and which is required in the privacy policy. CC ID 13110 Privacy protection for information and data Preventive
    Include the means by which information is collected in the privacy policy. CC ID 13114 Privacy protection for information and data Preventive
    Remove certification marks of privacy programs the organization is no longer a member of from the privacy policy. CC ID 12368 Privacy protection for information and data Corrective
    Include roles and responsibilities in the privacy policy. CC ID 14669 Privacy protection for information and data Preventive
    Include management commitment in the privacy policy. CC ID 14668 Privacy protection for information and data Preventive
    Include coordination amongst entities in the privacy policy. CC ID 14667 Privacy protection for information and data Preventive
    Include the policy for disclosing personal data of persons who have ceased to be customers in the privacy policy. CC ID 14854 Privacy protection for information and data Preventive
    Include compliance requirements in the privacy policy. CC ID 14666 Privacy protection for information and data Preventive
    Include the consequences of refusing to provide required information in the privacy policy. CC ID 13111 Privacy protection for information and data Preventive
    Remove any privacy programs the organization is not a member of from the privacy policy. CC ID 12367 Privacy protection for information and data Corrective
    Include independent recourse mechanisms in the privacy policy, as necessary. CC ID 12366 Privacy protection for information and data Preventive
    Include the privacy programs the organization is a member of in the privacy policy. CC ID 12365 Privacy protection for information and data Preventive
    Include a complaint form in the privacy policy. CC ID 12364 Privacy protection for information and data Preventive
    Include the address where the files and hardware that support the data processing is located in the privacy policy. CC ID 00405 Privacy protection for information and data Preventive
    Include the processing purpose in the privacy policy. CC ID 00406 Privacy protection for information and data Preventive
    Include an overview of applicable information security controls in the privacy policy, as necessary. CC ID 13117 Privacy protection for information and data Preventive
    Include the data subject categories being processed in the privacy policy. CC ID 00407 Privacy protection for information and data Preventive
    Define the retention period for collected information in the privacy policy. CC ID 13116 Privacy protection for information and data Preventive
    Include the time period for when the data processing will be carried out in the privacy policy. CC ID 00408 Privacy protection for information and data Preventive
    Include other organizations that personal data is being disclosed to in the privacy policy. CC ID 00409 Privacy protection for information and data Preventive
    Include how to gain access to personal data held by the organization in the privacy policy. CC ID 00410 Privacy protection for information and data Preventive
    Include instructions on how to opt-out in the privacy policy. CC ID 00411 Privacy protection for information and data Preventive
    Include the privacy policy's Uniform Resource Locator in the privacy policy. CC ID 12363 Privacy protection for information and data Preventive
    Include instructions on how to disable devices that collect restricted data in the privacy policy. CC ID 15454 Privacy protection for information and data Preventive
    Include a description of devices that collect restricted data in the privacy policy. CC ID 15452 Privacy protection for information and data Preventive
    Define the audit method used to assess the privacy program in the privacy policy. CC ID 12390 Privacy protection for information and data Preventive
    Post the privacy policy in an easily seen location. CC ID 00401 Privacy protection for information and data Preventive
    Define who will receive the privacy policy. CC ID 00402 Privacy protection for information and data Preventive
    Establish, implement, and maintain privacy procedures. CC ID 14665 Privacy protection for information and data Preventive
    Establish, implement, and maintain a privacy plan. CC ID 14672 Privacy protection for information and data Preventive
    Include privacy requirements in the privacy plan. CC ID 14699 Privacy protection for information and data Preventive
    Include the information types in the privacy plan. CC ID 14695 Privacy protection for information and data Preventive
    Include threats in the privacy plan. CC ID 14694 Privacy protection for information and data Preventive
    Include roles and responsibilities in the privacy plan. CC ID 14702 Privacy protection for information and data Preventive
    Include a description of the operational context in the privacy plan. CC ID 14692 Privacy protection for information and data Preventive
    Include risk assessment results in the privacy plan. CC ID 14701 Privacy protection for information and data Preventive
    Include the security categorizations and rationale in the privacy plan. CC ID 14690 Privacy protection for information and data Preventive
    Include security controls in the privacy plan. CC ID 14681 Privacy protection for information and data Preventive
    Include a description of the operational environment in the privacy plan. CC ID 14679 Privacy protection for information and data Preventive
    Include network diagrams in the privacy plan. CC ID 14678 Privacy protection for information and data Preventive
    Include the results of the privacy risk assessment in the privacy plan. CC ID 14677 Privacy protection for information and data Preventive
    Establish, implement, and maintain a privacy report. CC ID 14754 Privacy protection for information and data Preventive
    Establish, implement, and maintain personal data choice and consent program. CC ID 12569 Privacy protection for information and data Preventive
    Establish, implement, and maintain data request procedures. CC ID 16546 Privacy protection for information and data Preventive
    Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433 Privacy protection for information and data Preventive
    Include procedures for revoking authorization of consent to use personal data in the disclosure authorization form. CC ID 13438 Privacy protection for information and data Preventive
    Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999 Privacy protection for information and data Preventive
    Include the recipients of the disclosed personal data in the disclosure authorization form. CC ID 13440 Privacy protection for information and data Preventive
    Include the signature of the data subject and the signing date in the disclosure authorization form. CC ID 13439 Privacy protection for information and data Preventive
    Include the identity of the data subject in the disclosure authorization form. CC ID 13436 Privacy protection for information and data Preventive
    Include the types of personal data to be disclosed in the disclosure authorization form. CC ID 13442 Privacy protection for information and data Preventive
    Include how personal data will be used in the disclosure authorization form. CC ID 13441 Privacy protection for information and data Preventive
    Include agreement termination information in the disclosure authorization form. CC ID 13437 Privacy protection for information and data Preventive
    Highlight the section regarding data subject's consent from other sections in contracts and agreements. CC ID 13988 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data accountability program. CC ID 13432 Privacy protection for information and data Preventive
    Establish, implement, and maintain approval applications. CC ID 16778 Privacy protection for information and data Preventive
    Include required information in the approval application. CC ID 16628 Privacy protection for information and data Preventive
    Submit a safe harbor self-certification letter. CC ID 06871 Privacy protection for information and data Preventive
    Establish, implement, and maintain Binding Corporate Rules for the international transfers of restricted data. CC ID 12584 Privacy protection for information and data Preventive
    Include cooperation mechanisms with the supervisory authority in the Binding Corporate Rules. CC ID 12682 Privacy protection for information and data Preventive
    Include the tasks assigned to the role of data controller in the Binding Corporate Rules. CC ID 12612 Privacy protection for information and data Preventive
    Include data subject's rights in the Binding Corporate Rules. CC ID 12596 Privacy protection for information and data Preventive
    Include the means to exercise the data subject's rights in the Binding Corporate Rules. CC ID 12597 Privacy protection for information and data Preventive
    Include the organizational structure and contact information in the Binding Corporate Rules. CC ID 12595 Privacy protection for information and data Preventive
    Include the acceptance of liability for breaches of the binding corporate rules in the Binding Corporate Rules. CC ID 12594 Privacy protection for information and data Preventive
    Include the mechanisms for reporting legal requirements causing adverse effects on protecting restricted data in the Binding Corporate Rules. CC ID 12620 Privacy protection for information and data Preventive
    Include provisions for providing information on the binding corporate rules to the data subject in the Binding Corporate Rules. CC ID 12593 Privacy protection for information and data Preventive
    Include reporting changes to the binding corporate rules in the Binding Corporate Rules. CC ID 12591 Privacy protection for information and data Preventive
    Include reporting changes of the binding corporate rules to the supervisory authority in the Binding Corporate Rules. CC ID 12592 Privacy protection for information and data Preventive
    Include complaint procedures in the Binding Corporate Rules. CC ID 12613 Privacy protection for information and data Preventive
    Include the data transfers in the Binding Corporate Rules. CC ID 12590 Privacy protection for information and data Preventive
    Include specifying the mechanisms for verifying compliance of the binding corporate rules in the Binding Corporate Rules. CC ID 12662 Privacy protection for information and data Preventive
    Include the identification of the countries in question for the data transfers in the Binding Corporate Rules. CC ID 12601 Privacy protection for information and data Preventive
    Include the type of data subjects affected by the data transfers in the Binding Corporate Rules. CC ID 12600 Privacy protection for information and data Preventive
    Include all pertinent data processing information for data transfers in the Binding Corporate Rules. CC ID 12599 Privacy protection for information and data Preventive
    Include the categories of personal data for data transfers in the Binding Corporate Rules. CC ID 12598 Privacy protection for information and data Preventive
    Include specifying the legally binding nature of the binding corporate rules in the Binding Corporate Rules. CC ID 12627 Privacy protection for information and data Preventive
    Include privacy awareness and training in the Binding Corporate Rules. CC ID 12626 Privacy protection for information and data Preventive
    Establish, implement, and maintain Data Processing Contracts. CC ID 12650 Privacy protection for information and data Preventive
    Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 Privacy protection for information and data Preventive
    Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 Privacy protection for information and data Preventive
    Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 Privacy protection for information and data Preventive
    Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 Privacy protection for information and data Preventive
    Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937 Privacy protection for information and data Preventive
    Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 Privacy protection for information and data Preventive
    Include the duration of processing in the Data Processing Contract. CC ID 14935 Privacy protection for information and data Preventive
    Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 Privacy protection for information and data Preventive
    Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 Privacy protection for information and data Preventive
    Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 Privacy protection for information and data Preventive
    Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 Privacy protection for information and data Preventive
    Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670 Privacy protection for information and data Preventive
    Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data use limitation program. CC ID 13428 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 Privacy protection for information and data Preventive
    Document the law that requires restricted data to be collected. CC ID 00103 Privacy protection for information and data Preventive
    Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 Privacy protection for information and data Preventive
    Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 Privacy protection for information and data Preventive
    Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 Privacy protection for information and data Preventive
    Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 Privacy protection for information and data Preventive
    Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124 Privacy protection for information and data Preventive
    Establish, implement, and maintain data access procedures. CC ID 00414 Privacy protection for information and data Preventive
    Require data access requests to be in writing, unless the requester is unable. CC ID 00420 Privacy protection for information and data Preventive
    Define what is to be included in a data access request. CC ID 08699 Privacy protection for information and data Preventive
    Deliver the records described in the personal data access request, as necessary. CC ID 08701 Privacy protection for information and data Preventive
    Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 Privacy protection for information and data Preventive
    Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 Privacy protection for information and data Preventive
    Notify third parties of data access requests that relates to the third party. CC ID 08703 Privacy protection for information and data Preventive
    Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 Privacy protection for information and data Preventive
    Establish and maintain a record of processing activities when processing restricted data. CC ID 12636 Privacy protection for information and data Preventive
    Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378 Privacy protection for information and data Preventive
    Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377 Privacy protection for information and data Preventive
    Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376 Privacy protection for information and data Preventive
    Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375 Privacy protection for information and data Preventive
    Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 Privacy protection for information and data Preventive
    Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 Privacy protection for information and data Preventive
    Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 Privacy protection for information and data Preventive
    Define and implement valid authorization control requirements. CC ID 06258 Privacy protection for information and data Preventive
    Define security breach notification requirement exceptions. CC ID 04797 Privacy protection for information and data Preventive
    Define what restricted data is not required to be disclosed absent consent. CC ID 00134 Privacy protection for information and data Preventive
    Define the exceptions to disclosure absent consent. CC ID 00135 Privacy protection for information and data Preventive
    Define opt-out exceptions for disclosing restricted data. CC ID 00159 Privacy protection for information and data Preventive
    Define how a data subject may give consent. CC ID 00160 Privacy protection for information and data Preventive
    Disclose restricted data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162 Privacy protection for information and data Detective
    Establish, implement, and maintain restricted data retention procedures. CC ID 00167 Privacy protection for information and data Preventive
    Establish, implement, and maintain personal data disposition procedures. CC ID 13498 Privacy protection for information and data Preventive
    Document the redisclosing restricted data exceptions. CC ID 00170 Privacy protection for information and data Preventive
    Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 Privacy protection for information and data Preventive
    Establish, implement, and maintain data disclosure procedures. CC ID 00133 Privacy protection for information and data Preventive
    Establish, implement, and maintain data request denial procedures. CC ID 00434 Privacy protection for information and data Preventive
    Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 Privacy protection for information and data Preventive
    Include cookie management in the privacy framework. CC ID 13809 Privacy protection for information and data Preventive
    Establish, implement, and maintain cookie management procedures. CC ID 13810 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data collection program. CC ID 06487 Privacy protection for information and data Preventive
    Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data use policy. CC ID 00076 Privacy protection for information and data Preventive
    Post the collection purpose. CC ID 00101 Privacy protection for information and data Preventive
    Document each individual's personal data collection consent preferences. CC ID 06945 Privacy protection for information and data Preventive
    Establish and maintain a personal data definition. CC ID 00028 Privacy protection for information and data Preventive
    Include the number of children in the personal data definition. CC ID 13759 Privacy protection for information and data Preventive
    Include the individual's religion in the personal data definition. CC ID 13765 Privacy protection for information and data Preventive
    Include an individual's political party affiliation in the personal data definition. CC ID 13764 Privacy protection for information and data Preventive
    Include an individual's license plate number in the personal data definition. CC ID 13763 Privacy protection for information and data Preventive
    Include an individual's account balances in the personal data definition. CC ID 13770 Privacy protection for information and data Preventive
    Include an individual's logon credentials in the personal data definition. CC ID 13771 Privacy protection for information and data Preventive
    Include an individual's military identification number in the personal data definition. CC ID 13083 Privacy protection for information and data Preventive
    Refrain from including publicly available information in the personal data definition. CC ID 13084 Privacy protection for information and data Preventive
    Notify parents or legal representatives of what information is collected from children. CC ID 00040 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data collection policy. CC ID 00029 Privacy protection for information and data Preventive
    Provide the data subject with information about the data controller during the collection process. CC ID 00023 Privacy protection for information and data Preventive
    Provide the data subject with the data collector's name and contact information. CC ID 00024 Privacy protection for information and data Preventive
    Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025 Privacy protection for information and data Preventive
    Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026 Privacy protection for information and data Preventive
    Establish, implement, and maintain a data handling program. CC ID 13427 Privacy protection for information and data Preventive
    Establish, implement, and maintain data handling policies. CC ID 00353 Privacy protection for information and data Preventive
    Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 Privacy protection for information and data Preventive
    Establish, implement, and maintain suspicious document procedures. CC ID 04852 Privacy protection for information and data Detective
    Establish, implement, and maintain a telephone systems usage policy. CC ID 15170 Privacy protection for information and data Preventive
    Establish, implement, and maintain call metadata controls. CC ID 04790 Privacy protection for information and data Preventive
    Establish, implement, and maintain data handling procedures. CC ID 11756 Privacy protection for information and data Preventive
    Define personal data that falls under breach notification rules. CC ID 00800 Privacy protection for information and data Preventive
    Define an out of scope privacy breach. CC ID 04677 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data transfer program. CC ID 00307 Privacy protection for information and data Preventive
    Include procedures for transferring personal data from one data controller to another data controller in the personal data transfer program. CC ID 00351 Privacy protection for information and data Preventive
    Include procedures for transferring personal data to third parties in the personal data transfer program. CC ID 00333 Privacy protection for information and data Preventive
    Document transfer disagreements by the data subject in writing. CC ID 00348 Privacy protection for information and data Preventive
    Define the personal data transfer exceptions for transferring personal data to another country when adequate protection level standards are not met. CC ID 00315 Privacy protection for information and data Preventive
    Define the personal data transfer exceptions for transferring personal data to another organization when adequate protection level standards are not met. CC ID 00336 Privacy protection for information and data Preventive
    Establish, implement, and maintain Internet interactivity data transfer procedures. CC ID 06949 Privacy protection for information and data Preventive
    Establish, implement, and maintain a privacy impact assessment. CC ID 13712 Privacy protection for information and data Preventive
    Include the individuals with whom information is shared in the privacy impact assessment. CC ID 15520 Privacy protection for information and data Preventive
    Include how to grant consent in the privacy impact assessment. CC ID 15519 Privacy protection for information and data Preventive
    Include the opportunities for individuals to consent to using their information in the privacy impact assessment. CC ID 15518 Privacy protection for information and data Preventive
    Include the opportunities for opting out of information collection in the privacy impact assessment. CC ID 15517 Privacy protection for information and data Preventive
    Include data handling procedures in the privacy impact assessment. CC ID 15516 Privacy protection for information and data Preventive
    Include the intended use of information in the privacy impact assessment. CC ID 15515 Privacy protection for information and data Preventive
    Include the reason information is being collected in the privacy impact assessment. CC ID 15514 Privacy protection for information and data Preventive
    File privacy rights violation complaints in writing. CC ID 00477 Privacy protection for information and data Corrective
    Include the acts or omissions that are in violation of privacy rights in the privacy rights violation complaint. CC ID 14360 Privacy protection for information and data Corrective
    Include the individual's name who is the subject of the complaint in the privacy rights violation complaint. CC ID 14359 Privacy protection for information and data Preventive
    Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526 Privacy protection for information and data Preventive
    Include potential remedies in the privacy dispute resolution program. CC ID 12531 Privacy protection for information and data Preventive
    Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395 Privacy protection for information and data Preventive
    Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529 Privacy protection for information and data Preventive
    Document unresolved challenges. CC ID 13568 Privacy protection for information and data Preventive
    Establish, implement, and maintain an accuracy resolution policy. CC ID 00460 Privacy protection for information and data Preventive
    Document disagreements as to whether personal data is complete and accurate. CC ID 06952 Privacy protection for information and data Preventive
    Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954 Privacy protection for information and data Preventive
    Include the allegations against the organization in the notice of investigation. CC ID 13031 Privacy protection for information and data Preventive
    Create an investigative report in regards to a privacy rights violation complaint. CC ID 00495 Privacy protection for information and data Corrective
    Define the available administrative remedies in regards to a privacy rights violation complaint. CC ID 00497 Privacy protection for information and data Detective
    Define the organization's liability based on the applicable law. CC ID 00504 Privacy protection for information and data Preventive
    Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 Privacy protection for information and data Preventive
    Define the appeal process based on the applicable law. CC ID 00506 Privacy protection for information and data Preventive
    Provide notice of proposed penalties. CC ID 06216 Privacy protection for information and data Preventive
    Establish, implement, and maintain a supply chain management program. CC ID 11742 Third Party and supply chain oversight Preventive
    Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 Third Party and supply chain oversight Preventive
    Include a description of the product or service to be provided in third party contracts. CC ID 06509 Third Party and supply chain oversight Preventive
    Include a description of the products or services fees in third party contracts. CC ID 10018 Third Party and supply chain oversight Preventive
    Include which parties are responsible for which fees in third party contracts. CC ID 10019 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543
    [{information flow agreement} {establish} Agreements should address the secure transfer of business information between the organization and external parties. § 13.2.2 Control]
    Third Party and supply chain oversight Preventive
    Include the type of information being transmitted in the information flow agreement. CC ID 14245 Third Party and supply chain oversight Preventive
    Include the security requirements in the information flow agreement. CC ID 14244 Third Party and supply chain oversight Preventive
    Include the interface characteristics in the information flow agreement. CC ID 14240 Third Party and supply chain oversight Preventive
    Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528 Third Party and supply chain oversight Preventive
    Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 Third Party and supply chain oversight Preventive
    Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 Third Party and supply chain oversight Preventive
    Include a description of the data or information to be covered in third party contracts. CC ID 06510 Third Party and supply chain oversight Preventive
    Include text about data ownership in third party contracts. CC ID 06502 Third Party and supply chain oversight Preventive
    Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 Third Party and supply chain oversight Preventive
    Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 Third Party and supply chain oversight Preventive
    Include the contract duration in third party contracts. CC ID 16221 Third Party and supply chain oversight Preventive
    Include roles and responsibilities in third party contracts. CC ID 13487 Third Party and supply chain oversight Preventive
    Include cryptographic keys in third party contracts. CC ID 16179 Third Party and supply chain oversight Preventive
    Include bankruptcy provisions in third party contracts. CC ID 16519 Third Party and supply chain oversight Preventive
    Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 Third Party and supply chain oversight Preventive
    Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506
    [Information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets should be agreed with the supplier and documented. § 15.1.1 Control]
    Third Party and supply chain oversight Preventive
    Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 Third Party and supply chain oversight Preventive
    Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 Third Party and supply chain oversight Preventive
    Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 Third Party and supply chain oversight Preventive
    Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 Third Party and supply chain oversight Preventive
    Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 Third Party and supply chain oversight Preventive
    Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 Third Party and supply chain oversight Preventive
    Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 Third Party and supply chain oversight Preventive
    Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 Third Party and supply chain oversight Preventive
    Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 Third Party and supply chain oversight Preventive
    Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 Third Party and supply chain oversight Preventive
    Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 Third Party and supply chain oversight Preventive
    Include a reporting structure in third party contracts. CC ID 06532 Third Party and supply chain oversight Preventive
    Include points of contact in third party contracts. CC ID 12355 Third Party and supply chain oversight Preventive
    Include financial reporting in third party contracts, as necessary. CC ID 13573 Third Party and supply chain oversight Preventive
    Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 Third Party and supply chain oversight Preventive
    Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 Third Party and supply chain oversight Preventive
    Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 Third Party and supply chain oversight Preventive
    Include an indemnification and liability clause in third party contracts. CC ID 06517 Third Party and supply chain oversight Preventive
    Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 Third Party and supply chain oversight Preventive
    Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 Third Party and supply chain oversight Preventive
    Include text regarding foreign-based third parties in third party contracts. CC ID 06722 Third Party and supply chain oversight Preventive
    Include change control clauses in third party contracts, as necessary. CC ID 06523
    [Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, should be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks. § 15.2.2 Control]
    Third Party and supply chain oversight Preventive
    Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 Third Party and supply chain oversight Preventive
    Include triggers for renegotiating the contract in third party contracts. CC ID 06527 Third Party and supply chain oversight Preventive
    Include change control notification processes in third party contracts. CC ID 06524 Third Party and supply chain oversight Preventive
    Include cost structure changes in third party contracts. CC ID 10021 Third Party and supply chain oversight Preventive
    Include a choice of venue clause in third party contracts. CC ID 06520 Third Party and supply chain oversight Preventive
    Include a dispute resolution clause in third party contracts. CC ID 06519 Third Party and supply chain oversight Preventive
    Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 Third Party and supply chain oversight Preventive
    Include a termination provision clause in third party contracts. CC ID 01367 Third Party and supply chain oversight Detective
    Include early termination contingency plans in the third party contracts. CC ID 06526 Third Party and supply chain oversight Preventive
    Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 Third Party and supply chain oversight Preventive
    Include termination costs in third party contracts. CC ID 10023 Third Party and supply chain oversight Preventive
    Include text about obtaining adequate insurance in third party contracts. CC ID 06880 Third Party and supply chain oversight Preventive
    Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 Third Party and supply chain oversight Preventive
    Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 Third Party and supply chain oversight Preventive
    Include end-of-life information in third party contracts. CC ID 15265 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791 Third Party and supply chain oversight Preventive
    Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 Third Party and supply chain oversight Preventive
    Include requirements for alternate processing facilities in third party contracts. CC ID 13059 Third Party and supply chain oversight Preventive
    Include risk management procedures in the supply chain management policy. CC ID 08811 Third Party and supply chain oversight Preventive
    Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029
    [Information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets should be agreed with the supplier and documented. § 15.1.1 Control
    Agreements with suppliers should include requirements to address the information security risks associated with information and communications technology services and product supply chain. § 15.1.3 Control]
    Third Party and supply chain oversight Preventive
    Request attestation of compliance from third parties. CC ID 12067 Third Party and supply chain oversight Detective
  • Human Resources Management
    44
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Assign roles and responsibilities for overseeing access to restricted data or restricted information. CC ID 11950 Monitoring and measurement Detective
    Define roles for information systems. CC ID 12454 Technical security Preventive
    Define access needs for each role assigned to an information system. CC ID 12455 Technical security Preventive
    Change authenticators after personnel status changes. CC ID 12284 Technical security Preventive
    Assign roles and responsibilities for administering user account management. CC ID 11900 Technical security Preventive
    Require key custodians to sign the key custodian's roles and responsibilities. CC ID 11820 Technical security Preventive
    Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 Physical and environmental protection Preventive
    Direct each employee to be responsible for their identification card or badge. CC ID 12332 Physical and environmental protection Preventive
    Assign employees the responsibility for controlling their identification badges. CC ID 12333 Physical and environmental protection Preventive
    Lead or manage business continuity and system continuity, as necessary. CC ID 12240 Operational and Systems Continuity Preventive
    Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 Operational and Systems Continuity Preventive
    Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 Operational and Systems Continuity Preventive
    Perform a background check during personnel screening. CC ID 11758
    [Background verification checks on all candidates for employment should be carried out in accordance with relevant laws, regulations and ethics and should be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. § 7.1.1 Control
    Background verification checks on all candidates for employment should be carried out in accordance with relevant laws, regulations and ethics and should be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. § 7.1.1 Control]
    Human Resources management Detective
    Perform a personal identification check during personnel screening. CC ID 06721 Human Resources management Preventive
    Perform a personal references check during personnel screening. CC ID 06645 Human Resources management Preventive
    Perform a credit check during personnel screening. CC ID 06646 Human Resources management Preventive
    Perform a resume check during personnel screening. CC ID 06659 Human Resources management Preventive
    Perform a curriculum vitae check during personnel screening. CC ID 06660 Human Resources management Preventive
    Assign an owner of the personnel status change and termination procedures. CC ID 11805 Human Resources management Preventive
    Notify the security manager, in writing, prior to an employee's job change. CC ID 12283 Human Resources management Preventive
    Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992
    [Information security responsibilities and duties that remain valid after termination or change of employment should be defined, communicated to the employee or contractor and enforced. § 7.3.1 Control]
    Human Resources management Preventive
    Update contact information of any individual undergoing a personnel status change, as necessary. CC ID 12692 Human Resources management Corrective
    Conduct exit interviews upon termination of employment. CC ID 14290 Human Resources management Preventive
    Verify completion of each activity in the employee termination checklist when an individual is terminated. CC ID 12449 Human Resources management Detective
    Support certification programs as viable training programs. CC ID 13268 Human Resources management Preventive
    Hire third parties to conduct training, as necessary. CC ID 13167 Human Resources management Preventive
    Include ethical culture in the training plan, as necessary. CC ID 12801 Human Resources management Preventive
    Include duties and responsibilities in the training plan, as necessary. CC ID 12800 Human Resources management Preventive
    Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 Human Resources management Preventive
    Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 Human Resources management Preventive
    Encourage interested personnel to obtain security certification. CC ID 11804 Human Resources management Preventive
    Include the information security responsibilities of the organization and the individual in the Terms and Conditions of employment. CC ID 12029
    [The contractual agreements with employees and contractors should state their and the organization’s responsibilities for information security. § 7.1.2 Control]
    Human Resources management Preventive
    Assign an information owner to organizational assets, as necessary. CC ID 12729 Operational management Preventive
    Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 Operational management Preventive
    Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 Operational management Preventive
    Assign the distribution of security alerts to the appropriate role in the incident response program. CC ID 11887 Operational management Preventive
    Assign appropriate parties to approve the system design specification. CC ID 13070 Systems design, build, and implementation Preventive
    Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435 Privacy protection for information and data Preventive
    Assign ownership of the privacy program to the appropriate organizational role. CC ID 11848 Privacy protection for information and data Preventive
    Bind data controllers to secrecy concerning the performance of their duties. CC ID 12610 Privacy protection for information and data Preventive
    Refrain from engaging other data processors absent written authorization from the data controller. CC ID 12647 Privacy protection for information and data Preventive
    Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 Privacy protection for information and data Preventive
    Review compliance with the organization's privacy objectives. CC ID 13490 Privacy protection for information and data Detective
    Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798 Privacy protection for information and data Preventive
  • IT Impact Zone
    14
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Leadership and high level objectives CC ID 00597 Leadership and high level objectives IT Impact Zone
    Monitoring and measurement CC ID 00636 Monitoring and measurement IT Impact Zone
    Audits and risk management CC ID 00677 Audits and risk management IT Impact Zone
    Technical security CC ID 00508 Technical security IT Impact Zone
    Physical and environmental protection CC ID 00709 Physical and environmental protection IT Impact Zone
    Operational and Systems Continuity CC ID 00731 Operational and Systems Continuity IT Impact Zone
    Human Resources management CC ID 00763 Human Resources management IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    System hardening through configuration management CC ID 00860 System hardening through configuration management IT Impact Zone
    Records management CC ID 00902 Records management IT Impact Zone
    Systems design, build, and implementation CC ID 00989 Systems design, build, and implementation IT Impact Zone
    Acquisition or sale of facilities, technology, and services CC ID 01123 Acquisition or sale of facilities, technology, and services IT Impact Zone
    Privacy protection for information and data CC ID 00008 Privacy protection for information and data IT Impact Zone
    Third Party and supply chain oversight CC ID 08807 Third Party and supply chain oversight IT Impact Zone
  • Investigate
    20
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925 Monitoring and measurement Corrective
    Monitor and evaluate the effectiveness of detection tools. CC ID 13505 Monitoring and measurement Detective
    Determine if high rates of retail payment activities are from Originating Depository Financial Institutions. CC ID 13546 Monitoring and measurement Detective
    Review retail payment service reports, as necessary. CC ID 13545 Monitoring and measurement Detective
    Rank discovered vulnerabilities. CC ID 11940 Monitoring and measurement Detective
    Examine the availability of the audit criteria in the audit program. CC ID 16520 Audits and risk management Preventive
    Take appropriate action to address information flow anomalies. CC ID 12164 Technical security Corrective
    Document information flow anomalies that do not fit normal traffic patterns. CC ID 12163 Technical security Detective
    Detect anomalies in physical barriers. CC ID 13533 Physical and environmental protection Detective
    Report anomalies in the visitor log to appropriate personnel. CC ID 14755 Physical and environmental protection Detective
    Determine the cause for the activation of the recovery plan. CC ID 13291 Operational and Systems Continuity Detective
    Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program. CC ID 11886 Operational management Detective
    Conduct forensic investigations in the event of a security compromise. CC ID 11951 Operational management Corrective
    Identify potential sources of digital forensic evidence. CC ID 08651
    [The organization should define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence. § 16.1.7 Control]
    Operational management Preventive
    Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 Operational management Detective
    Collect data about the network environment when certifying the network. CC ID 13125 Operational management Detective
    Analyze requirements for processing personal data in contracts. CC ID 12550 Privacy protection for information and data Detective
    Confirm the data quality of personal data collected from third parties. CC ID 13510 Privacy protection for information and data Detective
    Review the methods for collecting personal data, as necessary. CC ID 13511 Privacy protection for information and data Detective
    Perform an identity check prior to approving an account change request. CC ID 13670 Privacy protection for information and data Detective
  • Log Management
    38
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Establish, implement, and maintain logging and monitoring operations. CC ID 00637
    [Event logs recording user activities, exceptions, faults and information security events should be produced, kept and regularly reviewed. § 12.4.1 Control]
    Monitoring and measurement Detective
    Enable monitoring and logging operations on all assets that meet the organizational criteria to maintain event logs. CC ID 06312
    [Event logs recording user activities, exceptions, faults and information security events should be produced, kept and regularly reviewed. § 12.4.1 Control]
    Monitoring and measurement Preventive
    Document and communicate the log locations to the owning entity. CC ID 12047 Monitoring and measurement Preventive
    Make logs available for review by the owning entity. CC ID 12046 Monitoring and measurement Preventive
    Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 Monitoring and measurement Detective
    Establish, implement, and maintain event logging procedures. CC ID 01335 Monitoring and measurement Detective
    Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 Monitoring and measurement Preventive
    Protect the event logs from failure. CC ID 06290 Monitoring and measurement Preventive
    Review and update event logs and audit logs, as necessary. CC ID 00596
    [System administrator and system operator activities should be logged and the logs protected and regularly reviewed. § 12.4.3 Control
    Event logs recording user activities, exceptions, faults and information security events should be produced, kept and regularly reviewed. § 12.4.1 Control]
    Monitoring and measurement Detective
    Eliminate false positives in event logs and audit logs. CC ID 07047 Monitoring and measurement Corrective
    Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 Monitoring and measurement Detective
    Reproduce the event log if a log failure is captured. CC ID 01426 Monitoring and measurement Preventive
    Enable logging for all systems that meet a traceability criteria. CC ID 00640 Monitoring and measurement Detective
    Analyze firewall logs for the correct capturing of data. CC ID 00549 Monitoring and measurement Detective
    Define the frequency to capture and log events. CC ID 06313 Monitoring and measurement Preventive
    Include logging frequencies in the event logging procedures. CC ID 00642 Monitoring and measurement Preventive
    Log account usage to determine dormant accounts. CC ID 12118 Monitoring and measurement Detective
    Log account usage times. CC ID 07099 Monitoring and measurement Detective
    Log Internet Protocol addresses used during logon. CC ID 07100 Monitoring and measurement Detective
    Protect logs from unauthorized activity. CC ID 01345
    [System administrator and system operator activities should be logged and the logs protected and regularly reviewed. § 12.4.3 Control
    Logging facilities and log information should be protected against tampering and unauthorized access. § 12.4.2 Control]
    Monitoring and measurement Preventive
    Log issuers who send personal data in cleartext in the transfer audit log. CC ID 12312 Technical security Preventive
    Establish and maintain a visitor log. CC ID 00715 Physical and environmental protection Preventive
    Record the visitor's name in the visitor log. CC ID 00557 Physical and environmental protection Preventive
    Record the visitor's organization in the visitor log. CC ID 12121 Physical and environmental protection Preventive
    Record the visitor's acceptable access areas in the visitor log. CC ID 12237 Physical and environmental protection Preventive
    Retain all records in the visitor log as prescribed by law. CC ID 00572 Physical and environmental protection Preventive
    Log the entrance of a staff member to a facility or designated rooms within the facility. CC ID 01641 Physical and environmental protection Preventive
    Log when the vault is accessed. CC ID 06725 Physical and environmental protection Detective
    Log when the cabinet is accessed. CC ID 11674 Physical and environmental protection Detective
    Store facility access logs in off-site storage. CC ID 06958 Physical and environmental protection Preventive
    Log the transiting, internal distribution, and external distribution of restricted storage media. CC ID 12321 Physical and environmental protection Preventive
    Log the performance of all remote maintenance. CC ID 13202 Operational management Preventive
    Configure the log to capture actions taken by individuals with root privileges or administrative privileges and add logging option to the root file system. CC ID 00645
    [System administrator and system operator activities should be logged and the logs protected and regularly reviewed. § 12.4.3 Control]
    System hardening through configuration management Detective
    Establish, implement, and maintain a removable storage media log. CC ID 12317 Records management Preventive
    Log the disclosure of personal data. CC ID 06628 Privacy protection for information and data Preventive
    Log the modification of personal data. CC ID 11844 Privacy protection for information and data Preventive
    Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 Privacy protection for information and data Detective
    Log dates for account name changes or address changes. CC ID 04876 Privacy protection for information and data Detective
  • Maintenance
    8
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Use system components only when third party support is available. CC ID 10644 Operational management Preventive
    Obtain justification for the continued use of system components when third party support is no longer available. CC ID 10645 Operational management Preventive
    Conduct offsite maintenance in authorized facilities. CC ID 16473 Operational management Preventive
    Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 Operational management Preventive
    Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 Operational management Preventive
    Restart systems on a periodic basis. CC ID 16498 Operational management Preventive
    Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 Operational management Preventive
    Separate the production environment from development environment or test environment for the change control process. CC ID 11864 Operational management Preventive
  • Monitor and Evaluate Occurrences
    72
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Analyze organizational objectives, functions, and activities. CC ID 00598 Leadership and high level objectives Preventive
    Establish, implement, and maintain intrusion management operations. CC ID 00580 Monitoring and measurement Preventive
    Monitor systems for inappropriate usage and other security violations. CC ID 00585 Monitoring and measurement Detective
    Monitor systems for blended attacks and multiple component incidents. CC ID 01225 Monitoring and measurement Detective
    Monitor systems for Denial of Service attacks. CC ID 01222 Monitoring and measurement Detective
    Monitor systems for unauthorized data transfers. CC ID 12971 Monitoring and measurement Preventive
    Monitor systems for access to restricted data or restricted information. CC ID 04721 Monitoring and measurement Detective
    Detect unauthorized access to systems. CC ID 06798 Monitoring and measurement Detective
    Incorporate potential red flags into the organization's incident management system. CC ID 04652 Monitoring and measurement Detective
    Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430 Monitoring and measurement Detective
    Alert interested personnel and affected parties when an incident causes an outage. CC ID 06808 Monitoring and measurement Detective
    Monitor systems for unauthorized mobile code. CC ID 10034 Monitoring and measurement Preventive
    Monitor and evaluate system performance. CC ID 00651 Monitoring and measurement Detective
    Monitor for and react to when suspicious activities are detected. CC ID 00586 Monitoring and measurement Detective
    Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of electronic information. CC ID 04727 Monitoring and measurement Corrective
    Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of printed records. CC ID 04728 Monitoring and measurement Corrective
    Report a data loss event after a security incident is detected and there are indications that the unauthorized person has accessed information in either paper or electronic form. CC ID 04740 Monitoring and measurement Corrective
    Report a data loss event after a security incident is detected and there are indications that the information has been or will likely be used in an unauthorized manner. CC ID 04729 Monitoring and measurement Corrective
    Report a data loss event after a security incident is detected and there are indications that the information has been or will likely be used in an unauthorized manner that could cause substantial economic impact. CC ID 04742 Monitoring and measurement Corrective
    Establish, implement, and maintain network monitoring operations. CC ID 16444 Monitoring and measurement Preventive
    Monitor and review retail payment activities, as necessary. CC ID 13541 Monitoring and measurement Detective
    Establish, implement, and maintain an automated configuration monitoring system. CC ID 07058 Monitoring and measurement Detective
    Monitor for and report when a software configuration is updated. CC ID 06746 Monitoring and measurement Detective
    Notify the appropriate personnel when the software configuration is updated absent authorization. CC ID 04886 Monitoring and measurement Detective
    Monitor for firmware updates absent authorization. CC ID 10675 Monitoring and measurement Detective
    Implement file integrity monitoring. CC ID 01205 Monitoring and measurement Detective
    Monitor for software configurations updates absent authorization. CC ID 10676 Monitoring and measurement Preventive
    Monitor for when documents are being updated absent authorization. CC ID 10677 Monitoring and measurement Preventive
    Monitor and evaluate user account activity. CC ID 07066 Monitoring and measurement Detective
    Generate daily reports of user logons during hours outside of their usage profile. CC ID 07068 Monitoring and measurement Detective
    Generate daily reports of users who have grossly exceeded their usage profile logon duration. CC ID 07069 Monitoring and measurement Detective
    Log account usage durations. CC ID 12117 Monitoring and measurement Detective
    Report red flags when logon credentials are used on a computer different from the one in the usage profile. CC ID 07070 Monitoring and measurement Detective
    Enforce information flow control. CC ID 11781
    [{data transfer policies} {data transfer procedures} {data transfer controls} Formal transfer policies, procedures and controls should be in place to protect the transfer of information through the use of all types of communication facilities. § 13.2.1 Control]
    Technical security Preventive
    Monitor information flows for anomalies. CC ID 16365 Technical security Preventive
    Monitor and report on the organization's interconnectivity risk. CC ID 13172 Technical security Detective
    Perform content filtering scans on network traffic. CC ID 06761 Technical security Detective
    Perform content filtering scans on incoming and outgoing e-mail. CC ID 06733 Technical security Detective
    Monitor and evaluate all remote access usage. CC ID 00563 Technical security Detective
    Establish, implement, and maintain an anti-tamper protection program. CC ID 10638 Physical and environmental protection Detective
    Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747 Physical and environmental protection Preventive
    Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638 Physical and environmental protection Detective
    Log the exit of a staff member to a facility or designated rooms within the facility. CC ID 11675 Physical and environmental protection Preventive
    Observe restricted areas with motion detectors or closed-circuit television systems. CC ID 01328 Physical and environmental protection Detective
    Review and correlate all data collected from video cameras and/or access control mechanisms with other entries. CC ID 11609 Physical and environmental protection Detective
    Evaluate and react to when unauthorized access is detected by physical entry point alarms. CC ID 11677 Physical and environmental protection Detective
    Monitor for alarmed security doors being propped open. CC ID 06684 Physical and environmental protection Detective
    Monitor and review environmental protections. CC ID 12571 Physical and environmental protection Detective
    Install and maintain an environment control monitoring system. CC ID 06370 Physical and environmental protection Detective
    Monitor and evaluate business continuity management system performance. CC ID 12410 Operational and Systems Continuity Detective
    Record business continuity management system performance for posterity. CC ID 12411 Operational and Systems Continuity Preventive
    Monitor and measure the effectiveness of security awareness. CC ID 06262 Human Resources management Detective
    Analyze and evaluate training records to improve the training program. CC ID 06380 Human Resources management Detective
    Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 Operational management Corrective
    Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 Operational management Corrective
    Automate software license monitoring, as necessary. CC ID 07057 Operational management Preventive
    Determine the incident severity level when assessing the security incidents. CC ID 01650
    [Information security events should be assessed and it should be decided if they are to be classified as information security incidents. § 16.1.4 Control]
    Operational management Corrective
    Check the precursors and indicators when assessing the security incidents. CC ID 01761 Operational management Corrective
    Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234
    [{information security incidents} Knowledge gained from analysing and resolving information security incidents should be used to reduce the likelihood or impact of future incidents. § 16.1.6 Control]
    Operational management Preventive
    Establish, implement, and maintain online storage monitoring and reporting capabilities. CC ID 00935 Records management Detective
    Supervise and monitor outsourced development projects. CC ID 01096
    [The organization should supervise and monitor the activity of outsourced system development. § 14.2.7 Control]
    Systems design, build, and implementation Detective
    Include anti-tamper technologies and anti-tamper techniques in the system design specification. CC ID 10639 Systems design, build, and implementation Detective
    Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 Privacy protection for information and data Preventive
    Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 Privacy protection for information and data Detective
    Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 Privacy protection for information and data Corrective
    Review accounts that are changed for additional user requests. CC ID 11846 Privacy protection for information and data Detective
    Review monitored websites for data leakage. CC ID 10593 Privacy protection for information and data Detective
    Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 Privacy protection for information and data Preventive
    Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 Privacy protection for information and data Preventive
    Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 Privacy protection for information and data Preventive
    Monitor third parties for performance and effectiveness, as necessary. CC ID 00799
    [Organizations should regularly monitor, review and audit supplier service delivery. § 15.2.1 Control]
    Third Party and supply chain oversight Detective
    Monitor third parties' financial conditions. CC ID 13170 Third Party and supply chain oversight Detective
  • Physical and Environmental Protection
    94
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Protect assets from tampering or unapproved substitution. CC ID 11902
    [Logging facilities and log information should be protected against tampering and unauthorized access. § 12.4.2 Control]
    Physical and environmental protection Preventive
    Protect the facility from crime. CC ID 06347 Physical and environmental protection Preventive
    Protect facilities from eavesdropping. CC ID 02222 Physical and environmental protection Preventive
    Inspect telephones for eavesdropping devices. CC ID 02223 Physical and environmental protection Detective
    Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 Physical and environmental protection Preventive
    Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 Physical and environmental protection Preventive
    Create security zones in facilities, as necessary. CC ID 16295 Physical and environmental protection Preventive
    Establish clear zones around any sensitive facilities. CC ID 02214 Physical and environmental protection Preventive
    Inspect items brought into the facility. CC ID 06341 Physical and environmental protection Preventive
    Maintain all physical security systems. CC ID 02206 Physical and environmental protection Preventive
    Maintain all security alarm systems. CC ID 11669 Physical and environmental protection Preventive
    Control physical access to (and within) the facility. CC ID 01329 Physical and environmental protection Preventive
    Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419 Physical and environmental protection Preventive
    Secure physical entry points with physical access controls or security guards. CC ID 01640 Physical and environmental protection Detective
    Configure the access control system to grant access only during authorized working hours. CC ID 12325 Physical and environmental protection Preventive
    Check the visitor's stated identity against a provided government issued identification. CC ID 06701 Physical and environmental protection Preventive
    Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463 Physical and environmental protection Corrective
    Issue photo identification badges to all employees. CC ID 12326 Physical and environmental protection Preventive
    Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 Physical and environmental protection Preventive
    Manage visitor identification inside the facility. CC ID 11670 Physical and environmental protection Preventive
    Secure unissued visitor identification badges. CC ID 06712 Physical and environmental protection Preventive
    Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 Physical and environmental protection Preventive
    Restrict access to the badge system to authorized personnel. CC ID 12043 Physical and environmental protection Preventive
    Enforce dual control for badge assignments. CC ID 12328 Physical and environmental protection Preventive
    Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 Physical and environmental protection Preventive
    Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 Physical and environmental protection Preventive
    Prevent tailgating through physical entry points. CC ID 06685 Physical and environmental protection Preventive
    Use locks to protect against unauthorized physical access. CC ID 06342 Physical and environmental protection Preventive
    Install and maintain security lighting at all physical entry points. CC ID 02205 Physical and environmental protection Preventive
    Use vandal resistant light fixtures for all security lighting. CC ID 16130 Physical and environmental protection Preventive
    Manage access to loading docks, unloading docks, and mail rooms. CC ID 02210
    [{delivery area} Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises should be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access. § 11.1.6 Control]
    Physical and environmental protection Preventive
    Secure the loading dock with physical access controls or security guards. CC ID 06703 Physical and environmental protection Preventive
    Isolate loading areas from information processing facilities, if possible. CC ID 12028
    [{delivery area} Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises should be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access. § 11.1.6 Control]
    Physical and environmental protection Preventive
    Screen incoming mail and deliveries. CC ID 06719 Physical and environmental protection Preventive
    Protect access to the facility's mechanical systems area. CC ID 02212 Physical and environmental protection Preventive
    Establish, implement, and maintain elevator security guidelines. CC ID 02232 Physical and environmental protection Preventive
    Establish, implement, and maintain stairwell security guidelines. CC ID 02233 Physical and environmental protection Preventive
    Establish, implement, and maintain glass opening security guidelines. CC ID 02234 Physical and environmental protection Preventive
    Establish a security room, if necessary. CC ID 00738 Physical and environmental protection Preventive
    Implement physical security standards for mainframe rooms or data centers. CC ID 00749 Physical and environmental protection Preventive
    Establish and maintain equipment security cages in a shared space environment. CC ID 06711 Physical and environmental protection Preventive
    Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 Physical and environmental protection Preventive
    Lock all lockable equipment cabinets. CC ID 11673 Physical and environmental protection Detective
    Establish, implement, and maintain vault physical security standards. CC ID 02203 Physical and environmental protection Preventive
    Monitor physical entry point alarms. CC ID 01639 Physical and environmental protection Detective
    Build and maintain fencing, as necessary. CC ID 02235
    [{sensitive information} Security perimeters should be defined and used to protect areas that contain either sensitive or critical information and information processing facilities. § 11.1.1 Control]
    Physical and environmental protection Preventive
    Implement security measures for all interior spaces that allow for any payment transactions. CC ID 06352 Physical and environmental protection Preventive
    Physically segregate business areas in accordance with organizational standards. CC ID 16718 Physical and environmental protection Preventive
    Design interior walls with sound absorbing materials as well as thermal resistant materials. CC ID 06372 Physical and environmental protection Preventive
    Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 Physical and environmental protection Preventive
    Use locked containers to transport non-digital media outside of controlled areas. CC ID 14286 Physical and environmental protection Preventive
    Restrict physical access to distributed assets. CC ID 11865
    [{environmental hazards} Equipment should be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. § 11.2.1 Control]
    Physical and environmental protection Preventive
    House network hardware in lockable rooms or lockable equipment cabinets. CC ID 01873 Physical and environmental protection Preventive
    Protect electronic storage media with physical access controls. CC ID 00720 Physical and environmental protection Preventive
    Protect distributed assets against theft. CC ID 06799 Physical and environmental protection Preventive
    Establish, implement, and maintain off-site physical controls for all distributed assets. CC ID 04539
    [Security should be applied to off-site assets taking into account the different risks of working outside the organization’s premises. § 11.2.6 Control]
    Physical and environmental protection Preventive
    Secure workstations to desks with security cables. CC ID 04724 Physical and environmental protection Preventive
    Include the use of privacy filters in the mobile device security guidelines. CC ID 16452 Physical and environmental protection Preventive
    Refrain from responding to unsolicited Personal Identification Number requests. CC ID 12430 Physical and environmental protection Preventive
    Refrain from pairing Bluetooth devices in unsecured areas. CC ID 12429 Physical and environmental protection Preventive
    Separate systems that transmit, process, or store restricted data from those that do not by deploying physical access controls. CC ID 00722
    [{sensitive information} Security perimeters should be defined and used to protect areas that contain either sensitive or critical information and information processing facilities. § 11.1.1 Control]
    Physical and environmental protection Preventive
    Establish, implement, and maintain an environmental control program. CC ID 00724
    [Physical protection against natural disasters, malicious attack or accidents should be designed and applied. § 11.1.4 Control]
    Physical and environmental protection Preventive
    Protect power equipment and power cabling from damage or destruction. CC ID 01438
    [{power cabling} Power and telecommunications cabling carrying data or supporting information services should be protected from interception, interference or damage. § 11.2.3 Control
    Equipment should be protected from power failures and other disruptions caused by failures in supporting utilities. § 11.2.2 Control]
    Physical and environmental protection Preventive
    Place the Uninterruptible Power Supply in the generator room, as necessary. CC ID 11676 Physical and environmental protection Preventive
    Design the Information Technology facility with consideration given to natural disasters and man-made disasters. CC ID 00712 Physical and environmental protection Preventive
    Design the Information Technology facility with a low profile. CC ID 16140 Physical and environmental protection Preventive
    Prohibit signage indicating computer room location and uses. CC ID 06343 Physical and environmental protection Preventive
    Require critical facilities to have adequate room for facility maintenance. CC ID 06361 Physical and environmental protection Preventive
    Require critical facilities to have adequate room for evacuation. CC ID 11686 Physical and environmental protection Preventive
    Build critical facilities according to applicable building codes. CC ID 06366 Physical and environmental protection Preventive
    Build critical facilities with fire resistant materials. CC ID 06365 Physical and environmental protection Preventive
    Build critical facilities with materials that limit electromagnetic interference. CC ID 16131 Physical and environmental protection Preventive
    Build critical facilities with water-resistant materials. CC ID 11679 Physical and environmental protection Preventive
    Monitor operational conditions at unmanned facilities. CC ID 06327 Physical and environmental protection Preventive
    Inspect and maintain the facility and supporting assets. CC ID 06345 Physical and environmental protection Preventive
    Apply noise-prevention devices to organizational assets, as necessary. CC ID 16141 Physical and environmental protection Preventive
    House system components in areas where the physical damage potential is minimized. CC ID 01623
    [{environmental hazards} Equipment should be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. § 11.2.1 Control]
    Physical and environmental protection Preventive
    Install and maintain smoke detectors. CC ID 15264 Physical and environmental protection Preventive
    Conduct periodic fire marshal inspections for all organizational facilities. CC ID 04888 Physical and environmental protection Preventive
    Install and maintain fire-retarding divisions such as fire doors in accordance with applicable building codes. CC ID 06362 Physical and environmental protection Preventive
    Install and maintain seismic detectors in critical facilities. CC ID 06364 Physical and environmental protection Detective
    Protect physical assets against static electricity, as necessary. CC ID 06363 Physical and environmental protection Preventive
    Install and maintain emergency lighting for use in a power failure. CC ID 01440 Physical and environmental protection Preventive
    Install and maintain lightning protection mechanisms in critical facilities. CC ID 06367 Physical and environmental protection Preventive
    Establish, implement, and maintain pest control systems in organizational facilities. CC ID 16139 Physical and environmental protection Preventive
    Protect air intakes into the organizational facility. CC ID 02211 Physical and environmental protection Preventive
    Install and maintain water detection devices. CC ID 11678 Physical and environmental protection Preventive
    Establish and maintain off-site electronic media storage facilities. CC ID 00957 Operational and Systems Continuity Preventive
    Conduct environmental surveys. CC ID 00690 Operational management Preventive
    Plan and conduct maintenance so that it does not interfere with scheduled operations. CC ID 06389 Operational management Preventive
    Control and monitor all maintenance tools. CC ID 01432 Operational management Detective
    Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 Operational management Preventive
    Refrain from protecting physical assets when no longer required. CC ID 13484 Operational management Corrective
    Store manufacturing components in a controlled access area. CC ID 12256 Systems design, build, and implementation Preventive
  • Process or Activity
    91
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Review and approve the use of continuous security management systems. CC ID 13181 Monitoring and measurement Preventive
    Include the correlation and analysis of information obtained during testing in the continuous monitoring program. CC ID 14250 Monitoring and measurement Detective
    Alert interested personnel and affected parties when an unauthorized modification to critical files is detected. CC ID 12045 Monitoring and measurement Preventive
    Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 Technical security Preventive
    Assign virtual escorting to authorized personnel. CC ID 16440 Technical security Preventive
    Define the asymmetric signature field for the CHUID container on identification cards or badges. CC ID 06584 Technical security Preventive
    Implement cryptographic operations and support functions on identification cards or badges. CC ID 06585 Technical security Preventive
    Define the format of the biometric data on identification cards or badges. CC ID 06586 Technical security Preventive
    Implement physical identification processes. CC ID 13715 Physical and environmental protection Preventive
    Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 Physical and environmental protection Preventive
    Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714 Physical and environmental protection Preventive
    Include identity proofing processes in the identification issuance procedures. CC ID 06597 Physical and environmental protection Preventive
    Prohibit assets from being taken off-site absent prior authorization. CC ID 12027
    [Equipment, information or software should not be taken off-site without prior authorization. § 11.2.5 Control]
    Physical and environmental protection Preventive
    Conduct fire drills, as necessary. CC ID 13985 Physical and environmental protection Preventive
    Employ environmental protections. CC ID 12570 Physical and environmental protection Preventive
    Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 Operational and Systems Continuity Preventive
    Coordinate continuity planning with community organizations, as necessary. CC ID 13259 Operational and Systems Continuity Preventive
    Perform backup procedures for in scope systems. CC ID 11692 Operational and Systems Continuity Preventive
    Include all residences in the criminal records check. CC ID 13306 Human Resources management Preventive
    Approve the information security policy at the organization's management level or higher. CC ID 11737
    [A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties. § 5.1.1 Control]
    Operational management Preventive
    Use systems in accordance with the standard operating procedures manual. CC ID 15049 Operational management Preventive
    Provide support for information sharing activities. CC ID 15644 Operational management Preventive
    Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 Operational management Preventive
    Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 Operational management Preventive
    Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 Operational management Preventive
    Perform emergency changes, as necessary. CC ID 12707 Operational management Preventive
    Back up emergency changes after the change has been performed. CC ID 12734 Operational management Preventive
    Conduct network certifications prior to approving change requests for networks. CC ID 13121 Operational management Detective
    Establish, implement, and maintain a patch management program. CC ID 00896 Operational management Preventive
    Manage waste materials in accordance with the storage media disposition and destruction procedures. CC ID 16485 Records management Preventive
    Establish, implement, and maintain storage media downgrading procedures. CC ID 10619 Records management Preventive
    Identify electronic storage media that require downgrading. CC ID 10620 Records management Detective
    Downgrade electronic storage media, as necessary. CC ID 10621 Records management Corrective
    Establish, implement, and maintain identification card or badge architectural designs. CC ID 06591 Systems design, build, and implementation Preventive
    Define the physical requirements for identification cards or badges in the identification card or badge architectural designs. CC ID 06592 Systems design, build, and implementation Preventive
    Define the mandatory items that must appear on identification cards or badges in the identification card or badge architectural designs. CC ID 06593 Systems design, build, and implementation Preventive
    Define the optional items that may appear on identification cards or badges in the identification card or badge architectural designs. CC ID 06594 Systems design, build, and implementation Preventive
    Include the logical credential data model for identification cards or badges in the identification card or badge architectural designs. CC ID 06595 Systems design, build, and implementation Preventive
    Identify the components in a set of web pages that consistently have the same functionality. CC ID 15116 Systems design, build, and implementation Preventive
    Convert workflow charts and diagrams into machine readable code. CC ID 14865 Systems design, build, and implementation Preventive
    Document the results of the source code analysis. CC ID 14310 Systems design, build, and implementation Detective
    Digitally sign software components. CC ID 16490 Systems design, build, and implementation Preventive
    Discourage the modification of vendor-supplied software. CC ID 12016
    [Modifications to software packages should be discouraged, limited to necessary changes and all changes should be strictly controlled. § 14.2.4 Control]
    Acquisition or sale of facilities, technology, and services Preventive
    Require a data protection impact assessment when profiling the data subject. CC ID 12680 Privacy protection for information and data Detective
    Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609 Privacy protection for information and data Preventive
    Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588 Privacy protection for information and data Preventive
    Provide the data subject with the data retention period for personal data. CC ID 12587 Privacy protection for information and data Preventive
    Provide the data subject with the criteria used to determine the data retention period for personal data. CC ID 12589 Privacy protection for information and data Preventive
    Provide the data subject with the adequacy decision. CC ID 12586 Privacy protection for information and data Preventive
    Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. CC ID 12585 Privacy protection for information and data Preventive
    Provide the data subject with copies of the appropriate safeguards used to protect the privacy of personal data. CC ID 12608 Privacy protection for information and data Preventive
    Notify the data subject of the right to data portability. CC ID 12603 Privacy protection for information and data Preventive
    Provide the data subject with information about the right to erasure. CC ID 12602 Privacy protection for information and data Preventive
    Provide shareholders access to electronic messages via electronic means. CC ID 11855 Privacy protection for information and data Preventive
    Provide the data subject with information about the legitimate interests associated with personal data processing. CC ID 12614 Privacy protection for information and data Preventive
    Align the enterprise architecture with the privacy plan. CC ID 14705 Privacy protection for information and data Preventive
    Confirm the individual's identity before granting an opt-out request. CC ID 16813 Privacy protection for information and data Preventive
    Approve the approval application unless applicant has been convicted. CC ID 16603 Privacy protection for information and data Preventive
    Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 Privacy protection for information and data Preventive
    Allow data subjects to submit data requests. CC ID 16545 Privacy protection for information and data Preventive
    Define what is included in a request for a waiver or reduction of fees. CC ID 15522 Privacy protection for information and data Preventive
    Allow affected third parties to consent or object to a data access request. CC ID 08704 Privacy protection for information and data Preventive
    Refrain from processing restricted data if the restricted data is involved in a legal claim. CC ID 12668 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778 Privacy protection for information and data Detective
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644 Privacy protection for information and data Preventive
    Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 Privacy protection for information and data Preventive
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 Privacy protection for information and data Preventive
    Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 Privacy protection for information and data Preventive
    Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 Privacy protection for information and data Preventive
    Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 Privacy protection for information and data Preventive
    Search the Internet for evidence of data leakage. CC ID 10419 Privacy protection for information and data Detective
    Alert appropriate personnel when data leakage is detected. CC ID 14715 Privacy protection for information and data Preventive
    Take appropriate action when a data leakage is discovered. CC ID 14716 Privacy protection for information and data Corrective
    Refrain from installing software on an individual's computer unless acting in accordance with a court order. CC ID 14000 Privacy protection for information and data Preventive
    Remove or uninstall software from an individual's computer, as necessary. CC ID 13998 Privacy protection for information and data Preventive
    Remove or uninstall software from an individual's computer when consent is revoked. CC ID 13997 Privacy protection for information and data Preventive
    Define the fee structure for the appeal process. CC ID 16532 Privacy protection for information and data Preventive
    Define the time requirements for the appeal process. CC ID 16531 Privacy protection for information and data Preventive
    Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794
    [All relevant information security requirements should be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization’s information. § 15.1.2 Control]
    Third Party and supply chain oversight Detective
    Assess third parties' compliance environment during due diligence. CC ID 13134 Third Party and supply chain oversight Detective
  • Records Management
    48
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Archive Public Key certificate records according to organizational Records Management rules. CC ID 07090 Technical security Preventive
    Retain video events according to Records Management procedures. CC ID 06304 Physical and environmental protection Preventive
    Control the transiting and internal distribution or external distribution of assets. CC ID 00963
    [Media containing information should be protected against unauthorized access, misuse or corruption during transportation. § 8.3.3 Control]
    Physical and environmental protection Preventive
    Obtain management authorization for restricted storage media transit or distribution from a controlled access area. CC ID 00964 Physical and environmental protection Preventive
    Refrain from including exclusions that could affect business continuity. CC ID 12740 Operational and Systems Continuity Preventive
    Include information sharing procedures in standard operating procedures. CC ID 12974 Operational management Preventive
    Include source code in the asset inventory. CC ID 14858 Operational management Preventive
    Establish, implement, and maintain secure storage and handling of evidence procedures. CC ID 08656
    [The organization should define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence. § 16.1.7 Control]
    Operational management Preventive
    Degauss as a method of sanitizing electronic storage media. CC ID 00973 Records management Preventive
    Protect records from loss in accordance with applicable requirements. CC ID 12007
    [Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements. § 18.1.3 Control]
    Records management Preventive
    Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 Records management Detective
    Establish and maintain access controls for all records. CC ID 00371
    [Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements. § 18.1.3 Control]
    Records management Preventive
    Implement and maintain backups and duplicate copies of organizational records. CC ID 00953 Records management Preventive
    Establish, implement, and maintain the duplicate original of record indexes. CC ID 00954 Records management Preventive
    Establish, implement, and maintain a transparent storage media strategy. CC ID 00932 Records management Preventive
    Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 Records management Preventive
    Refrain from allowing students the right to inspect the financial records of their parent or legal representative. CC ID 13025 Privacy protection for information and data Preventive
    Refrain from allowing students the right to inspect confidential letters and confidential letters of recommendation. CC ID 13019 Privacy protection for information and data Preventive
    Amend education records within a reasonable period after receiving a record amendment request. CC ID 12998 Privacy protection for information and data Corrective
    Decide whether to amend education records based on evidence presented during a hearing. CC ID 13020 Privacy protection for information and data Corrective
    Grant access to education records in support of educational program audits. CC ID 13032 Privacy protection for information and data Preventive
    Grant access to education records in support of external requirements. CC ID 13033 Privacy protection for information and data Preventive
    Collect and retain disclosure authorizations for each data subject. CC ID 13434 Privacy protection for information and data Preventive
    Refrain from destroying records being inspected or reviewed. CC ID 13015 Privacy protection for information and data Preventive
    Submit personal data removal requests in writing. CC ID 11973 Privacy protection for information and data Preventive
    Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 Privacy protection for information and data Corrective
    Refrain from processing restricted data, as necessary. CC ID 12551 Privacy protection for information and data Preventive
    Include the data protection officer's contact information in the record of processing activities. CC ID 12640 Privacy protection for information and data Preventive
    Include the data processor's contact information in the record of processing activities. CC ID 12657 Privacy protection for information and data Preventive
    Include the data processor's representative's contact information in the record of processing activities. CC ID 12658 Privacy protection for information and data Preventive
    Include a general description of the implemented security measures in the record of processing activities. CC ID 12641 Privacy protection for information and data Preventive
    Include a description of the data subject categories in the record of processing activities. CC ID 12659 Privacy protection for information and data Preventive
    Include the purpose of processing restricted data in the record of processing activities. CC ID 12663 Privacy protection for information and data Preventive
    Include the personal data processing categories in the record of processing activities. CC ID 12661 Privacy protection for information and data Preventive
    Include the time limits for erasing each data category in the record of processing activities. CC ID 12690 Privacy protection for information and data Preventive
    Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664 Privacy protection for information and data Preventive
    Include a description of the personal data categories in the record of processing activities. CC ID 12660 Privacy protection for information and data Preventive
    Include the joint data controller's contact information in the record of processing activities. CC ID 12639 Privacy protection for information and data Preventive
    Include the data controller's representative's contact information in the record of processing activities. CC ID 12638 Privacy protection for information and data Preventive
    Include documentation of the transferee's safeguards for transferring restricted data in the record of processing activities. CC ID 12643 Privacy protection for information and data Preventive
    Include the identification of transferees for transferring restricted data in the record of processing activities. CC ID 12642 Privacy protection for information and data Preventive
    Include the data controller's contact information in the record of processing activities. CC ID 12637 Privacy protection for information and data Preventive
    Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 Privacy protection for information and data Preventive
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 Privacy protection for information and data Preventive
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 Privacy protection for information and data Preventive
    Refrain from disclosing personal data absent consent of the individual or for defined exceptions. CC ID 11967 Privacy protection for information and data Preventive
    Remove personal data from records after receiving a personal data removal request. CC ID 11972 Privacy protection for information and data Preventive
    Authorize the transfer of restricted data in accordance with organizational standards. CC ID 16428 Privacy protection for information and data Preventive
  • Systems Continuity
    21
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Identify all stakeholders critical to the continuity of operations. CC ID 12741 Operational and Systems Continuity Detective
    Include information security continuity in the scope of the continuity framework. CC ID 12009 Operational and Systems Continuity Preventive
    Include affected party’s needs and interests in the scope of the continuity framework. CC ID 12698 Operational and Systems Continuity Preventive
    Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 Operational and Systems Continuity Corrective
    Maintain normal security levels when an emergency occurs. CC ID 06377 Operational and Systems Continuity Preventive
    Execute fail-safe procedures when an emergency occurs. CC ID 07108 Operational and Systems Continuity Preventive
    Include the in scope system's location in the continuity plan. CC ID 16246 Operational and Systems Continuity Preventive
    Include the system description in the continuity plan. CC ID 16241 Operational and Systems Continuity Preventive
    Restore systems and environments to be operational. CC ID 13476 Operational and Systems Continuity Corrective
    Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 Operational and Systems Continuity Preventive
    Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 Operational and Systems Continuity Preventive
    Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 Operational and Systems Continuity Preventive
    Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664 Operational and Systems Continuity Preventive
    Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 Operational and Systems Continuity Corrective
    Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258
    [Backup copies of information, software and system images should be taken and tested regularly in accordance with an agreed backup policy. § 12.3.1 Control]
    Operational and Systems Continuity Preventive
    Document the backup method and backup frequency on a case-by-case basis in the backup procedures. CC ID 01384 Operational and Systems Continuity Preventive
    Review the security of the off-site electronic media storage facilities, as necessary. CC ID 00573 Operational and Systems Continuity Detective
    Store backup media in a fire-rated container which is not collocated with the operational system. CC ID 14289 Operational and Systems Continuity Preventive
    Store backup vital records in a manner that is accessible for emergency retrieval. CC ID 12765 Operational and Systems Continuity Preventive
    Validate information security continuity controls regularly. CC ID 12008
    [The organization should verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations. § 17.1.3 Control]
    Operational and Systems Continuity Preventive
    Implement network redundancy, as necessary. CC ID 13048 Operational management Preventive
  • Systems Design, Build, and Implementation
    88
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Install and maintain power distribution boards. CC ID 16486 Physical and environmental protection Preventive
    Apply security controls to each level of the information classification standard. CC ID 01903 Operational management Preventive
    Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 Operational management Preventive
    Review each system's operational readiness. CC ID 06275 Operational management Preventive
    Validate the system before implementing approved changes. CC ID 01510
    [When operating platforms are changed, business critical applications should be reviewed and tested to ensure there is no adverse impact on organizational operations or security. § 14.2.3 Control]
    Operational management Preventive
    Establish, implement, and maintain traceability documentation. CC ID 16388 Operational management Preventive
    Initiate the System Development Life Cycle planning phase. CC ID 06266 Systems design, build, and implementation Preventive
    Implement manual override capability into automated systems. CC ID 14921 Systems design, build, and implementation Preventive
    Redesign business activities to support the system implementation. CC ID 01067 Systems design, build, and implementation Corrective
    Search for metadata during e-discovery. CC ID 01073 Systems design, build, and implementation Preventive
    Establish, implement, and maintain security design principles. CC ID 14718 Systems design, build, and implementation Preventive
    Include reduced complexity of systems or system components in the security design principles. CC ID 14753 Systems design, build, and implementation Preventive
    Include self-reliant trustworthiness of systems or system components in the security design principles. CC ID 14752 Systems design, build, and implementation Preventive
    Include partially ordered dependencies of systems or system components in the security design principles. CC ID 14751 Systems design, build, and implementation Preventive
    Include modularity and layering of systems or system components in the security design principles. CC ID 14750 Systems design, build, and implementation Preventive
    Include secure evolvability of systems or system components in the security design principles. CC ID 14749 Systems design, build, and implementation Preventive
    Include least common mechanisms between systems or system components in the security design principles. CC ID 14747 Systems design, build, and implementation Preventive
    Include secure system modification of systems or system components in the security design principles. CC ID 14746 Systems design, build, and implementation Preventive
    Include clear abstractions of systems or system components in the security design principles. CC ID 14745 Systems design, build, and implementation Preventive
    Include secure failure and recovery of systems or system components in the security design principles. CC ID 14744 Systems design, build, and implementation Preventive
    Include repeatable and documented procedures for systems or system components in the security design principles. CC ID 14743 Systems design, build, and implementation Preventive
    Include least privilege of systems or system components in the security design principles. CC ID 14742 Systems design, build, and implementation Preventive
    Include minimized sharing of systems or system components in the security design principles. CC ID 14741 Systems design, build, and implementation Preventive
    Include acceptable security of systems or system components in the security design principles. CC ID 14740 Systems design, build, and implementation Preventive
    Include minimized security elements in systems or system components in the security design principles. CC ID 14739 Systems design, build, and implementation Preventive
    Include hierarchical protection in systems or system components in the security design principles. CC ID 14738 Systems design, build, and implementation Preventive
    Include self-analysis of systems or system components in the security design principles. CC ID 14737 Systems design, build, and implementation Preventive
    Include inverse modification thresholds in systems or system components in the security design principles. CC ID 14736 Systems design, build, and implementation Preventive
    Include efficiently mediated access to systems or system components in the security design principles. CC ID 14735 Systems design, build, and implementation Preventive
    Include secure distributed composition of systems or system components in the security design principles. CC ID 14734 Systems design, build, and implementation Preventive
    Include minimization of systems or system components in the security design principles. CC ID 14733 Systems design, build, and implementation Preventive
    Include secure defaults in systems or system components in the security design principles. CC ID 14732 Systems design, build, and implementation Preventive
    Include trusted communications channels for systems or system components in the security design principles. CC ID 14731 Systems design, build, and implementation Preventive
    Include economic security in systems or system components in the security design principles. CC ID 14730 Systems design, build, and implementation Preventive
    Include trusted components of systems or system components in the security design principles. CC ID 14729 Systems design, build, and implementation Preventive
    Include procedural rigor in systems or system components in the security design principles. CC ID 14728 Systems design, build, and implementation Preventive
    Include accountability and traceability of systems or system components in the security design principles. CC ID 14727 Systems design, build, and implementation Preventive
    Include hierarchical trust in systems or system components in the security design principles. CC ID 14726 Systems design, build, and implementation Preventive
    Include sufficient documentation for systems or system components in the security design principles. CC ID 14725 Systems design, build, and implementation Preventive
    Include performance security of systems or system components in the security design principles. CC ID 14724 Systems design, build, and implementation Preventive
    Include human factored security in systems or system components in the security design principles. CC ID 14723 Systems design, build, and implementation Preventive
    Include secure metadata management of systems or system components in the security design principles. CC ID 14722 Systems design, build, and implementation Preventive
    Include predicate permission of systems or system components in the security design principles. CC ID 14721 Systems design, build, and implementation Preventive
    Separate the design and development environment from the production environment. CC ID 06088
    [{development environment} {testing environment} Development, testing, and operational environments should be separated to reduce the risks of unauthorized access or changes to the operational environment. § 12.1.4 Control]
    Systems design, build, and implementation Preventive
    Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 Systems design, build, and implementation Preventive
    Develop systems in accordance with the system design specifications and system design standards. CC ID 01094
    [Principles for engineering secure systems should be established, documented, maintained and applied to any information system implementation efforts. § 14.2.5 Control]
    Systems design, build, and implementation Preventive
    Protect stored manufacturing components prior to assembly. CC ID 12248 Systems design, build, and implementation Preventive
    Develop new products based on best practices. CC ID 01095 Systems design, build, and implementation Preventive
    Include threat models in the system design specification. CC ID 06829 Systems design, build, and implementation Preventive
    Include security requirements in the system design specification. CC ID 06826
    [The information security related requirements should be included in the requirements for new information systems or enhancements to existing information systems. § 14.1.1 Control]
    Systems design, build, and implementation Preventive
    Define the data elements to be stored on identification cards or badges in the identification card or badge architectural designs. CC ID 15427 Systems design, build, and implementation Preventive
    Include security measures in the identification card or badge architectural designs. CC ID 15423 Systems design, build, and implementation Preventive
    Implement data controls when developing systems. CC ID 15302 Systems design, build, and implementation Preventive
    Implement security controls when developing systems. CC ID 06270 Systems design, build, and implementation Preventive
    Analyze and minimize attack surfaces when developing systems. CC ID 06828 Systems design, build, and implementation Preventive
    Implement a hardware security module, as necessary. CC ID 12222 Systems design, build, and implementation Preventive
    Require dual authentication when switching out of PCI mode in the hardware security module. CC ID 12274 Systems design, build, and implementation Preventive
    Include an indicator to designate when the hardware security module is in PCI mode. CC ID 12273 Systems design, build, and implementation Preventive
    Design the random number generator to generate random numbers that are unpredictable. CC ID 12255 Systems design, build, and implementation Preventive
    Design the hardware security module to enforce the separation between applications. CC ID 12254 Systems design, build, and implementation Preventive
    Protect sensitive data when transiting sensitive services in the hardware security module. CC ID 12253 Systems design, build, and implementation Preventive
    Design the hardware security module to automatically clear its internal buffers of sensitive information prior to reuse of the buffer. CC ID 12233 Systems design, build, and implementation Preventive
    Design the hardware security module to automatically clear its internal buffers of sensitive information after it recovers from an error condition. CC ID 12252 Systems design, build, and implementation Preventive
    Design the hardware security module to automatically clear its internal buffers of sensitive information when it has timed out. CC ID 12251 Systems design, build, and implementation Preventive
    Design the hardware security module to erase sensitive data when compromised. CC ID 12275 Systems design, build, and implementation Preventive
    Restrict key-usage information for cryptographic keys in the hardware security module. CC ID 12232 Systems design, build, and implementation Preventive
    Prevent cryptographic keys in the hardware security module from making unauthorized changes to data. CC ID 12231 Systems design, build, and implementation Preventive
    Protect sensitive information within the hardware security module from unauthorized changes. CC ID 12225 Systems design, build, and implementation Preventive
    Prohibit sensitive functions from working outside of protected areas of the hardware security module. CC ID 12224 Systems design, build, and implementation Preventive
    Install secret information into the hardware security module during manufacturing. CC ID 12249 Systems design, build, and implementation Preventive
    Install secret information into the hardware security module so that it can only be verified by the initial-key-loading facility. CC ID 12272 Systems design, build, and implementation Preventive
    Install secret information under dual control into the hardware security module. CC ID 12257 Systems design, build, and implementation Preventive
    Establish, implement, and maintain secure update mechanisms. CC ID 14923 Systems design, build, and implementation Preventive
    Implement cryptographic mechanisms to authenticate software updates before installation. CC ID 14925 Systems design, build, and implementation Preventive
    Automate secure update mechanisms, as necessary. CC ID 14933 Systems design, build, and implementation Preventive
    Follow security design requirements when developing systems. CC ID 06827 Systems design, build, and implementation Preventive
    Identify multi-project interfaces and dependencies. CC ID 06902 Systems design, build, and implementation Preventive
    Design the security architecture. CC ID 06269 Systems design, build, and implementation Preventive
    Design the privacy architecture. CC ID 14671 Systems design, build, and implementation Preventive
    Implement software development version controls. CC ID 01098 Systems design, build, and implementation Preventive
    Follow the system development process when upgrading a system. CC ID 01059 Systems design, build, and implementation Preventive
    Conduct a design review at each milestone or quality gate. CC ID 01087 Systems design, build, and implementation Detective
    Approve the design methodology before moving forward on the system design project. CC ID 01060 Systems design, build, and implementation Preventive
    Perform source code analysis at each milestone or quality gate. CC ID 06832 Systems design, build, and implementation Corrective
    Identify and redesign unsafe functions when developing systems. CC ID 06831 Systems design, build, and implementation Preventive
    Monitor the development environment for when malicious code is discovered. CC ID 06396 Systems design, build, and implementation Detective
    Control the test data used in the development environment. CC ID 12013
    [Test data should be selected carefully, protected and controlled. § 14.3.1 Control]
    Systems design, build, and implementation Preventive
    Select the test data carefully. CC ID 12011
    [Test data should be selected carefully, protected and controlled. § 14.3.1 Control]
    Systems design, build, and implementation Preventive
  • Technical Security
    154
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Determine if honeypots should be installed, and if so, where the honeypots should be placed. CC ID 00582 Monitoring and measurement Detective
    Update the intrusion detection capabilities and the incident response capabilities regularly. CC ID 04653 Monitoring and measurement Preventive
    Implement honeyclients to proactively seek for malicious websites and malicious code. CC ID 10658 Monitoring and measurement Preventive
    Implement detonation chambers, where appropriate. CC ID 10670 Monitoring and measurement Preventive
    Identify cybersecurity events in event logs and audit logs. CC ID 13206 Monitoring and measurement Detective
    Erase payment applications when suspicious activity is confirmed. CC ID 12193 Monitoring and measurement Corrective
    Identify unauthorized modifications during file integrity monitoring. CC ID 12096 Monitoring and measurement Detective
    Allow expected changes during file integrity monitoring. CC ID 12090 Monitoring and measurement Preventive
    Develop and maintain a usage profile for each user account. CC ID 07067 Monitoring and measurement Preventive
    Perform vulnerability scans, as necessary. CC ID 11637 Monitoring and measurement Detective
    Identify and document security vulnerabilities. CC ID 11857
    [{technical vulnerabilities} Information about technical vulnerabilities of information systems being used should be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk. § 12.6.1 Control]
    Monitoring and measurement Detective
    Implement safeguards to protect access credentials from unauthorized access. CC ID 16433 Technical security Preventive
    Identify information system users. CC ID 12081 Technical security Detective
    Review user accounts. CC ID 00525 Technical security Detective
    Identify and authenticate processes running on information systems that act on behalf of users. CC ID 12082 Technical security Detective
    Review shared accounts. CC ID 11840 Technical security Detective
    Control access rights to organizational assets. CC ID 00004
    [The allocation and use of privileged access rights should be restricted and controlled. § 9.2.3 Control
    Access to information and application system functions should be restricted in accordance with the access control policy. § 9.4.1 Control]
    Technical security Preventive
    Generate but refrain from storing authenticators or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835 Technical security Preventive
    Define access needs for each system component of an information system. CC ID 12456 Technical security Preventive
    Define the level of privilege required for each system component of an information system. CC ID 12457 Technical security Preventive
    Establish access rights based on least privilege. CC ID 01411
    [The allocation and use of privileged access rights should be restricted and controlled. § 9.2.3 Control]
    Technical security Preventive
    Assign user permissions based on job responsibilities. CC ID 00538 Technical security Preventive
    Assign user privileges after they have management sign off. CC ID 00542 Technical security Preventive
    Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 Technical security Preventive
    Disallow unlocking user accounts absent system administrator approval. CC ID 01413 Technical security Preventive
    Establish session authenticity through Transport Layer Security. CC ID 01627 Technical security Preventive
    Include all system components in the access control system. CC ID 11939 Technical security Preventive
    Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 Technical security Preventive
    Enable attribute-based access control for objects and users on information systems. CC ID 16351 Technical security Preventive
    Enable role-based access control for objects and users on information systems. CC ID 12458 Technical security Preventive
    Enforce access restrictions for change control. CC ID 01428 Technical security Preventive
    Permit a limited set of user actions absent identification and authentication. CC ID 04849 Technical security Preventive
    Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262 Technical security Preventive
    Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770 Technical security Preventive
    Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964 Technical security Preventive
    Control user privileges. CC ID 11665 Technical security Preventive
    Review all user privileges, as necessary. CC ID 06784
    [Asset owners should review users’ access rights at regular intervals. § 9.2.5 Control]
    Technical security Preventive
    Review each user's access capabilities when their role changes. CC ID 00524 Technical security Preventive
    Enable products restricted by Digital Rights Management to be used while offline. CC ID 07094 Technical security Preventive
    Establish, implement, and maintain User Access Management procedures. CC ID 00514
    [A formal user access provisioning process should be implemented to assign or revoke access rights for all user types to all systems and services. § 9.2.2 Control]
    Technical security Preventive
    Review and approve logical access to all assets based upon organizational policies. CC ID 06641 Technical security Preventive
    Control the addition and modification of user identifiers, user credentials, or other authenticators. CC ID 00515 Technical security Preventive
    Automate access control methods, as necessary. CC ID 11838 Technical security Preventive
    Automate Access Control Systems, as necessary. CC ID 06854 Technical security Preventive
    Refrain from storing logon credentials for third party applications. CC ID 13690 Technical security Preventive
    Refrain from allowing user access to identifiers and authenticators used by applications. CC ID 10048 Technical security Preventive
    Remove inactive user accounts, as necessary. CC ID 00517 Technical security Corrective
    Remove temporary user accounts, as necessary. CC ID 11839 Technical security Corrective
    Enforce the password policy. CC ID 16347 Technical security Preventive
    Enforce usage restrictions for superuser accounts. CC ID 07064 Technical security Preventive
    Establish, implement, and maintain user accounts in accordance with the organizational Governance, Risk, and Compliance framework. CC ID 00526 Technical security Preventive
    Protect and manage biometric systems and biometric data. CC ID 01261 Technical security Preventive
    Implement out-of-band authentication, as necessary. CC ID 10606 Technical security Corrective
    Identify and control all network access controls. CC ID 00529 Technical security Preventive
    Implement segregation of duties. CC ID 11843
    [Conflicting duties and areas of responsibility should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets. § 6.1.2 Control]
    Technical security Preventive
    Restrict traffic or information flow based on the node type. CC ID 16396 Technical security Preventive
    Restrict traffic or information flow based on the destination address. CC ID 16378 Technical security Preventive
    Restrict traffic or information flow based on the origination address. CC ID 16484 Technical security Preventive
    Use content filtering scans to identify information flows by data type specification. CC ID 06762 Technical security Preventive
    Use content filtering scans to identify information flows by data type usage. CC ID 11818 Technical security Preventive
    Prevent encrypted data from bypassing content filtering mechanisms. CC ID 06758 Technical security Preventive
    Establish, implement, and maintain a data loss prevention solution to protect Access Control Lists. CC ID 12128 Technical security Preventive
    Review and approve information exchange system connections. CC ID 07143 Technical security Preventive
    Establish, implement, and maintain measures to detect and prevent the use of unsafe internet services. CC ID 13104 Technical security Preventive
    Refrain from storing restricted data at unsafe Internet services or virtual servers. CC ID 13107 Technical security Preventive
    Block uncategorized sites using URL filtering. CC ID 12140 Technical security Preventive
    Subscribe to a URL categorization service to maintain website category definitions in the URL filter list. CC ID 12139 Technical security Detective
    Control all methods of remote access and teleworking. CC ID 00559
    [A policy and supporting security measures should be implemented to protect information accessed, processed or stored at teleworking sites. § 6.2.2 Control]
    Technical security Preventive
    Refrain from allowing remote users to copy files to remote devices. CC ID 06792 Technical security Preventive
    Control remote access through a network access control. CC ID 01421 Technical security Preventive
    Prohibit remote access to systems processing cleartext restricted data or restricted information. CC ID 12324 Technical security Preventive
    Employ multifactor authentication for remote access to the organization's network. CC ID 12505 Technical security Preventive
    Implement phishing-resistant multifactor authentication techniques. CC ID 16541 Technical security Preventive
    Limit the source addresses from which remote administration is performed. CC ID 16393 Technical security Preventive
    Manage the use of encryption controls and cryptographic controls. CC ID 00570
    [Cryptographic controls should be used in compliance with all relevant agreements, legislation and regulations. § 18.1.5 Control]
    Technical security Preventive
    Employ cryptographic controls that comply with applicable requirements. CC ID 12491 Technical security Preventive
    Make key usage for data fields unique for each device. CC ID 04828 Technical security Preventive
    Accept only trusted keys and/or certificates. CC ID 11988 Technical security Preventive
    Bind keys to each identity. CC ID 12337 Technical security Preventive
    Generate unique cryptographic keys for each user. CC ID 12169 Technical security Preventive
    Implement decryption keys so that they are not linked to user accounts. CC ID 06851 Technical security Preventive
    Store key-encrypting keys and data-encrypting keys in different locations. CC ID 06085 Technical security Preventive
    Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys. CC ID 06852 Technical security Preventive
    Issue authentication mechanisms that support the Public Key Infrastructure. CC ID 07092 Technical security Preventive
    Establish a Root Certification Authority to support the Public Key Infrastructure. CC ID 07084 Technical security Preventive
    Connect the Public Key Infrastructure to the organization's identity and access management system. CC ID 07091 Technical security Preventive
    Refrain from storing encryption keys with cloud service providers when cryptographic key management services are in place locally. CC ID 13153 Technical security Preventive
    Refrain from permitting cloud service providers to manage encryption keys when cryptographic key management services are in place locally. CC ID 13154 Technical security Preventive
    Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564 Technical security Preventive
    Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 Technical security Preventive
    Encrypt traffic over networks with trusted cryptographic keys. CC ID 12490 Technical security Preventive
    Treat data messages that do not receive an acknowledgment as never been sent. CC ID 14416 Technical security Preventive
    Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 Technical security Preventive
    Protect application services information transmitted over a public network from unauthorized modification. CC ID 12021
    [{unauthorized modification} Information involved in application services passing over public networks should be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. § 14.1.2 Control]
    Technical security Preventive
    Protect application services information transmitted over a public network from unauthorized disclosure. CC ID 12020
    [{unauthorized modification} Information involved in application services passing over public networks should be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. § 14.1.2 Control]
    Technical security Preventive
    Protect application services information transmitted over a public network from contract disputes. CC ID 12019
    [{unauthorized modification} Information involved in application services passing over public networks should be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. § 14.1.2 Control]
    Technical security Preventive
    Protect application services information transmitted over a public network from fraudulent activity. CC ID 12018
    [{unauthorized modification} Information involved in application services passing over public networks should be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. § 14.1.2 Control]
    Technical security Preventive
    Install and maintain container security solutions. CC ID 16178 Technical security Preventive
    Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 Physical and environmental protection Preventive
    Secure unissued access mechanisms. CC ID 06713 Physical and environmental protection Preventive
    Change cipher lock codes, as necessary. CC ID 06651 Physical and environmental protection Preventive
    Encrypt digital media containing sensitive information during transport outside controlled areas. CC ID 14258 Physical and environmental protection Preventive
    Establish, implement, and maintain a clear screen policy. CC ID 12436
    [A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities should be adopted. § 11.2.9 Control]
    Physical and environmental protection Preventive
    Remotely control operational conditions at unmanned facilities. CC ID 11680 Physical and environmental protection Preventive
    Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 Operational and Systems Continuity Preventive
    Terminate user accounts when notified that an individual is terminated. CC ID 11614 Human Resources management Corrective
    Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826
    [The access rights of all employees and external party users to information and information processing facilities should be removed upon termination of their employment, contract or agreement, or adjusted upon change. § 9.2.6 Control]
    Human Resources management Corrective
    Limit any effects of a Denial of Service attack. CC ID 06754
    [Information processing facilities should be implemented with redundancy sufficient to meet availability requirements. § 17.2.1 Control]
    Operational management Preventive
    Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 Operational management Preventive
    Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 Operational management Preventive
    Link the authentication system to the asset inventory. CC ID 13718 Operational management Preventive
    Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 Operational management Detective
    Prevent users from disabling required software. CC ID 16417 Operational management Preventive
    Control remote maintenance according to the system's asset classification. CC ID 01433 Operational management Preventive
    Approve all remote maintenance sessions. CC ID 10615 Operational management Preventive
    Terminate remote maintenance sessions when the remote maintenance is complete. CC ID 12083 Operational management Preventive
    Employ dedicated systems during system maintenance. CC ID 12108 Operational management Preventive
    Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 Operational management Preventive
    Categorize the incident following an incident response. CC ID 13208 Operational management Preventive
    Respond when an integrity violation is detected, as necessary. CC ID 10678 Operational management Corrective
    Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 Operational management Corrective
    Restart systems when an integrity violation is detected, as necessary. CC ID 10680 Operational management Corrective
    Integrate configuration management procedures into the change control program. CC ID 13646 Operational management Preventive
    Implement patch management software, as necessary. CC ID 12094 Operational management Preventive
    Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087 Operational management Preventive
    Review the patch log for missing patches. CC ID 13186 Operational management Detective
    Patch software. CC ID 11825 Operational management Corrective
    Patch the operating system, as necessary. CC ID 11824 Operational management Corrective
    Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682 Operational management Detective
    Restrict and control the use of privileged utility programs. CC ID 12030
    [The use of utility programs that might be capable of overriding system and application controls should be restricted and tightly controlled. § 9.4.4 Control]
    System hardening through configuration management Preventive
    Establish, implement, and maintain authenticators. CC ID 15305 System hardening through configuration management Preventive
    Restrict access to authentication files to authorized personnel, as necessary. CC ID 12127 System hardening through configuration management Preventive
    Establish, implement, and maintain label inheritance mechanisms for aggregate data sets. CC ID 06957 Records management Preventive
    Implement and maintain high availability storage, as necessary. CC ID 00952 Records management Preventive
    Establish, implement, and maintain online storage controls. CC ID 00942 Records management Preventive
    Provide encryption for different types of electronic storage media. CC ID 00945 Records management Preventive
    Include restricted data encryption and restricted information encryption in the security controls. CC ID 01083 Systems design, build, and implementation Preventive
    Require successful authentication before granting access to system functionality via network interfaces. CC ID 14926 Systems design, build, and implementation Preventive
    Use randomly generated session identifiers. CC ID 07074 Systems design, build, and implementation Preventive
    Limit the embedding of data types inside other data types. CC ID 06759 Systems design, build, and implementation Preventive
    Protect system libraries. CC ID 01097 Systems design, build, and implementation Preventive
    Protect application program libraries. CC ID 11762 Systems design, build, and implementation Preventive
    Establish and maintain access rights to source code based upon least privilege. CC ID 06962
    [Access to program source code should be restricted. § 9.4.5 Control]
    Systems design, build, and implementation Preventive
    Protect test data in the development environment. CC ID 12014
    [Test data should be selected carefully, protected and controlled. § 14.3.1 Control]
    Systems design, build, and implementation Preventive
    Establish, implement, and maintain payment transaction security measures. CC ID 13088 Acquisition or sale of facilities, technology, and services Preventive
    Refrain from allowing access rights to education records maintained by another educational institution. CC ID 13014 Privacy protection for information and data Preventive
    Display warning screens and confirmation screens for all payment transactions. CC ID 06409 Privacy protection for information and data Preventive
    Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 Privacy protection for information and data Preventive
    Employ a random number generator to create authenticators. CC ID 13782 Privacy protection for information and data Preventive
    Provide unobservability of users and resources. CC ID 04551 Privacy protection for information and data Preventive
    Protect electronic messaging information. CC ID 12022
    [Information involved in electronic messaging should be appropriately protected. § 13.2.3 Control]
    Privacy protection for information and data Preventive
    Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 Privacy protection for information and data Preventive
    Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 Privacy protection for information and data Preventive
    Implement security measures to protect personal data. CC ID 13606 Privacy protection for information and data Preventive
  • Testing
    58
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427 Monitoring and measurement Preventive
    Assess customer satisfaction. CC ID 00652 Monitoring and measurement Detective
    Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455 Technical security Detective
    Require the system to identify and authenticate approved devices before establishing a connection. CC ID 01429 Technical security Preventive
    Scan the system to verify modems are disabled or removed, except the modems that are explicitly approved. CC ID 00560 Technical security Detective
    Test cryptographic key management applications, as necessary. CC ID 04829 Technical security Detective
    Implement non-repudiation for transactions. CC ID 00567 Technical security Detective
    Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330 Physical and environmental protection Preventive
    Implement operational requirements for card readers. CC ID 02225 Physical and environmental protection Preventive
    Test locks for physical security vulnerabilities. CC ID 04880 Physical and environmental protection Detective
    Test and inspect assets under full load working conditions. CC ID 06356 Physical and environmental protection Detective
    Establish, implement, and maintain the organization's call tree. CC ID 01167 Operational and Systems Continuity Detective
    Test the recovery plan, as necessary. CC ID 13290 Operational and Systems Continuity Detective
    Test the backup information, as necessary. CC ID 13303 Operational and Systems Continuity Detective
    Separate the off-site electronic media storage facilities from the primary facility through geographic separation. CC ID 01390 Operational and Systems Continuity Detective
    Test backup media for media integrity and information integrity, as necessary. CC ID 01401
    [Backup copies of information, software and system images should be taken and tested regularly in accordance with an agreed backup policy. § 12.3.1 Control]
    Operational and Systems Continuity Detective
    Test backup media at the alternate facility in addition to testing at the primary facility. CC ID 06375 Operational and Systems Continuity Detective
    Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 Human Resources management Detective
    Perform a drug test during personnel screening. CC ID 06648 Human Resources management Preventive
    Conduct tests and evaluate training. CC ID 06672 Human Resources management Detective
    Test systems for malicious code prior to when the system will be redeployed. CC ID 06339 Operational management Detective
    Conduct maintenance with authorized personnel. CC ID 01434 Operational management Detective
    Calibrate assets according to the calibration procedures for the asset. CC ID 06203 Operational management Detective
    Test for detrimental environmental factors after a system is disposed. CC ID 06938 Operational management Detective
    Assess all incidents to determine what information was accessed. CC ID 01226
    [Information security events should be assessed and it should be decided if they are to be classified as information security incidents. § 16.1.4 Control]
    Operational management Corrective
    Open a priority incident request after a security breach is detected. CC ID 04838 Operational management Corrective
    Activate the incident response notification procedures after a security breach is detected. CC ID 04839 Operational management Corrective
    Test proposed changes prior to their approval. CC ID 00548 Operational management Detective
    Perform risk assessments prior to approving change requests. CC ID 00888 Operational management Preventive
    Perform a patch test prior to deploying a patch. CC ID 00898 Operational management Detective
    Test software patches for any potential compromise of the system's security. CC ID 13175 Operational management Detective
    Review changes to computer firmware. CC ID 12226 Operational management Detective
    Certify changes to computer firmware are free of malicious logic. CC ID 12227 Operational management Detective
    Test the system's operational functionality after implementing approved changes. CC ID 06294 Operational management Detective
    Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541
    [Acceptance testing programs and related criteria should be established for new information systems, upgrades and new versions. § 14.2.9 Control]
    Operational management Detective
    Destroy electronic storage media following the storage media disposition and destruction procedures. CC ID 00970
    [Media should be disposed of securely when no longer required, using formal procedures. § 8.3.2 Control]
    Records management Detective
    Maintain media sanitization equipment in operational condition. CC ID 00721 Records management Detective
    Store records on non-rewritable, non-erasable storage media formats, as necessary. CC ID 00944 Records management Detective
    Test the storage media downgrade for correct performance. CC ID 10623 Records management Detective
    Restrict system architects from being assigned as Administrators. CC ID 01064 Systems design, build, and implementation Detective
    Restrict the development team from having access to the production environment. CC ID 01066 Systems design, build, and implementation Detective
    Implement security controls in development endpoints. CC ID 16389 Systems design, build, and implementation Preventive
    Audit all modifications to the application being developed. CC ID 01614 Systems design, build, and implementation Detective
    Reassess the system design after the product has been tested. CC ID 01088 Systems design, build, and implementation Detective
    Perform Quality Management on all newly developed or modified systems. CC ID 01100 Systems design, build, and implementation Detective
    Test security functionality during the development process. CC ID 12015
    [Testing of security functionality should be carried out during development. § 14.2.8 Control]
    Systems design, build, and implementation Preventive
    Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 Privacy protection for information and data Detective
    Implement physical controls to protect personal data. CC ID 00355 Privacy protection for information and data Preventive
    Conduct personal data risk assessments. CC ID 00357 Privacy protection for information and data Detective
    Conduct internal data processing audits. CC ID 00374 Privacy protection for information and data Detective
    Refrain from subjecting individuals to retaliation or intimidation after a complaint is created. CC ID 06218 Privacy protection for information and data Detective
    Include third party requirements for personnel security in third party contracts. CC ID 00790 Third Party and supply chain oversight Detective
    Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 Third Party and supply chain oversight Detective
    Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 Third Party and supply chain oversight Detective
    Establish the third party's service continuity. CC ID 00797 Third Party and supply chain oversight Detective
    Determine the adequacy of a third party's alternate site preparations. CC ID 06879 Third Party and supply chain oversight Detective
    Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 Third Party and supply chain oversight Detective
    Perform risk assessments of third parties, as necessary. CC ID 06454 Third Party and supply chain oversight Detective
  • Training
    27
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Submit applications for professional certification. CC ID 16192 Human Resources management Preventive
    Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 Human Resources management Detective
    Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 Human Resources management Preventive
    Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 Human Resources management Preventive
    Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 Human Resources management Detective
    Develop or acquire content to update the training plans. CC ID 12867 Human Resources management Preventive
    Designate training facilities in the training plan. CC ID 16200 Human Resources management Preventive
    Include in scope external requirements in the training plan, as necessary. CC ID 13041 Human Resources management Preventive
    Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 Human Resources management Preventive
    Include risk management in the training plan, as necessary. CC ID 13040 Human Resources management Preventive
    Conduct personal data processing training. CC ID 13757 Human Resources management Preventive
    Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 Human Resources management Preventive
    Include the cloud service usage standard in the training plan. CC ID 13039 Human Resources management Preventive
    Include media protection in the security awareness program. CC ID 16368 Human Resources management Preventive
    Include physical security in the security awareness program. CC ID 16369 Human Resources management Preventive
    Include updates on emerging issues in the security awareness program. CC ID 13184 Human Resources management Preventive
    Include cybersecurity in the security awareness program. CC ID 13183 Human Resources management Preventive
    Include implications of non-compliance in the security awareness program. CC ID 16425 Human Resources management Preventive
    Include the acceptable use policy in the security awareness program. CC ID 15487 Human Resources management Preventive
    Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 Human Resources management Preventive
    Conduct tampering prevention training. CC ID 11875 Human Resources management Preventive
    Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 Human Resources management Preventive
    Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 Human Resources management Preventive
    Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879 Human Resources management Preventive
    Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 Human Resources management Preventive
    Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 Human Resources management Preventive
    Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 Human Resources management Preventive
Common Controls and
mandates by Classification
160 Mandated Controls - bold    
127 Implied Controls - italic     2508 Implementation

There are three types of Common Control classifications; corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.

Number of Controls
2795 Total
  • Corrective
    104
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 Leadership and high level objectives Establish/Maintain Documentation
    Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 Monitoring and measurement Establish/Maintain Documentation
    Eliminate false positives in event logs and audit logs. CC ID 07047 Monitoring and measurement Log Management
    Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925 Monitoring and measurement Investigate
    Erase payment applications when suspicious activity is confirmed. CC ID 12193 Monitoring and measurement Technical Security
    Report a data loss event when non-truncated payment card numbers are outputted. CC ID 04741 Monitoring and measurement Establish/Maintain Documentation
    Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of electronic information. CC ID 04727 Monitoring and measurement Monitor and Evaluate Occurrences
    Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of printed records. CC ID 04728 Monitoring and measurement Monitor and Evaluate Occurrences
    Report a data loss event after a security incident is detected and there are indications that the unauthorized person has accessed information in either paper or electronic form. CC ID 04740 Monitoring and measurement Monitor and Evaluate Occurrences
    Report a data loss event after a security incident is detected and there are indications that the information has been or will likely be used in an unauthorized manner. CC ID 04729 Monitoring and measurement Monitor and Evaluate Occurrences
    Report a data loss event after a security incident is detected and there are indications that the information has been or will likely be used in an unauthorized manner that could cause substantial economic impact. CC ID 04742 Monitoring and measurement Monitor and Evaluate Occurrences
    Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 Audits and risk management Establish/Maintain Documentation
    Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705
    [{technical vulnerabilities} Information about technical vulnerabilities of information systems being used should be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk. § 12.6.1 Control]
    Audits and risk management Establish/Maintain Documentation
    Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 Technical security Communicate
    Revoke asset access when a personnel status change occurs or an individual is terminated. CC ID 00516 Technical security Behavior
    Review and update accounts and access rights when notified of personnel status changes. CC ID 00788
    [The access rights of all employees and external party users to information and information processing facilities should be removed upon termination of their employment, contract or agreement, or adjusted upon change. § 9.2.6 Control]
    Technical security Behavior
    Remove inactive user accounts, as necessary. CC ID 00517 Technical security Technical Security
    Remove temporary user accounts, as necessary. CC ID 11839 Technical security Technical Security
    Implement out-of-band authentication, as necessary. CC ID 10606 Technical security Technical Security
    Disseminate and communicate the access control procedures to all interested personnel and affected parties. CC ID 14123 Technical security Communicate
    Take appropriate action to address information flow anomalies. CC ID 12164 Technical security Investigate
    Quarantine data that fails security tests. CC ID 16500 Technical security Data and Information Management
    Revoke membership in the whitelist, as necessary. CC ID 13827 Technical security Establish/Maintain Documentation
    Revoke old cryptographic keys or invalid cryptographic keys immediately. CC ID 01307 Technical security Data and Information Management
    Replace known or suspected compromised cryptographic keys immediately. CC ID 01306 Technical security Data and Information Management
    Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463 Physical and environmental protection Physical and Environmental Protection
    Document all lost badges in a lost badge list. CC ID 12448 Physical and environmental protection Establish/Maintain Documentation
    Report changes in the continuity plan to senior management. CC ID 12757 Operational and Systems Continuity Communicate
    Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 Operational and Systems Continuity Systems Continuity
    Restore systems and environments to be operational. CC ID 13476 Operational and Systems Continuity Systems Continuity
    Establish, implement, and maintain the continuity procedures. CC ID 14236 Operational and Systems Continuity Establish/Maintain Documentation
    Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 Operational and Systems Continuity Systems Continuity
    Terminate user accounts when notified that an individual is terminated. CC ID 11614 Human Resources management Technical Security
    Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826
    [The access rights of all employees and external party users to information and information processing facilities should be removed upon termination of their employment, contract or agreement, or adjusted upon change. § 9.2.6 Control]
    Human Resources management Technical Security
    Deny access to restricted data or restricted information when a personnel status change occurs or an individual is terminated. CC ID 01309 Human Resources management Data and Information Management
    Update contact information of any individual undergoing a personnel status change, as necessary. CC ID 12692 Human Resources management Human Resources Management
    Conduct secure coding and development training for developers. CC ID 06822 Human Resources management Behavior
    Implement a sanctions process for personnel who fail to comply to the organizational compliance program. CC ID 01442
    [{implement} There should be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach. § 7.2.3 Control]
    Human Resources management Behavior
    Measure policy compliance when reviewing the internal control framework. CC ID 06442
    [{security standards} Managers should regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. § 18.2.2 Control
    {security standards} Managers should regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. § 18.2.2 Control]
    Operational management Actionable Reports or Measurements
    Update operating procedures that contribute to user errors. CC ID 06935 Operational management Establish/Maintain Documentation
    Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 Operational management Establish/Maintain Documentation
    Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052 Operational management Monitor and Evaluate Occurrences
    Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053 Operational management Monitor and Evaluate Occurrences
    Refrain from protecting physical assets when no longer required. CC ID 13484 Operational management Physical and Environmental Protection
    Determine the incident severity level when assessing the security incidents. CC ID 01650
    [Information security events should be assessed and it should be decided if they are to be classified as information security incidents. § 16.1.4 Control]
    Operational management Monitor and Evaluate Occurrences
    Assess all incidents to determine what information was accessed. CC ID 01226
    [Information security events should be assessed and it should be decided if they are to be classified as information security incidents. § 16.1.4 Control]
    Operational management Testing
    Check the precursors and indicators when assessing the security incidents. CC ID 01761 Operational management Monitor and Evaluate Occurrences
    Open a priority incident request after a security breach is detected. CC ID 04838 Operational management Testing
    Activate the incident response notification procedures after a security breach is detected. CC ID 04839 Operational management Testing
    Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 Operational management Communicate
    Respond when an integrity violation is detected, as necessary. CC ID 10678 Operational management Technical Security
    Shut down systems when an integrity violation is detected, as necessary. CC ID 10679 Operational management Technical Security
    Restart systems when an integrity violation is detected, as necessary. CC ID 10680 Operational management Technical Security
    Conduct forensic investigations in the event of a security compromise. CC ID 11951 Operational management Investigate
    Approve back-out plans, as necessary. CC ID 13627 Operational management Establish/Maintain Documentation
    Deploy software patches in accordance with organizational standards. CC ID 07032 Operational management Configuration
    Patch software. CC ID 11825 Operational management Technical Security
    Patch the operating system, as necessary. CC ID 11824 Operational management Technical Security
    Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 Operational management Configuration
    Remove outdated software after software has been updated. CC ID 11792 Operational management Configuration
    Update computer firmware, as necessary. CC ID 11755 Operational management Configuration
    Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671 Operational management Configuration
    Mitigate the adverse effects of unauthorized changes. CC ID 12244 Operational management Business Processes
    Establish, implement, and maintain a change acceptance testing log. CC ID 06392 Operational management Establish/Maintain Documentation
    Document approved configuration deviations. CC ID 08711 Operational management Establish/Maintain Documentation
    Change the authenticator for shared accounts when the group membership changes. CC ID 14249 System hardening through configuration management Business Processes
    Configure the look-up secret authenticator to dispose of memorized secrets after their use. CC ID 13817 System hardening through configuration management Configuration
    Downgrade electronic storage media, as necessary. CC ID 10621 Records management Process or Activity
    Redesign business activities to support the system implementation. CC ID 01067 Systems design, build, and implementation Systems Design, Build, and Implementation
    Review and update the security architecture, as necessary. CC ID 14277 Systems design, build, and implementation Establish/Maintain Documentation
    Perform source code analysis at each milestone or quality gate. CC ID 06832 Systems design, build, and implementation Systems Design, Build, and Implementation
    Document any reasons acknowledgment of the privacy notice was not received. CC ID 14434 Privacy protection for information and data Establish/Maintain Documentation
    Amend education records within a reasonable period after receiving a record amendment request. CC ID 12998 Privacy protection for information and data Records Management
    Decide whether to amend education records based on evidence presented during a hearing. CC ID 13020 Privacy protection for information and data Records Management
    Remove certification marks of privacy programs the organization is no longer a member of from the privacy policy. CC ID 12368 Privacy protection for information and data Establish/Maintain Documentation
    Remove any privacy programs the organization is not a member of from the privacy policy. CC ID 12367 Privacy protection for information and data Establish/Maintain Documentation
    Disseminate private communications when required by law. CC ID 14335 Privacy protection for information and data Communicate
    Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 Privacy protection for information and data Communicate
    Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 Privacy protection for information and data Records Management
    Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 Privacy protection for information and data Communicate
    Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 Privacy protection for information and data Communicate
    Refrain from disclosing a security breach if an investigation concludes none has occurred. CC ID 13086 Privacy protection for information and data Communicate
    Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989 Privacy protection for information and data Communicate
    Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 Privacy protection for information and data Monitor and Evaluate Occurrences
    Take appropriate action when a data leakage is discovered. CC ID 14716 Privacy protection for information and data Process or Activity
    Implement procedures to file privacy rights violation complaints. CC ID 00476 Privacy protection for information and data Data and Information Management
    File privacy rights violation complaints in writing. CC ID 00477 Privacy protection for information and data Establish/Maintain Documentation
    Include the acts or omissions that are in violation of privacy rights in the privacy rights violation complaint. CC ID 14360 Privacy protection for information and data Establish/Maintain Documentation
    Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478 Privacy protection for information and data Behavior
    File privacy rights violation complaints inside the mandate stipulated from the refusal. CC ID 00479 Privacy protection for information and data Behavior
    Change or destroy any personal data that is incorrect. CC ID 00462 Privacy protection for information and data Data and Information Management
    Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 Privacy protection for information and data Behavior
    Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 Privacy protection for information and data Data and Information Management
    Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466 Privacy protection for information and data Behavior
    Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 Privacy protection for information and data Behavior
    Order the cessation of data processing when a violation of the privacy policy is detected. CC ID 00475 Privacy protection for information and data Data and Information Management
    Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364 Privacy protection for information and data Business Processes
    Notify respondents after a privacy rights violation complaint investigation has been resolved. CC ID 13513 Privacy protection for information and data Communicate
    Create an investigative report in regards to a privacy rights violation complaint. CC ID 00495 Privacy protection for information and data Establish/Maintain Documentation
    Respond to an investigative report in regards to a privacy rights violation complaint. CC ID 00496 Privacy protection for information and data Behavior
    Order the organization to change to be in compliance with applicable law. CC ID 00499 Privacy protection for information and data Behavior
    Order the organization to publish a notice with the corrections or actions taken. CC ID 00500 Privacy protection for information and data Behavior
    Award damages based on applicable law. CC ID 00501 Privacy protection for information and data Behavior
    Destroy personal data that breaches privacy after the privacy breach has been detected. CC ID 00503 Privacy protection for information and data Data and Information Management
  • Detective
    207
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Map in scope assets and in scope records to external requirements. CC ID 12189 Leadership and high level objectives Establish/Maintain Documentation
    Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 Leadership and high level objectives Establish/Maintain Documentation
    Establish and maintain a compliance oversight committee. CC ID 00765 Leadership and high level objectives Establish Roles
    Establish, implement, and maintain logging and monitoring operations. CC ID 00637
    [Event logs recording user activities, exceptions, faults and information security events should be produced, kept and regularly reviewed. § 12.4.1 Control]
    Monitoring and measurement Log Management
    Monitor and evaluate system telemetry data. CC ID 14929 Monitoring and measurement Actionable Reports or Measurements
    Determine if honeypots should be installed, and if so, where the honeypots should be placed. CC ID 00582 Monitoring and measurement Technical Security
    Monitor systems for inappropriate usage and other security violations. CC ID 00585 Monitoring and measurement Monitor and Evaluate Occurrences
    Monitor systems for blended attacks and multiple component incidents. CC ID 01225 Monitoring and measurement Monitor and Evaluate Occurrences
    Monitor systems for Denial of Service attacks. CC ID 01222 Monitoring and measurement Monitor and Evaluate Occurrences
    Monitor systems for access to restricted data or restricted information. CC ID 04721 Monitoring and measurement Monitor and Evaluate Occurrences
    Assign roles and responsibilities for overseeing access to restricted data or restricted information. CC ID 11950 Monitoring and measurement Human Resources Management
    Detect unauthorized access to systems. CC ID 06798 Monitoring and measurement Monitor and Evaluate Occurrences
    Incorporate potential red flags into the organization's incident management system. CC ID 04652 Monitoring and measurement Monitor and Evaluate Occurrences
    Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430 Monitoring and measurement Monitor and Evaluate Occurrences
    Alert interested personnel and affected parties when an incident causes an outage. CC ID 06808 Monitoring and measurement Monitor and Evaluate Occurrences
    Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 Monitoring and measurement Log Management
    Establish, implement, and maintain event logging procedures. CC ID 01335 Monitoring and measurement Log Management
    Review and update event logs and audit logs, as necessary. CC ID 00596
    [System administrator and system operator activities should be logged and the logs protected and regularly reviewed. § 12.4.3 Control
    Event logs recording user activities, exceptions, faults and information security events should be produced, kept and regularly reviewed. § 12.4.1 Control]
    Monitoring and measurement Log Management
    Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 Monitoring and measurement Log Management
    Identify cybersecurity events in event logs and audit logs. CC ID 13206 Monitoring and measurement Technical Security
    Enable logging for all systems that meet a traceability criteria. CC ID 00640 Monitoring and measurement Log Management
    Analyze firewall logs for the correct capturing of data. CC ID 00549 Monitoring and measurement Log Management
    Monitor and evaluate system performance. CC ID 00651 Monitoring and measurement Monitor and Evaluate Occurrences
    Monitor for and react to when suspicious activities are detected. CC ID 00586 Monitoring and measurement Monitor and Evaluate Occurrences
    Monitor and evaluate the effectiveness of detection tools. CC ID 13505 Monitoring and measurement Investigate
    Monitor and review retail payment activities, as necessary. CC ID 13541 Monitoring and measurement Monitor and Evaluate Occurrences
    Determine if high rates of retail payment activities are from Originating Depository Financial Institutions. CC ID 13546 Monitoring and measurement Investigate
    Review retail payment service reports, as necessary. CC ID 13545 Monitoring and measurement Investigate
    Assess customer satisfaction. CC ID 00652 Monitoring and measurement Testing
    Establish, implement, and maintain a continuous monitoring program for configuration management. CC ID 06757 Monitoring and measurement Establish/Maintain Documentation
    Include the correlation and analysis of information obtained during testing in the continuous monitoring program. CC ID 14250 Monitoring and measurement Process or Activity
    Establish, implement, and maintain an automated configuration monitoring system. CC ID 07058 Monitoring and measurement Monitor and Evaluate Occurrences
    Monitor for and report when a software configuration is updated. CC ID 06746 Monitoring and measurement Monitor and Evaluate Occurrences
    Notify the appropriate personnel when the software configuration is updated absent authorization. CC ID 04886 Monitoring and measurement Monitor and Evaluate Occurrences
    Monitor for firmware updates absent authorization. CC ID 10675 Monitoring and measurement Monitor and Evaluate Occurrences
    Implement file integrity monitoring. CC ID 01205 Monitoring and measurement Monitor and Evaluate Occurrences
    Identify unauthorized modifications during file integrity monitoring. CC ID 12096 Monitoring and measurement Technical Security
    Monitor and evaluate user account activity. CC ID 07066 Monitoring and measurement Monitor and Evaluate Occurrences
    Log account usage to determine dormant accounts. CC ID 12118 Monitoring and measurement Log Management
    Log account usage times. CC ID 07099 Monitoring and measurement Log Management
    Generate daily reports of user logons during hours outside of their usage profile. CC ID 07068 Monitoring and measurement Monitor and Evaluate Occurrences
    Generate daily reports of users who have grossly exceeded their usage profile logon duration. CC ID 07069 Monitoring and measurement Monitor and Evaluate Occurrences
    Log account usage durations. CC ID 12117 Monitoring and measurement Monitor and Evaluate Occurrences
    Notify the appropriate personnel after identifying dormant accounts. CC ID 12125 Monitoring and measurement Communicate
    Log Internet Protocol addresses used during logon. CC ID 07100 Monitoring and measurement Log Management
    Report red flags when logon credentials are used on a computer different from the one in the usage profile. CC ID 07070 Monitoring and measurement Monitor and Evaluate Occurrences
    Report inappropriate usage of user accounts to the appropriate personnel. CC ID 14243 Monitoring and measurement Communicate
    Perform vulnerability scans, as necessary. CC ID 11637 Monitoring and measurement Technical Security
    Identify and document security vulnerabilities. CC ID 11857
    [{technical vulnerabilities} Information about technical vulnerabilities of information systems being used should be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk. § 12.6.1 Control]
    Monitoring and measurement Technical Security
    Rank discovered vulnerabilities. CC ID 11940 Monitoring and measurement Investigate
    Establish and maintain audit assertions, as necessary. CC ID 14871 Audits and risk management Establish/Maintain Documentation
    Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467
    [{technical vulnerabilities} Information about technical vulnerabilities of information systems being used should be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk. § 12.6.1 Control]
    Audits and risk management Audits and Risk Management
    Identify information system users. CC ID 12081 Technical security Technical Security
    Review user accounts. CC ID 00525 Technical security Technical Security
    Match user accounts to authorized parties. CC ID 12126 Technical security Configuration
    Identify and authenticate processes running on information systems that act on behalf of users. CC ID 12082 Technical security Technical Security
    Review shared accounts. CC ID 11840 Technical security Technical Security
    Disallow application IDs from running as privileged users. CC ID 10050 Technical security Configuration
    Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455 Technical security Testing
    Notify interested personnel when user accounts are added or deleted. CC ID 14327 Technical security Communicate
    Monitor and report on the organization's interconnectivity risk. CC ID 13172 Technical security Monitor and Evaluate Occurrences
    Perform content filtering scans on network traffic. CC ID 06761 Technical security Monitor and Evaluate Occurrences
    Document information flow anomalies that do not fit normal traffic patterns. CC ID 12163 Technical security Investigate
    Perform content filtering scans on incoming and outgoing e-mail. CC ID 06733 Technical security Monitor and Evaluate Occurrences
    Establish, implement, and maintain an automated information flow approval process or semi-automated information flow approval process for transmitting or receiving restricted data or restricted information. CC ID 06734 Technical security Data and Information Management
    Subscribe to a URL categorization service to maintain website category definitions in the URL filter list. CC ID 12139 Technical security Technical Security
    Scan the system to verify modems are disabled or removed, except the modems that are explicitly approved. CC ID 00560 Technical security Testing
    Monitor and evaluate all remote access usage. CC ID 00563 Technical security Monitor and Evaluate Occurrences
    Test cryptographic key management applications, as necessary. CC ID 04829 Technical security Testing
    Implement non-repudiation for transactions. CC ID 00567 Technical security Testing
    Establish, implement, and maintain an anti-tamper protection program. CC ID 10638 Physical and environmental protection Monitor and Evaluate Occurrences
    Inspect telephones for eavesdropping devices. CC ID 02223 Physical and environmental protection Physical and Environmental Protection
    Detect anomalies in physical barriers. CC ID 13533 Physical and environmental protection Investigate
    Secure physical entry points with physical access controls or security guards. CC ID 01640 Physical and environmental protection Physical and Environmental Protection
    Test locks for physical security vulnerabilities. CC ID 04880 Physical and environmental protection Testing
    Lock all lockable equipment cabinets. CC ID 11673 Physical and environmental protection Physical and Environmental Protection
    Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638 Physical and environmental protection Monitor and Evaluate Occurrences
    Report anomalies in the visitor log to appropriate personnel. CC ID 14755 Physical and environmental protection Investigate
    Log when the vault is accessed. CC ID 06725 Physical and environmental protection Log Management
    Log when the cabinet is accessed. CC ID 11674 Physical and environmental protection Log Management
    Observe restricted areas with motion detectors or closed-circuit television systems. CC ID 01328 Physical and environmental protection Monitor and Evaluate Occurrences
    Review and correlate all data collected from video cameras and/or access control mechanisms with other entries. CC ID 11609 Physical and environmental protection Monitor and Evaluate Occurrences
    Monitor physical entry point alarms. CC ID 01639 Physical and environmental protection Physical and Environmental Protection
    Evaluate and react to when unauthorized access is detected by physical entry point alarms. CC ID 11677 Physical and environmental protection Monitor and Evaluate Occurrences
    Monitor for alarmed security doors being propped open. CC ID 06684 Physical and environmental protection Monitor and Evaluate Occurrences
    Track restricted storage media while it is in transit. CC ID 00967 Physical and environmental protection Data and Information Management
    Test and inspect assets under full load working conditions. CC ID 06356 Physical and environmental protection Testing
    Monitor and review environmental protections. CC ID 12571 Physical and environmental protection Monitor and Evaluate Occurrences
    Install and maintain seismic detectors in critical facilities. CC ID 06364 Physical and environmental protection Physical and Environmental Protection
    Install and maintain an environment control monitoring system. CC ID 06370 Physical and environmental protection Monitor and Evaluate Occurrences
    Identify all stakeholders critical to the continuity of operations. CC ID 12741 Operational and Systems Continuity Systems Continuity
    Monitor and evaluate business continuity management system performance. CC ID 12410 Operational and Systems Continuity Monitor and Evaluate Occurrences
    Establish, implement, and maintain the organization's call tree. CC ID 01167 Operational and Systems Continuity Testing
    Determine the cause for the activation of the recovery plan. CC ID 13291 Operational and Systems Continuity Investigate
    Test the recovery plan, as necessary. CC ID 13290 Operational and Systems Continuity Testing
    Test the backup information, as necessary. CC ID 13303 Operational and Systems Continuity Testing
    Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 Operational and Systems Continuity Establish/Maintain Documentation
    Determine which data elements to back up. CC ID 13483 Operational and Systems Continuity Data and Information Management
    Separate the off-site electronic media storage facilities from the primary facility through geographic separation. CC ID 01390 Operational and Systems Continuity Testing
    Review the security of the off-site electronic media storage facilities, as necessary. CC ID 00573 Operational and Systems Continuity Systems Continuity
    Test backup media for media integrity and information integrity, as necessary. CC ID 01401
    [Backup copies of information, software and system images should be taken and tested regularly in accordance with an agreed backup policy. § 12.3.1 Control]
    Operational and Systems Continuity Testing
    Test backup media at the alternate facility in addition to testing at the primary facility. CC ID 06375 Operational and Systems Continuity Testing
    Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 Human Resources management Testing
    Perform a background check during personnel screening. CC ID 11758
    [Background verification checks on all candidates for employment should be carried out in accordance with relevant laws, regulations and ethics and should be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. § 7.1.1 Control
    Background verification checks on all candidates for employment should be carried out in accordance with relevant laws, regulations and ethics and should be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. § 7.1.1 Control]
    Human Resources management Human Resources Management
    Verify completion of each activity in the employee termination checklist when an individual is terminated. CC ID 12449 Human Resources management Human Resources Management
    Document all training in a training record. CC ID 01423 Human Resources management Establish/Maintain Documentation
    Conduct tests and evaluate training. CC ID 06672 Human Resources management Testing
    Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 Human Resources management Training
    Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 Human Resources management Training
    Monitor and measure the effectiveness of security awareness. CC ID 06262 Human Resources management Monitor and Evaluate Occurrences
    Analyze and evaluate training records to improve the training program. CC ID 06380 Human Resources management Monitor and Evaluate Occurrences
    Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962 Operational management Establish/Maintain Documentation
    Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110 Operational management Technical Security
    Test systems for malicious code prior to when the system will be redeployed. CC ID 06339 Operational management Testing
    Control and monitor all maintenance tools. CC ID 01432 Operational management Physical and Environmental Protection
    Conduct maintenance with authorized personnel. CC ID 01434 Operational management Testing
    Calibrate assets according to the calibration procedures for the asset. CC ID 06203 Operational management Testing
    Test for detrimental environmental factors after a system is disposed. CC ID 06938 Operational management Testing
    Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program. CC ID 11886 Operational management Investigate
    Establish, implement, and maintain incident response procedures. CC ID 01206
    [Information security incidents should be responded to in accordance with the documented procedures. § 16.1.5 Control]
    Operational management Establish/Maintain Documentation
    Test proposed changes prior to their approval. CC ID 00548 Operational management Testing
    Examine all changes to ensure they correspond with the change request. CC ID 12345
    [Modifications to software packages should be discouraged, limited to necessary changes and all changes should be strictly controlled. § 14.2.4 Control]
    Operational management Business Processes
    Conduct network certifications prior to approving change requests for networks. CC ID 13121 Operational management Process or Activity
    Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 Operational management Investigate
    Collect data about the network environment when certifying the network. CC ID 13125 Operational management Investigate
    Review the patch log for missing patches. CC ID 13186 Operational management Technical Security
    Perform a patch test prior to deploying a patch. CC ID 00898 Operational management Testing
    Test software patches for any potential compromise of the system's security. CC ID 13175 Operational management Testing
    Review changes to computer firmware. CC ID 12226 Operational management Testing
    Certify changes to computer firmware are free of malicious logic. CC ID 12227 Operational management Testing
    Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682 Operational management Technical Security
    Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391 Operational management Establish/Maintain Documentation
    Test the system's operational functionality after implementing approved changes. CC ID 06294 Operational management Testing
    Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541
    [Acceptance testing programs and related criteria should be established for new information systems, upgrades and new versions. § 14.2.9 Control]
    Operational management Testing
    Establish, implement, and maintain a configuration change log. CC ID 08710 Operational management Configuration
    Ensure the root account is the first entry in password files. CC ID 16323 System hardening through configuration management Data and Information Management
    Configure the log to capture actions taken by individuals with root privileges or administrative privileges and add logging option to the root file system. CC ID 00645
    [System administrator and system operator activities should be logged and the logs protected and regularly reviewed. § 12.4.3 Control]
    System hardening through configuration management Log Management
    Define each system's preservation requirements for records and logs. CC ID 00904 Records management Establish/Maintain Documentation
    Destroy electronic storage media following the storage media disposition and destruction procedures. CC ID 00970
    [Media should be disposed of securely when no longer required, using formal procedures. § 8.3.2 Control]
    Records management Testing
    Maintain media sanitization equipment in operational condition. CC ID 00721 Records management Testing
    Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 Records management Records Management
    Establish, implement, and maintain online storage monitoring and reporting capabilities. CC ID 00935 Records management Monitor and Evaluate Occurrences
    Store records on non-rewritable, non-erasable storage media formats, as necessary. CC ID 00944 Records management Testing
    Provide audit trails for all pertinent records. CC ID 00372 Records management Establish/Maintain Documentation
    Identify electronic storage media that require downgrading. CC ID 10620 Records management Process or Activity
    Test the storage media downgrade for correct performance. CC ID 10623 Records management Testing
    Restrict system architects from being assigned as Administrators. CC ID 01064 Systems design, build, and implementation Testing
    Restrict the development team from having access to the production environment. CC ID 01066 Systems design, build, and implementation Testing
    Supervise and monitor outsourced development projects. CC ID 01096
    [The organization should supervise and monitor the activity of outsourced system development. § 14.2.7 Control]
    Systems design, build, and implementation Monitor and Evaluate Occurrences
    Include anti-tamper technologies and anti-tamper techniques in the system design specification. CC ID 10639 Systems design, build, and implementation Monitor and Evaluate Occurrences
    Audit all modifications to the application being developed. CC ID 01614 Systems design, build, and implementation Testing
    Conduct a design review at each milestone or quality gate. CC ID 01087 Systems design, build, and implementation Systems Design, Build, and Implementation
    Reassess the system design after the product has been tested. CC ID 01088 Systems design, build, and implementation Testing
    Document the results of the source code analysis. CC ID 14310 Systems design, build, and implementation Process or Activity
    Monitor the development environment for when malicious code is discovered. CC ID 06396 Systems design, build, and implementation Systems Design, Build, and Implementation
    Perform Quality Management on all newly developed or modified systems. CC ID 01100 Systems design, build, and implementation Testing
    Require a data protection impact assessment when profiling the data subject. CC ID 12680 Privacy protection for information and data Process or Activity
    Document privacy policies in clearly written and easily understood language. CC ID 00376 Privacy protection for information and data Establish/Maintain Documentation
    Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 Privacy protection for information and data Behavior
    Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 Privacy protection for information and data Behavior
    Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778 Privacy protection for information and data Process or Activity
    Analyze requirements for processing personal data in contracts. CC ID 12550 Privacy protection for information and data Investigate
    Disclose personal data when the data subject has consented and has the ability to opt out. CC ID 00158 Privacy protection for information and data Data and Information Management
    Disclose restricted data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162 Privacy protection for information and data Establish/Maintain Documentation
    Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 Privacy protection for information and data Data and Information Management
    Determine the financial impact for the unauthorized disclosure of privacy-related data and privacy-related information. CC ID 06488 Privacy protection for information and data Business Processes
    Confirm the data quality of personal data collected from third parties. CC ID 13510 Privacy protection for information and data Investigate
    Review the methods for collecting personal data, as necessary. CC ID 13511 Privacy protection for information and data Investigate
    Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 Privacy protection for information and data Testing
    Conduct personal data risk assessments. CC ID 00357 Privacy protection for information and data Testing
    Establish, implement, and maintain suspicious document procedures. CC ID 04852 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 Privacy protection for information and data Data and Information Management
    Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 Privacy protection for information and data Monitor and Evaluate Occurrences
    Perform an identity check prior to approving an account change request. CC ID 13670 Privacy protection for information and data Investigate
    Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 Privacy protection for information and data Behavior
    Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 Privacy protection for information and data Data and Information Management
    Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 Privacy protection for information and data Log Management
    Log dates for account name changes or address changes. CC ID 04876 Privacy protection for information and data Log Management
    Review accounts that are changed for additional user requests. CC ID 11846 Privacy protection for information and data Monitor and Evaluate Occurrences
    Send change notices for change of address requests to the old address and the new address. CC ID 04877 Privacy protection for information and data Data and Information Management
    Search the Internet for evidence of data leakage. CC ID 10419 Privacy protection for information and data Process or Activity
    Review monitored websites for data leakage. CC ID 10593 Privacy protection for information and data Monitor and Evaluate Occurrences
    Conduct internal data processing audits. CC ID 00374 Privacy protection for information and data Testing
    Review compliance with the organization's privacy objectives. CC ID 13490 Privacy protection for information and data Human Resources Management
    Investigate privacy rights violation complaints. CC ID 00480 Privacy protection for information and data Behavior
    Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491 Privacy protection for information and data Behavior
    Investigate privacy rights violation complaints in private. CC ID 00492 Privacy protection for information and data Behavior
    Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493 Privacy protection for information and data Behavior
    Allow the complainant to appear before the commissioner and make a submission, orally or in writing, about the privacy rights violation complaint investigation prior to an adverse decision to the complainant is reached. CC ID 00494 Privacy protection for information and data Behavior
    Define the available administrative remedies in regards to a privacy rights violation complaint. CC ID 00497 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from subjecting individuals to retaliation or intimidation after a complaint is created. CC ID 06218 Privacy protection for information and data Testing
    Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794
    [All relevant information security requirements should be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization’s information. § 15.1.2 Control]
    Third Party and supply chain oversight Process or Activity
    Include a termination provision clause in third party contracts. CC ID 01367 Third Party and supply chain oversight Establish/Maintain Documentation
    Include third party requirements for personnel security in third party contracts. CC ID 00790 Third Party and supply chain oversight Testing
    Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 Third Party and supply chain oversight Testing
    Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 Third Party and supply chain oversight Testing
    Establish the third party's service continuity. CC ID 00797 Third Party and supply chain oversight Testing
    Determine the adequacy of a third party's alternate site preparations. CC ID 06879 Third Party and supply chain oversight Testing
    Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 Third Party and supply chain oversight Data and Information Management
    Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 Third Party and supply chain oversight Testing
    Perform risk assessments of third parties, as necessary. CC ID 06454 Third Party and supply chain oversight Testing
    Assess third parties' compliance environment during due diligence. CC ID 13134 Third Party and supply chain oversight Process or Activity
    Request attestation of compliance from third parties. CC ID 12067 Third Party and supply chain oversight Establish/Maintain Documentation
    Assess the effectiveness of third party services provided to the organization. CC ID 13142 Third Party and supply chain oversight Business Processes
    Monitor third parties for performance and effectiveness, as necessary. CC ID 00799
    [Organizations should regularly monitor, review and audit supplier service delivery. § 15.2.1 Control]
    Third Party and supply chain oversight Monitor and Evaluate Occurrences
    Monitor third parties' financial conditions. CC ID 13170 Third Party and supply chain oversight Monitor and Evaluate Occurrences
  • IT Impact Zone
    14
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Leadership and high level objectives CC ID 00597 Leadership and high level objectives IT Impact Zone
    Monitoring and measurement CC ID 00636 Monitoring and measurement IT Impact Zone
    Audits and risk management CC ID 00677 Audits and risk management IT Impact Zone
    Technical security CC ID 00508 Technical security IT Impact Zone
    Physical and environmental protection CC ID 00709 Physical and environmental protection IT Impact Zone
    Operational and Systems Continuity CC ID 00731 Operational and Systems Continuity IT Impact Zone
    Human Resources management CC ID 00763 Human Resources management IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    System hardening through configuration management CC ID 00860 System hardening through configuration management IT Impact Zone
    Records management CC ID 00902 Records management IT Impact Zone
    Systems design, build, and implementation CC ID 00989 Systems design, build, and implementation IT Impact Zone
    Acquisition or sale of facilities, technology, and services CC ID 01123 Acquisition or sale of facilities, technology, and services IT Impact Zone
    Privacy protection for information and data CC ID 00008 Privacy protection for information and data IT Impact Zone
    Third Party and supply chain oversight CC ID 08807 Third Party and supply chain oversight IT Impact Zone
  • Preventive
    2470
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Analyze organizational objectives, functions, and activities. CC ID 00598 Leadership and high level objectives Monitor and Evaluate Occurrences
    Establish, implement, and maintain organizational objectives. CC ID 09959 Leadership and high level objectives Establish/Maintain Documentation
    Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398 Leadership and high level objectives Establish/Maintain Documentation
    Review the organization's approach to managing information security, as necessary. CC ID 12005
    [The organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) should be reviewed independently at planned intervals or when significant changes occur. § 18.2.1 Control]
    Leadership and high level objectives Business Processes
    Establish, implement, and maintain an information classification standard. CC ID 00601 Leadership and high level objectives Establish/Maintain Documentation
    Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997
    [Information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification. § 8.2.1 Control]
    Leadership and high level objectives Data and Information Management
    Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996
    [Information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification. § 8.2.1 Control]
    Leadership and high level objectives Data and Information Management
    Classify the value of information in the information classification standard. CC ID 11995
    [Information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification. § 8.2.1 Control]
    Leadership and high level objectives Data and Information Management
    Classify the legal requirements of information in the information classification standard. CC ID 11994
    [Information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification. § 8.2.1 Control]
    Leadership and high level objectives Data and Information Management
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 Leadership and high level objectives Establish/Maintain Documentation
    Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688
    [Assets associated with information and information processing facilities should be identified and an inventory of these assets should be drawn up and maintained. § 8.1.1 Control
    All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements should be explicitly identified, documented and kept up to date for each information system and the organization. § 18.1.1 Control
    All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements should be explicitly identified, documented and kept up to date for each information system and the organization. § 18.1.1 Control]
    Leadership and high level objectives Business Processes
    Establish and maintain an Information Systems Assurance Categories Definitions document. CC ID 01608 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a policy and procedure management program. CC ID 06285 Leadership and high level objectives Establish/Maintain Documentation
    Establish and maintain an Authority Document list. CC ID 07113
    [All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements should be explicitly identified, documented and kept up to date for each information system and the organization. § 18.1.1 Control
    All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements should be explicitly identified, documented and kept up to date for each information system and the organization. § 18.1.1 Control]
    Leadership and high level objectives Establish/Maintain Documentation
    Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 Leadership and high level objectives Communicate
    Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 Leadership and high level objectives Establish/Maintain Documentation
    Classify controls according to their preventive, detective, or corrective status. CC ID 06436 Leadership and high level objectives Establish/Maintain Documentation
    Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 Leadership and high level objectives Establish/Maintain Documentation
    Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 Leadership and high level objectives Establish/Maintain Documentation
    Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 Leadership and high level objectives Establish/Maintain Documentation
    Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 Leadership and high level objectives Establish/Maintain Documentation
    Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 Leadership and high level objectives Establish/Maintain Documentation
    Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 Leadership and high level objectives Establish/Maintain Documentation
    Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 Leadership and high level objectives Establish/Maintain Documentation
    Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 Leadership and high level objectives Establish Roles
    Define the Information Assurance strategic roles and responsibilities. CC ID 00608 Leadership and high level objectives Establish Roles
    Address Information Security during the business planning processes. CC ID 06495
    [Information security should be addressed in project management, regardless of the type of the project. § 6.1.5 Control]
    Leadership and high level objectives Data and Information Management
    Document the requirements of stakeholders during the business planning process regarding Information Security. CC ID 06498 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain an audit and accountability policy. CC ID 14035 Monitoring and measurement Establish/Maintain Documentation
    Include compliance requirements in the audit and accountability policy. CC ID 14103 Monitoring and measurement Establish/Maintain Documentation
    Include coordination amongst entities in the audit and accountability policy. CC ID 14102 Monitoring and measurement Establish/Maintain Documentation
    Include the purpose in the audit and accountability policy. CC ID 14100 Monitoring and measurement Establish/Maintain Documentation
    Include roles and responsibilities in the audit and accountability policy. CC ID 14098 Monitoring and measurement Establish/Maintain Documentation
    Include management commitment in the audit and accountability policy. CC ID 14097 Monitoring and measurement Establish/Maintain Documentation
    Include the scope in the audit and accountability policy. CC ID 14096 Monitoring and measurement Establish/Maintain Documentation
    Disseminate and communicate the audit and accountability policy to interested personnel and affected parties. CC ID 14095 Monitoring and measurement Communicate
    Establish, implement, and maintain audit and accountability procedures. CC ID 14057 Monitoring and measurement Establish/Maintain Documentation
    Disseminate and communicate the audit and accountability procedures to interested personnel and affected parties. CC ID 14137 Monitoring and measurement Communicate
    Enable monitoring and logging operations on all assets that meet the organizational criteria to maintain event logs. CC ID 06312
    [Event logs recording user activities, exceptions, faults and information security events should be produced, kept and regularly reviewed. § 12.4.1 Control]
    Monitoring and measurement Log Management
    Review and approve the use of continuous security management systems. CC ID 13181 Monitoring and measurement Process or Activity
    Protect continuous security management systems from unauthorized use. CC ID 13097 Monitoring and measurement Configuration
    Establish, implement, and maintain an intrusion detection and prevention program. CC ID 15211 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain intrusion management operations. CC ID 00580 Monitoring and measurement Monitor and Evaluate Occurrences
    Establish, implement, and maintain an intrusion detection and prevention policy. CC ID 15169 Monitoring and measurement Establish/Maintain Documentation
    Install and maintain an Intrusion Detection System and/or Intrusion Prevention System. CC ID 00581 Monitoring and measurement Configuration
    Protect each person's right to privacy and civil liberties during intrusion management operations. CC ID 10035 Monitoring and measurement Behavior
    Do not intercept communications of any kind when providing a service to clients. CC ID 09985 Monitoring and measurement Behavior
    Monitor systems for unauthorized data transfers. CC ID 12971 Monitoring and measurement Monitor and Evaluate Occurrences
    Address operational anomalies within the incident management system. CC ID 11633 Monitoring and measurement Audits and Risk Management
    Incorporate an Identity Theft Prevention Program into the organization's incident management system. CC ID 11634 Monitoring and measurement Audits and Risk Management
    Monitor systems for unauthorized mobile code. CC ID 10034 Monitoring and measurement Monitor and Evaluate Occurrences
    Update the intrusion detection capabilities and the incident response capabilities regularly. CC ID 04653 Monitoring and measurement Technical Security
    Implement honeyclients to proactively seek for malicious websites and malicious code. CC ID 10658 Monitoring and measurement Technical Security
    Implement detonation chambers, where appropriate. CC ID 10670 Monitoring and measurement Technical Security
    Define and assign log management roles and responsibilities. CC ID 06311 Monitoring and measurement Establish Roles
    Document and communicate the log locations to the owning entity. CC ID 12047 Monitoring and measurement Log Management
    Make logs available for review by the owning entity. CC ID 12046 Monitoring and measurement Log Management
    Establish, implement, and maintain an event logging policy. CC ID 15217 Monitoring and measurement Establish/Maintain Documentation
    Include the system components that generate audit records in the event logging procedures. CC ID 16426 Monitoring and measurement Data and Information Management
    Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 Monitoring and measurement Log Management
    Protect the event logs from failure. CC ID 06290 Monitoring and measurement Log Management
    Overwrite the oldest records when audit logging fails. CC ID 14308 Monitoring and measurement Data and Information Management
    Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427 Monitoring and measurement Testing
    Include identity information of suspects in the suspicious activity report. CC ID 16648 Monitoring and measurement Establish/Maintain Documentation
    Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424 Monitoring and measurement Audits and Risk Management
    Reproduce the event log if a log failure is captured. CC ID 01426 Monitoring and measurement Log Management
    Document the event information to be logged in the event information log specification. CC ID 00639 Monitoring and measurement Configuration
    Enable the logging capability to capture enough information to ensure the system is functioning according to its intended purpose throughout its life cycle. CC ID 15001 Monitoring and measurement Configuration
    Enable and configure logging on all network access controls. CC ID 01963 Monitoring and measurement Configuration
    Synchronize system clocks to an accurate and universal time source on all devices. CC ID 01340
    [The clocks of all relevant information processing systems within an organization or security domain should be synchronised to a single reference time source. § 12.4.4 Control]
    Monitoring and measurement Configuration
    Centralize network time servers to as few as practical. CC ID 06308 Monitoring and measurement Configuration
    Disseminate and communicate information to customers about clock synchronization methods used by the organization. CC ID 13044 Monitoring and measurement Communicate
    Define the frequency to capture and log events. CC ID 06313 Monitoring and measurement Log Management
    Include logging frequencies in the event logging procedures. CC ID 00642 Monitoring and measurement Log Management
    Review and update the list of auditable events in the event logging procedures. CC ID 10097 Monitoring and measurement Establish/Maintain Documentation
    Disseminate and communicate monitoring capabilities with interested personnel and affected parties. CC ID 13156 Monitoring and measurement Communicate
    Disseminate and communicate statistics on resource usage with interested personnel and affected parties. CC ID 13155 Monitoring and measurement Communicate
    Establish, implement, and maintain network monitoring operations. CC ID 16444 Monitoring and measurement Monitor and Evaluate Occurrences
    Monitor for software configurations updates absent authorization. CC ID 10676 Monitoring and measurement Monitor and Evaluate Occurrences
    Allow expected changes during file integrity monitoring. CC ID 12090 Monitoring and measurement Technical Security
    Monitor for when documents are being updated absent authorization. CC ID 10677 Monitoring and measurement Monitor and Evaluate Occurrences
    Include a change history and identify who made the changes in the file integrity monitoring report. CC ID 12091 Monitoring and measurement Establish/Maintain Documentation
    Alert interested personnel and affected parties when an unauthorized modification to critical files is detected. CC ID 12045 Monitoring and measurement Process or Activity
    Develop and maintain a usage profile for each user account. CC ID 07067 Monitoring and measurement Technical Security
    Establish, implement, and maintain a testing program. CC ID 00654 Monitoring and measurement Behavior
    Establish, implement, and maintain a vulnerability management program. CC ID 15721 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a log management program. CC ID 00673 Monitoring and measurement Establish/Maintain Documentation
    Protect logs from unauthorized activity. CC ID 01345
    [System administrator and system operator activities should be logged and the logs protected and regularly reviewed. § 12.4.3 Control
    Logging facilities and log information should be protected against tampering and unauthorized access. § 12.4.2 Control]
    Monitoring and measurement Log Management
    Establish, implement, and maintain an audit program. CC ID 00684 Audits and risk management Establish/Maintain Documentation
    Exercise due professional care during the planning and performance of the audit. CC ID 07119
    [Audit requirements and activities involving verification of operational systems should be carefully planned and agreed to minimize disruptions to business processes. § 12.7.1 Control]
    Audits and risk management Behavior
    Include agreement to the audit scope and audit terms in the audit program. CC ID 06965
    [Audit requirements and activities involving verification of operational systems should be carefully planned and agreed to minimize disruptions to business processes. § 12.7.1 Control]
    Audits and risk management Establish/Maintain Documentation
    Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 Audits and risk management Establish/Maintain Documentation
    Include third party assets in the audit scope. CC ID 16504 Audits and risk management Audits and Risk Management
    Include audit subject matter in the audit program. CC ID 07103 Audits and risk management Establish/Maintain Documentation
    Examine the availability of the audit criteria in the audit program. CC ID 16520 Audits and risk management Investigate
    Examine the objectivity of the audit criteria in the audit program. CC ID 07104 Audits and risk management Establish/Maintain Documentation
    Examine the measurability of the audit criteria in the audit program. CC ID 07105 Audits and risk management Establish/Maintain Documentation
    Examine the completeness of the audit criteria in the audit program. CC ID 07106 Audits and risk management Establish/Maintain Documentation
    Examine the relevance of the audit criteria in the audit program. CC ID 07107 Audits and risk management Establish/Maintain Documentation
    Determine the appropriateness of the audit subject matter. CC ID 16505 Audits and risk management Audits and Risk Management
    Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 Audits and risk management Establish/Maintain Documentation
    Include the in scope material or in scope products in the audit program. CC ID 08961 Audits and risk management Audits and Risk Management
    Include in scope information in the audit program. CC ID 16198 Audits and risk management Establish/Maintain Documentation
    Include the out of scope material or out of scope products in the audit program. CC ID 08962 Audits and risk management Establish/Maintain Documentation
    Provide a representation letter in support of the audit assertion. CC ID 07158 Audits and risk management Establish/Maintain Documentation
    Include the date of the audit in the representation letter. CC ID 16517 Audits and risk management Audits and Risk Management
    Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 Audits and risk management Establish/Maintain Documentation
    Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 Audits and risk management Establish/Maintain Documentation
    Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 Audits and risk management Establish/Maintain Documentation
    Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 Audits and risk management Establish/Maintain Documentation
    Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 Audits and risk management Establish/Maintain Documentation
    Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 Audits and risk management Establish/Maintain Documentation
    Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 Audits and risk management Establish/Maintain Documentation
    Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 Audits and risk management Establish/Maintain Documentation
    Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 Audits and risk management Establish/Maintain Documentation
    Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 Audits and risk management Establish/Maintain Documentation
    Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 Audits and risk management Establish/Maintain Documentation
    Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 Audits and risk management Establish/Maintain Documentation
    Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 Audits and risk management Establish/Maintain Documentation
    Include an in scope system description in the audit assertion. CC ID 14872 Audits and risk management Establish/Maintain Documentation
    Include any assumptions that are improbable in the audit assertion. CC ID 13950 Audits and risk management Establish/Maintain Documentation
    Include investigations and legal proceedings in the audit assertion. CC ID 16846 Audits and risk management Establish/Maintain Documentation
    Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 Audits and risk management Establish/Maintain Documentation
    Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 Audits and risk management Establish/Maintain Documentation
    Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 Audits and risk management Establish/Maintain Documentation
    Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 Audits and risk management Establish/Maintain Documentation
    Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 Audits and risk management Establish/Maintain Documentation
    Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 Audits and risk management Establish/Maintain Documentation
    Include the in scope procedures in the audit assertion. CC ID 06972 Audits and risk management Establish/Maintain Documentation
    Include the in scope records produced in the audit assertion. CC ID 06968 Audits and risk management Establish/Maintain Documentation
    Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 Audits and risk management Establish/Maintain Documentation
    Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 Audits and risk management Establish/Maintain Documentation
    Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 Audits and risk management Establish/Maintain Documentation
    Include the in scope risk assessment processes in the audit assertion. CC ID 06975 Audits and risk management Establish/Maintain Documentation
    Include in scope change controls in the audit assertion. CC ID 06976 Audits and risk management Establish/Maintain Documentation
    Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 Audits and risk management Establish/Maintain Documentation
    Include the scope for the desired level of assurance in the audit program. CC ID 12793 Audits and risk management Communicate
    Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 Audits and risk management Establish/Maintain Documentation
    Include how access to in scope systems, personnel and in scope records are provided to the auditor in the audit terms. CC ID 06988 Audits and risk management Establish/Maintain Documentation
    Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 Audits and risk management Audits and Risk Management
    Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794 Audits and risk management Establish/Maintain Documentation
    Include the expectations for the audit report in the audit terms. CC ID 07148 Audits and risk management Establish/Maintain Documentation
    Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain a risk management program. CC ID 12051 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Audits and risk management Establish/Maintain Documentation
    Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 Audits and risk management Audits and Risk Management
    Analyze and quantify the risks to in scope systems and information. CC ID 00701 Audits and risk management Audits and Risk Management
    Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 Audits and risk management Audits and Risk Management
    Review and approve the risk assessment findings. CC ID 06485 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain an access control program. CC ID 11702 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain access control policies. CC ID 00512
    [{business requirements} An access control policy should be established, documented and reviewed based on business and information security requirements. § 9.1.1 Control
    {business requirements} An access control policy should be established, documented and reviewed based on business and information security requirements. § 9.1.1 Control]
    Technical security Establish/Maintain Documentation
    Include compliance requirements in the access control policy. CC ID 14006 Technical security Establish/Maintain Documentation
    Include coordination amongst entities in the access control policy. CC ID 14005 Technical security Establish/Maintain Documentation
    Include management commitment in the access control policy. CC ID 14004 Technical security Establish/Maintain Documentation
    Include roles and responsibilities in the access control policy. CC ID 14003 Technical security Establish/Maintain Documentation
    Include the scope in the access control policy. CC ID 14002 Technical security Establish/Maintain Documentation
    Include the purpose in the access control policy. CC ID 14001 Technical security Establish/Maintain Documentation
    Document the business need justification for user accounts. CC ID 15490 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain an instant messaging and chat system usage policy. CC ID 11815 Technical security Establish/Maintain Documentation
    Disseminate and communicate the access control policies to all interested personnel and affected parties. CC ID 10061 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain an access rights management plan. CC ID 00513
    [A formal user registration and de-registration process should be implemented to enable assignment of access rights. § 9.2.1 Control]
    Technical security Establish/Maintain Documentation
    Implement safeguards to protect access credentials from unauthorized access. CC ID 16433 Technical security Technical Security
    Inventory all user accounts. CC ID 13732 Technical security Establish/Maintain Documentation
    Establish and maintain contact information for user accounts, as necessary. CC ID 15418 Technical security Data and Information Management
    Control access rights to organizational assets. CC ID 00004
    [The allocation and use of privileged access rights should be restricted and controlled. § 9.2.3 Control
    Access to information and application system functions should be restricted in accordance with the access control policy. § 9.4.1 Control]
    Technical security Technical Security
    Configure access control lists in accordance with organizational standards. CC ID 16465 Technical security Configuration
    Add all devices requiring access control to the Access Control List. CC ID 06264 Technical security Establish/Maintain Documentation
    Generate but refrain from storing authenticators or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835 Technical security Technical Security
    Define roles for information systems. CC ID 12454 Technical security Human Resources Management
    Define access needs for each role assigned to an information system. CC ID 12455 Technical security Human Resources Management
    Define access needs for each system component of an information system. CC ID 12456 Technical security Technical Security
    Define the level of privilege required for each system component of an information system. CC ID 12457 Technical security Technical Security
    Establish access rights based on least privilege. CC ID 01411
    [The allocation and use of privileged access rights should be restricted and controlled. § 9.2.3 Control]
    Technical security Technical Security
    Assign user permissions based on job responsibilities. CC ID 00538 Technical security Technical Security
    Assign user privileges after they have management sign off. CC ID 00542 Technical security Technical Security
    Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767
    [Groups of information services, users and information systems should be segregated on networks. § 13.1.3 Control]
    Technical security Configuration
    Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 Technical security Technical Security
    Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 Technical security Configuration
    Disallow unlocking user accounts absent system administrator approval. CC ID 01413 Technical security Technical Security
    Establish, implement, and maintain session lock capabilities. CC ID 01417 Technical security Configuration
    Limit concurrent sessions according to account type. CC ID 01416 Technical security Configuration
    Establish session authenticity through Transport Layer Security. CC ID 01627 Technical security Technical Security
    Configure the "tlsverify" argument to organizational standards. CC ID 14460 Technical security Configuration
    Configure the "tlscacert" argument to organizational standards. CC ID 14521 Technical security Configuration
    Configure the "tlscert" argument to organizational standards. CC ID 14520 Technical security Configuration
    Configure the "tlskey" argument to organizational standards. CC ID 14519 Technical security Configuration
    Enable access control for objects and users on each system. CC ID 04553
    [Users should only be provided with access to the network and network services that they have been specifically authorized to use. § 9.1.2 Control]
    Technical security Configuration
    Include all system components in the access control system. CC ID 11939 Technical security Technical Security
    Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 Technical security Process or Activity
    Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 Technical security Technical Security
    Enable attribute-based access control for objects and users on information systems. CC ID 16351 Technical security Technical Security
    Enable role-based access control for objects and users on information systems. CC ID 12458 Technical security Technical Security
    Include the objects and users subject to access control in the security policy. CC ID 11836 Technical security Establish/Maintain Documentation
    Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 Technical security Establish Roles
    Enforce access restrictions for change control. CC ID 01428 Technical security Technical Security
    Enforce access restrictions for restricted data. CC ID 01921 Technical security Data and Information Management
    Permit a limited set of user actions absent identification and authentication. CC ID 04849 Technical security Technical Security
    Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262 Technical security Technical Security
    Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 Technical security Establish/Maintain Documentation
    Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 Technical security Establish/Maintain Documentation
    Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770 Technical security Technical Security
    Display previous logon information in the logon banner. CC ID 01415 Technical security Configuration
    Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771 Technical security Establish/Maintain Documentation
    Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964 Technical security Technical Security
    Control user privileges. CC ID 11665 Technical security Technical Security
    Review all user privileges, as necessary. CC ID 06784
    [Asset owners should review users’ access rights at regular intervals. § 9.2.5 Control]
    Technical security Technical Security
    Encrypt files and move them to a secure file server when a user account is disabled. CC ID 07065 Technical security Configuration
    Change authenticators after personnel status changes. CC ID 12284 Technical security Human Resources Management
    Review each user's access capabilities when their role changes. CC ID 00524 Technical security Technical Security
    Establish and maintain a Digital Rights Management program. CC ID 07093 Technical security Establish/Maintain Documentation
    Enable products restricted by Digital Rights Management to be used while offline. CC ID 07094 Technical security Technical Security
    Establish, implement, and maintain User Access Management procedures. CC ID 00514
    [A formal user access provisioning process should be implemented to assign or revoke access rights for all user types to all systems and services. § 9.2.2 Control]
    Technical security Technical Security
    Establish, implement, and maintain an authority for access authorization list. CC ID 06782 Technical security Establish/Maintain Documentation
    Review and approve logical access to all assets based upon organizational policies. CC ID 06641 Technical security Technical Security
    Control the addition and modification of user identifiers, user credentials, or other authenticators. CC ID 00515 Technical security Technical Security
    Assign roles and responsibilities for administering user account management. CC ID 11900 Technical security Human Resources Management
    Automate access control methods, as necessary. CC ID 11838 Technical security Technical Security
    Automate Access Control Systems, as necessary. CC ID 06854 Technical security Technical Security
    Refrain from storing logon credentials for third party applications. CC ID 13690 Technical security Technical Security
    Refrain from allowing user access to identifiers and authenticators used by applications. CC ID 10048 Technical security Technical Security
    Establish, implement, and maintain a password policy. CC ID 16346 Technical security Establish/Maintain Documentation
    Enforce the password policy. CC ID 16347 Technical security Technical Security
    Disseminate and communicate the password policies and password procedures to all users who have access to restricted data or restricted information. CC ID 00518 Technical security Establish/Maintain Documentation
    Limit superuser accounts to designated System Administrators. CC ID 06766 Technical security Configuration
    Enforce usage restrictions for superuser accounts. CC ID 07064 Technical security Technical Security
    Establish, implement, and maintain user accounts in accordance with the organizational Governance, Risk, and Compliance framework. CC ID 00526 Technical security Technical Security
    Protect and manage biometric systems and biometric data. CC ID 01261 Technical security Technical Security
    Establish, implement, and maintain biometric collection procedures. CC ID 15419 Technical security Establish/Maintain Documentation
    Document the business need justification for authentication data storage. CC ID 06325 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain access control procedures. CC ID 11663
    [Where required by the access control policy, access to systems and applications should be controlled by a secure log-on procedure. § 9.4.2 Control]
    Technical security Establish/Maintain Documentation
    Grant access to authorized personnel or systems. CC ID 12186 Technical security Configuration
    Document approving and granting access in the access control log. CC ID 06786 Technical security Establish/Maintain Documentation
    Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 Technical security Communicate
    Include the user identifiers of all personnel who are authorized to access a system in the system record. CC ID 15171 Technical security Establish/Maintain Documentation
    Include identity information of all personnel who are authorized to access a system in the system record. CC ID 16406 Technical security Establish/Maintain Documentation
    Include the date and time that access was reviewed in the system record. CC ID 16416 Technical security Data and Information Management
    Include the date and time that access rights were changed in the system record. CC ID 16415 Technical security Establish/Maintain Documentation
    Identify and control all network access controls. CC ID 00529 Technical security Technical Security
    Establish, implement, and maintain a network configuration standard. CC ID 00530 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain a network security policy. CC ID 06440
    [Networks should be managed and controlled to protect information in systems and applications. § 13.1.1 Control]
    Technical security Establish/Maintain Documentation
    Include compliance requirements in the network security policy. CC ID 14205 Technical security Establish/Maintain Documentation
    Include coordination amongst entities in the network security policy. CC ID 14204 Technical security Establish/Maintain Documentation
    Include management commitment in the network security policy. CC ID 14203 Technical security Establish/Maintain Documentation
    Include roles and responsibilities in the network security policy. CC ID 14202 Technical security Establish/Maintain Documentation
    Include the scope in the network security policy. CC ID 14201 Technical security Establish/Maintain Documentation
    Include the purpose in the network security policy. CC ID 14200 Technical security Establish/Maintain Documentation
    Disseminate and communicate the network security policy to interested personnel and affected parties. CC ID 14199 Technical security Communicate
    Establish, implement, and maintain system and communications protection procedures. CC ID 14052 Technical security Establish/Maintain Documentation
    Disseminate and communicate the system and communications protection procedures to interested personnel and affected parties. CC ID 14206 Technical security Communicate
    Establish, implement, and maintain a wireless networking policy. CC ID 06732 Technical security Establish/Maintain Documentation
    Include usage restrictions for Bluetooth in the wireless networking policy. CC ID 16443 Technical security Establish/Maintain Documentation
    Secure the Domain Name System. CC ID 00540 Technical security Configuration
    Implement segregation of duties. CC ID 11843
    [Conflicting duties and areas of responsibility should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets. § 6.1.2 Control]
    Technical security Technical Security
    Enforce information flow control. CC ID 11781
    [{data transfer policies} {data transfer procedures} {data transfer controls} Formal transfer policies, procedures and controls should be in place to protect the transfer of information through the use of all types of communication facilities. § 13.2.1 Control]
    Technical security Monitor and Evaluate Occurrences
    Monitor information flows for anomalies. CC ID 16365 Technical security Monitor and Evaluate Occurrences
    Establish, implement, and maintain information flow control configuration standards. CC ID 01924 Technical security Establish/Maintain Documentation
    Restrict traffic or information flow based on the node type. CC ID 16396 Technical security Technical Security
    Restrict traffic or information flow based on the destination address. CC ID 16378 Technical security Technical Security
    Restrict traffic or information flow based on the origination address. CC ID 16484 Technical security Technical Security
    Assign appropriate roles for enabling or disabling information flow controls. CC ID 06760 Technical security Establish Roles
    Require the system to identify and authenticate approved devices before establishing a connection. CC ID 01429 Technical security Testing
    Maintain a record of the challenge state during identification and authentication in an automated information exchange. CC ID 06629 Technical security Establish/Maintain Documentation
    Configure network flow monitoring to organizational standards. CC ID 16364 Technical security Configuration
    Develop and implement a content filtering word and phrase library. CC ID 07071 Technical security Establish/Maintain Documentation
    Use content filtering scans to identify information flows by data type specification. CC ID 06762 Technical security Technical Security
    Use content filtering scans to identify information flows by data type usage. CC ID 11818 Technical security Technical Security
    Prevent encrypted data from bypassing content filtering mechanisms. CC ID 06758 Technical security Technical Security
    Establish, implement, and maintain a data loss prevention solution to protect Access Control Lists. CC ID 12128 Technical security Technical Security
    Constrain the information flow of restricted data or restricted information. CC ID 06763 Technical security Data and Information Management
    Restrict access to restricted data and restricted information on a need to know basis. CC ID 12453 Technical security Data and Information Management
    Prohibit restricted data or restricted information from being sent to mobile devices. CC ID 04725 Technical security Data and Information Management
    Prohibit restricted data or restricted information from being copied or moved absent approval of system boundaries for information flow control. CC ID 06310 Technical security Data and Information Management
    Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410
    [{data transfer policies} {data transfer procedures} {data transfer controls} Formal transfer policies, procedures and controls should be in place to protect the transfer of information through the use of all types of communication facilities. § 13.2.1 Control]
    Technical security Establish/Maintain Documentation
    Define risk tolerance to illicit data flow for each type of information classification. CC ID 01923 Technical security Data and Information Management
    Establish, implement, and maintain a document printing policy. CC ID 14384 Technical security Establish/Maintain Documentation
    Include printing to personal printers during a continuity event in the document printing policy. CC ID 14396 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain information flow procedures. CC ID 04542
    [{data transfer policies} {data transfer procedures} {data transfer controls} Formal transfer policies, procedures and controls should be in place to protect the transfer of information through the use of all types of communication facilities. § 13.2.1 Control]
    Technical security Establish/Maintain Documentation
    Disclose non-privacy related restricted information after a court makes a determination the information is material to a court case. CC ID 06242 Technical security Data and Information Management
    Exchange non-privacy related restricted information with approved third parties if the information supports an approved activity. CC ID 06243 Technical security Data and Information Management
    Establish, implement, and maintain information exchange procedures. CC ID 11782 Technical security Establish/Maintain Documentation
    Perform content sanitization on data-in-transit. CC ID 16512 Technical security Data and Information Management
    Perform content conversion on data-in-transit. CC ID 16510 Technical security Data and Information Management
    Protect data from unauthorized access while transmitting between separate parts of the system. CC ID 16499 Technical security Data and Information Management
    Protect data from modification or loss while transmitting between separate parts of the system. CC ID 04554 Technical security Data and Information Management
    Protect data from unauthorized disclosure while transmitting between separate parts of the system. CC ID 11859 Technical security Data and Information Management
    Review and approve information exchange system connections. CC ID 07143 Technical security Technical Security
    Log issuers who send personal data in cleartext in the transfer audit log. CC ID 12312 Technical security Log Management
    Establish, implement, and maintain measures to detect and prevent the use of unsafe internet services. CC ID 13104 Technical security Technical Security
    Refrain from storing restricted data at unsafe Internet services or virtual servers. CC ID 13107 Technical security Technical Security
    Establish, implement, and maintain whitelists and blacklists of domain names. CC ID 07097 Technical security Establish/Maintain Documentation
    Deploy sender policy framework records in the organization's Domain Name Servers. CC ID 12183 Technical security Configuration
    Block uncategorized sites using URL filtering. CC ID 12140 Technical security Technical Security
    Establish, implement, and maintain whitelists and blacklists of web content. CC ID 15234 Technical security Data and Information Management
    Establish, implement, and maintain whitelists and blacklists of software. CC ID 11780 Technical security Establish/Maintain Documentation
    Implement information flow control policies when making decisions about information sharing or collaboration. CC ID 10094 Technical security Behavior
    Control all methods of remote access and teleworking. CC ID 00559
    [A policy and supporting security measures should be implemented to protect information accessed, processed or stored at teleworking sites. § 6.2.2 Control]
    Technical security Technical Security
    Assign virtual escorting to authorized personnel. CC ID 16440 Technical security Process or Activity
    Establish, implement, and maintain a remote access and teleworking program. CC ID 04545
    [A policy and supporting security measures should be implemented to protect information accessed, processed or stored at teleworking sites. § 6.2.2 Control]
    Technical security Establish/Maintain Documentation
    Include information security requirements in the remote access and teleworking program. CC ID 15704 Technical security Establish/Maintain Documentation
    Refrain from allowing remote users to copy files to remote devices. CC ID 06792 Technical security Technical Security
    Control remote administration in accordance with organizational standards. CC ID 04459 Technical security Configuration
    Control remote access through a network access control. CC ID 01421 Technical security Technical Security
    Install and maintain remote control software and other remote control mechanisms on critical systems. CC ID 06371 Technical security Configuration
    Prohibit remote access to systems processing cleartext restricted data or restricted information. CC ID 12324 Technical security Technical Security
    Employ multifactor authentication for remote access to the organization's network. CC ID 12505 Technical security Technical Security
    Implement multifactor authentication techniques. CC ID 00561 Technical security Configuration
    Implement phishing-resistant multifactor authentication techniques. CC ID 16541 Technical security Technical Security
    Document and approve requests to bypass multifactor authentication. CC ID 15464 Technical security Establish/Maintain Documentation
    Limit the source addresses from which remote administration is performed. CC ID 16393 Technical security Technical Security
    Protect remote access accounts with encryption. CC ID 00562 Technical security Configuration
    Manage the use of encryption controls and cryptographic controls. CC ID 00570
    [Cryptographic controls should be used in compliance with all relevant agreements, legislation and regulations. § 18.1.5 Control]
    Technical security Technical Security
    Comply with the encryption laws of the local country. CC ID 16377 Technical security Business Processes
    Define the cryptographic module security functions and the cryptographic module operational modes. CC ID 06542 Technical security Establish/Maintain Documentation
    Define the cryptographic boundaries. CC ID 06543 Technical security Establish/Maintain Documentation
    Establish and maintain the documentation requirements for cryptographic modules. CC ID 06544 Technical security Establish/Maintain Documentation
    Establish and maintain the security requirements for cryptographic module ports and cryptographic module interfaces. CC ID 06545 Technical security Establish/Maintain Documentation
    Implement the documented cryptographic module security functions. CC ID 06755 Technical security Data and Information Management
    Establish, implement, and maintain documentation for the delivery and operation of cryptographic modules. CC ID 06547 Technical security Establish/Maintain Documentation
    Document the operation of the cryptographic module. CC ID 06546 Technical security Establish/Maintain Documentation
    Employ cryptographic controls that comply with applicable requirements. CC ID 12491 Technical security Technical Security
    Establish, implement, and maintain digital signatures. CC ID 13828 Technical security Data and Information Management
    Include the expiration date in digital signatures. CC ID 13833 Technical security Data and Information Management
    Include audience restrictions in digital signatures. CC ID 13834 Technical security Data and Information Management
    Include the subject in digital signatures. CC ID 13832 Technical security Data and Information Management
    Include the issuer in digital signatures. CC ID 13831 Technical security Data and Information Management
    Include identifiers in the digital signature. CC ID 13829 Technical security Data and Information Management
    Generate and protect a secret random number for each digital signature. CC ID 06577 Technical security Establish/Maintain Documentation
    Establish the security strength requirements for the digital signature process. CC ID 06578 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546
    [A policy on the use of cryptographic controls for protection of information should be developed and implemented. § 10.1.1 Control
    A policy on the use, protection and lifetime of cryptographic keys should be developed and implemented through their whole lifecycle. § 10.1.2 Control]
    Technical security Establish/Maintain Documentation
    Refrain from allowing the use of cleartext for input or output of restricted data or restricted information. CC ID 04823 Technical security Configuration
    Encrypt in scope data or in scope information, as necessary. CC ID 04824 Technical security Data and Information Management
    Digitally sign records and data, as necessary. CC ID 16507 Technical security Data and Information Management
    Make key usage for data fields unique for each device. CC ID 04828 Technical security Technical Security
    Decrypt restricted data for the minimum time required. CC ID 12308 Technical security Data and Information Management
    Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 Technical security Data and Information Management
    Accept only trusted keys and/or certificates. CC ID 11988 Technical security Technical Security
    Establish, implement, and maintain cryptographic key creation domain parameter requirements. CC ID 06575 Technical security Data and Information Management
    Define the asymmetric signature field for the CHUID container on identification cards or badges. CC ID 06584 Technical security Process or Activity
    Implement cryptographic operations and support functions on identification cards or badges. CC ID 06585 Technical security Process or Activity
    Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 Technical security Communicate
    Define the format of the biometric data on identification cards or badges. CC ID 06586 Technical security Process or Activity
    Protect salt values and hash values in accordance with organizational standards. CC ID 16471 Technical security Data and Information Management
    Provide guidance to customers on how to securely transmit, store, and update cryptographic keys. CC ID 12040 Technical security Establish/Maintain Documentation
    Disseminate and communicate the encryption management procedures to all interested personnel and affected parties. CC ID 15477 Technical security Communicate
    Establish, implement, and maintain encryption management procedures. CC ID 15475 Technical security Establish/Maintain Documentation
    Define and assign cryptographic, encryption and key management roles and responsibilities. CC ID 15470 Technical security Establish Roles
    Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 Technical security Establish/Maintain Documentation
    Disseminate and communicate cryptographic key management procedures to interested personnel and affected parties. CC ID 13164 Technical security Communicate
    Bind keys to each identity. CC ID 12337 Technical security Technical Security
    Include recommended cryptographic key management procedures for cloud service providers in the cryptographic key management procedures. CC ID 13152 Technical security Establish/Maintain Documentation
    Include requesting cryptographic key types in the cryptographic key management procedures. CC ID 13151 Technical security Establish/Maintain Documentation
    Recover encrypted data for lost cryptographic keys, compromised cryptographic keys, or damaged cryptographic keys. CC ID 01301 Technical security Data and Information Management
    Generate strong cryptographic keys. CC ID 01299 Technical security Data and Information Management
    Generate unique cryptographic keys for each user. CC ID 12169 Technical security Technical Security
    Use approved random number generators for creating cryptographic keys. CC ID 06574 Technical security Data and Information Management
    Implement decryption keys so that they are not linked to user accounts. CC ID 06851 Technical security Technical Security
    Include the establishment of cryptographic keys in the cryptographic key management procedures. CC ID 06540 Technical security Establish/Maintain Documentation
    Disseminate and communicate cryptographic keys securely. CC ID 01300 Technical security Data and Information Management
    Control the input and output of cryptographic keys from a cryptographic module. CC ID 06541 Technical security Data and Information Management
    Store cryptographic keys securely. CC ID 01298 Technical security Data and Information Management
    Restrict access to cryptographic keys. CC ID 01297 Technical security Data and Information Management
    Store cryptographic keys in encrypted format. CC ID 06084 Technical security Data and Information Management
    Store key-encrypting keys and data-encrypting keys in different locations. CC ID 06085 Technical security Technical Security
    Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 Technical security Establish/Maintain Documentation
    Change cryptographic keys in accordance with organizational standards. CC ID 01302 Technical security Data and Information Management
    Destroy cryptographic keys promptly after the retention period. CC ID 01303 Technical security Data and Information Management
    Control cryptographic keys with split knowledge and dual control. CC ID 01304 Technical security Data and Information Management
    Prevent the unauthorized substitution of cryptographic keys. CC ID 01305 Technical security Data and Information Management
    Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys. CC ID 06852 Technical security Technical Security
    Archive outdated cryptographic keys. CC ID 06884 Technical security Data and Information Management
    Archive revoked cryptographic keys. CC ID 11819 Technical security Data and Information Management
    Require key custodians to sign the cryptographic key management policy. CC ID 01308 Technical security Establish/Maintain Documentation
    Require key custodians to sign the key custodian's roles and responsibilities. CC ID 11820 Technical security Human Resources Management
    Manage the digital signature cryptographic key pair. CC ID 06576 Technical security Data and Information Management
    Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates. CC ID 06587 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain Public Key certificate application procedures. CC ID 07079 Technical security Establish/Maintain Documentation
    Establish a Registration Authority to support the Public Key Infrastructure. CC ID 15725 Technical security Establish Roles
    Include the Identification and Authentication of individuals or entities in the Public Key certificate application procedures. CC ID 07080 Technical security Establish/Maintain Documentation
    Include approving or rejecting Public Key certificate applications in the Public Key certificate application procedure. CC ID 07081 Technical security Establish/Maintain Documentation
    Include revocation of Public Key certificates in the Public Key certificate procedures. CC ID 07082 Technical security Establish/Maintain Documentation
    Publish revoked Public Key certificates in the Certificate Revocation List. CC ID 07089 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain Public Key renewal or rekeying request procedures. CC ID 07083 Technical security Establish/Maintain Documentation
    Include identification and authentication in Public Key renewal or rekeying request procedures. CC ID 11816 Technical security Establish/Maintain Documentation
    Issue authentication mechanisms that support the Public Key Infrastructure. CC ID 07092 Technical security Technical Security
    Establish a Root Certification Authority to support the Public Key Infrastructure. CC ID 07084 Technical security Technical Security
    Establish, implement, and maintain Public Key certificate procedures. CC ID 07085 Technical security Establish/Maintain Documentation
    Include signing and issuing Public Key certificates in the Public Key certificate procedures. CC ID 11817 Technical security Establish/Maintain Documentation
    Include publishing Public Key certificates in the Public Key certificate procedures. CC ID 07087 Technical security Establish/Maintain Documentation
    Include access to issued Public Key certificates in the Public Key certificate procedures. CC ID 07086 Technical security Establish/Maintain Documentation
    Connect the Public Key Infrastructure to the organization's identity and access management system. CC ID 07091 Technical security Technical Security
    Archive Public Key certificate records according to organizational Records Management rules. CC ID 07090 Technical security Records Management
    Refrain from storing encryption keys with cloud service providers when cryptographic key management services are in place locally. CC ID 13153 Technical security Technical Security
    Refrain from permitting cloud service providers to manage encryption keys when cryptographic key management services are in place locally. CC ID 13154 Technical security Technical Security
    Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564 Technical security Technical Security
    Ensure restricted data or restricted information are encrypted prior to or at the time of transmission. CC ID 01749 Technical security Configuration
    Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 Technical security Technical Security
    Encrypt traffic over networks with trusted cryptographic keys. CC ID 12490 Technical security Technical Security
    Authorize transactions of data transmitted over public networks or shared data networks. CC ID 00566 Technical security Establish/Maintain Documentation
    Treat data messages that do not receive an acknowledgment as never been sent. CC ID 14416 Technical security Technical Security
    Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 Technical security Technical Security
    Protect application services information transmitted over a public network from unauthorized modification. CC ID 12021
    [{unauthorized modification} Information involved in application services passing over public networks should be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. § 14.1.2 Control]
    Technical security Technical Security
    Protect application services information transmitted over a public network from unauthorized disclosure. CC ID 12020
    [{unauthorized modification} Information involved in application services passing over public networks should be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. § 14.1.2 Control]
    Technical security Technical Security
    Protect application services information transmitted over a public network from contract disputes. CC ID 12019
    [{unauthorized modification} Information involved in application services passing over public networks should be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. § 14.1.2 Control]
    Technical security Technical Security
    Protect application services information transmitted over a public network from fraudulent activity. CC ID 12018
    [{unauthorized modification} Information involved in application services passing over public networks should be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. § 14.1.2 Control]
    Technical security Technical Security
    Establish, implement, and maintain a malicious code protection program. CC ID 00574 Technical security Establish/Maintain Documentation
    Install security and protection software, as necessary. CC ID 00575
    [{detection controls} {prevention controls} Detection, prevention and recovery controls to protect against malware should be implemented, combined with appropriate user awareness. § 12.2.1 Control
    {detection controls} {prevention controls} Detection, prevention and recovery controls to protect against malware should be implemented, combined with appropriate user awareness. § 12.2.1 Control
    {detection controls} {prevention controls} Detection, prevention and recovery controls to protect against malware should be implemented, combined with appropriate user awareness. § 12.2.1 Control]
    Technical security Configuration
    Install and maintain container security solutions. CC ID 16178 Technical security Technical Security
    Establish, implement, and maintain a physical security program. CC ID 11757 Physical and environmental protection Establish/Maintain Documentation
    Protect assets from tampering or unapproved substitution. CC ID 11902
    [Logging facilities and log information should be protected against tampering and unauthorized access. § 12.4.2 Control]
    Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain a facility physical security program. CC ID 00711
    [Physical security for offices, rooms and facilities should be designed and applied. § 11.1.3 Control]
    Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain opening procedures for businesses. CC ID 16671 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain closing procedures for businesses. CC ID 16670 Physical and environmental protection Establish/Maintain Documentation
    Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 Physical and environmental protection Establish/Maintain Documentation
    Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 Physical and environmental protection Behavior
    Protect the facility from crime. CC ID 06347 Physical and environmental protection Physical and Environmental Protection
    Define communication methods for reporting crimes. CC ID 06349 Physical and environmental protection Establish/Maintain Documentation
    Include identification cards or badges in the physical security program. CC ID 14818 Physical and environmental protection Establish/Maintain Documentation
    Protect facilities from eavesdropping. CC ID 02222 Physical and environmental protection Physical and Environmental Protection
    Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 Physical and environmental protection Technical Security
    Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 Physical and environmental protection Establish/Maintain Documentation
    Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 Physical and environmental protection Physical and Environmental Protection
    Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 Physical and environmental protection Physical and Environmental Protection
    Create security zones in facilities, as necessary. CC ID 16295 Physical and environmental protection Physical and Environmental Protection
    Establish clear zones around any sensitive facilities. CC ID 02214 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain floor plans. CC ID 16419 Physical and environmental protection Establish/Maintain Documentation
    Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 Physical and environmental protection Establish/Maintain Documentation
    Post floor plans of critical facilities in secure locations. CC ID 16138 Physical and environmental protection Communicate
    Post and maintain security signage for all facilities. CC ID 02201 Physical and environmental protection Establish/Maintain Documentation
    Inspect items brought into the facility. CC ID 06341 Physical and environmental protection Physical and Environmental Protection
    Maintain all physical security systems. CC ID 02206 Physical and environmental protection Physical and Environmental Protection
    Maintain all security alarm systems. CC ID 11669 Physical and environmental protection Physical and Environmental Protection
    Identify and document physical access controls for all physical entry points. CC ID 01637
    [Secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. § 11.1.2 Control]
    Physical and environmental protection Establish/Maintain Documentation
    Control physical access to (and within) the facility. CC ID 01329 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain physical access procedures. CC ID 13629 Physical and environmental protection Establish/Maintain Documentation
    Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419 Physical and environmental protection Physical and Environmental Protection
    Configure the access control system to grant access only during authorized working hours. CC ID 12325 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain a visitor access permission policy. CC ID 06699 Physical and environmental protection Establish/Maintain Documentation
    Escort visitors within the facility, as necessary. CC ID 06417 Physical and environmental protection Establish/Maintain Documentation
    Check the visitor's stated identity against a provided government issued identification. CC ID 06701 Physical and environmental protection Physical and Environmental Protection
    Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330 Physical and environmental protection Testing
    Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 Physical and environmental protection Behavior
    Establish, implement, and maintain procedures for changing a visitor's access requirements. CC ID 12048 Physical and environmental protection Establish/Maintain Documentation
    Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 Physical and environmental protection Establish/Maintain Documentation
    Authorize physical access to sensitive areas based on job functions. CC ID 12462 Physical and environmental protection Establish/Maintain Documentation
    Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747 Physical and environmental protection Monitor and Evaluate Occurrences
    Establish, implement, and maintain physical identification procedures. CC ID 00713 Physical and environmental protection Establish/Maintain Documentation
    Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 Physical and environmental protection Human Resources Management
    Implement physical identification processes. CC ID 13715 Physical and environmental protection Process or Activity
    Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 Physical and environmental protection Process or Activity
    Issue photo identification badges to all employees. CC ID 12326 Physical and environmental protection Physical and Environmental Protection
    Implement operational requirements for card readers. CC ID 02225 Physical and environmental protection Testing
    Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 Physical and environmental protection Establish/Maintain Documentation
    Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 Physical and environmental protection Physical and Environmental Protection
    Manage constituent identification inside the facility. CC ID 02215 Physical and environmental protection Behavior
    Direct each employee to be responsible for their identification card or badge. CC ID 12332 Physical and environmental protection Human Resources Management
    Manage visitor identification inside the facility. CC ID 11670 Physical and environmental protection Physical and Environmental Protection
    Issue visitor identification badges to all non-employees. CC ID 00543 Physical and environmental protection Behavior
    Secure unissued visitor identification badges. CC ID 06712 Physical and environmental protection Physical and Environmental Protection
    Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 Physical and environmental protection Behavior
    Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain identification issuance procedures for identification cards or badges. CC ID 06598 Physical and environmental protection Establish/Maintain Documentation
    Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714 Physical and environmental protection Process or Activity
    Include error handling controls in identification issuance procedures. CC ID 13709 Physical and environmental protection Establish/Maintain Documentation
    Include an appeal process in the identification issuance procedures. CC ID 15428 Physical and environmental protection Business Processes
    Include information security in the identification issuance procedures. CC ID 15425 Physical and environmental protection Establish/Maintain Documentation
    Include identity proofing processes in the identification issuance procedures. CC ID 06597 Physical and environmental protection Process or Activity
    Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 Physical and environmental protection Establish/Maintain Documentation
    Include an identity registration process in the identification issuance procedures. CC ID 11671 Physical and environmental protection Establish/Maintain Documentation
    Restrict access to the badge system to authorized personnel. CC ID 12043 Physical and environmental protection Physical and Environmental Protection
    Enforce dual control for badge assignments. CC ID 12328 Physical and environmental protection Physical and Environmental Protection
    Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 Physical and environmental protection Physical and Environmental Protection
    Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain identification renewal procedures for identification cards or badges. CC ID 06599 Physical and environmental protection Establish/Maintain Documentation
    Assign employees the responsibility for controlling their identification badges. CC ID 12333 Physical and environmental protection Human Resources Management
    Establish, implement, and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain identification mechanism termination procedures. CC ID 06306 Physical and environmental protection Establish/Maintain Documentation
    Prevent tailgating through physical entry points. CC ID 06685 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain a door security standard. CC ID 06686 Physical and environmental protection Establish/Maintain Documentation
    Install doors so that exposed hinges are on the secured side. CC ID 06687 Physical and environmental protection Configuration
    Install emergency doors to permit egress only. CC ID 06688 Physical and environmental protection Configuration
    Install contact alarms on doors, as necessary. CC ID 06710 Physical and environmental protection Configuration
    Use locks to protect against unauthorized physical access. CC ID 06342 Physical and environmental protection Physical and Environmental Protection
    Use locks with electronic authentication systems or cipher locks, as necessary. CC ID 06650 Physical and environmental protection Configuration
    Secure unissued access mechanisms. CC ID 06713 Physical and environmental protection Technical Security
    Establish, implement, and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems. CC ID 00748 Physical and environmental protection Establish/Maintain Documentation
    Change cipher lock codes, as necessary. CC ID 06651 Physical and environmental protection Technical Security
    Record the assigned access mechanism serial number or cipher lock code when issuing controlled items. CC ID 06715 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain a window security standard. CC ID 06689 Physical and environmental protection Establish/Maintain Documentation
    Install contact alarms on openable windows, as necessary. CC ID 06690 Physical and environmental protection Configuration
    Install glass break alarms on windows, as necessary. CC ID 06691 Physical and environmental protection Configuration
    Post signs at all physical entry points stating the organization's right to inspect upon entry. CC ID 02204 Physical and environmental protection Establish/Maintain Documentation
    Install and maintain security lighting at all physical entry points. CC ID 02205 Physical and environmental protection Physical and Environmental Protection
    Use vandal resistant light fixtures for all security lighting. CC ID 16130 Physical and environmental protection Physical and Environmental Protection
    Manage access to loading docks, unloading docks, and mail rooms. CC ID 02210
    [{delivery area} Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises should be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access. § 11.1.6 Control]
    Physical and environmental protection Physical and Environmental Protection
    Secure the loading dock with physical access controls or security guards. CC ID 06703 Physical and environmental protection Physical and Environmental Protection
    Isolate loading areas from information processing facilities, if possible. CC ID 12028
    [{delivery area} Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises should be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access. § 11.1.6 Control]
    Physical and environmental protection Physical and Environmental Protection
    Screen incoming mail and deliveries. CC ID 06719 Physical and environmental protection Physical and Environmental Protection
    Protect access to the facility's mechanical systems area. CC ID 02212 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain elevator security guidelines. CC ID 02232 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain stairwell security guidelines. CC ID 02233 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain glass opening security guidelines. CC ID 02234 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain after hours facility access procedures. CC ID 06340 Physical and environmental protection Establish/Maintain Documentation
    Establish a security room, if necessary. CC ID 00738 Physical and environmental protection Physical and Environmental Protection
    Implement physical security standards for mainframe rooms or data centers. CC ID 00749 Physical and environmental protection Physical and Environmental Protection
    Establish and maintain equipment security cages in a shared space environment. CC ID 06711 Physical and environmental protection Physical and Environmental Protection
    Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain vault physical security standards. CC ID 02203 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain a guideline for working in a secure area. CC ID 04538
    [Procedures for working in secure areas should be designed and applied. § 11.1.5 Control]
    Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain emergency re-entry procedures. CC ID 11672 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain emergency exit procedures. CC ID 01252 Physical and environmental protection Establish/Maintain Documentation
    Establish, Implement, and maintain a camera operating policy. CC ID 15456 Physical and environmental protection Establish/Maintain Documentation
    Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 Physical and environmental protection Communicate
    Establish and maintain a visitor log. CC ID 00715 Physical and environmental protection Log Management
    Require all visitors to sign in to the visitor log before the entrance of a visitor to the facility. CC ID 06700 Physical and environmental protection Establish/Maintain Documentation
    Require all visitors to sign out of the visitor log before the exit of a visitor from the facility. CC ID 06649 Physical and environmental protection Behavior
    Record the visitor's name in the visitor log. CC ID 00557 Physical and environmental protection Log Management
    Record the visitor's organization in the visitor log. CC ID 12121 Physical and environmental protection Log Management
    Record the visitor's acceptable access areas in the visitor log. CC ID 12237 Physical and environmental protection Log Management
    Record the date and time of entry in the visitor log. CC ID 13255 Physical and environmental protection Establish/Maintain Documentation
    Record the onsite personnel authorizing physical access for the visitor in the visitor log. CC ID 12466 Physical and environmental protection Establish/Maintain Documentation
    Retain all records in the visitor log as prescribed by law. CC ID 00572 Physical and environmental protection Log Management
    Establish, implement, and maintain a physical access log. CC ID 12080 Physical and environmental protection Establish/Maintain Documentation
    Log the entrance of a staff member to a facility or designated rooms within the facility. CC ID 01641 Physical and environmental protection Log Management
    Store facility access logs in off-site storage. CC ID 06958 Physical and environmental protection Log Management
    Log the exit of a staff member to a facility or designated rooms within the facility. CC ID 11675 Physical and environmental protection Monitor and Evaluate Occurrences
    Configure video cameras to cover all physical entry points. CC ID 06302 Physical and environmental protection Configuration
    Configure video cameras to prevent physical tampering or disablement. CC ID 06303 Physical and environmental protection Configuration
    Retain video events according to Records Management procedures. CC ID 06304 Physical and environmental protection Records Management
    Establish, implement, and maintain physical security threat reports. CC ID 02207 Physical and environmental protection Establish/Maintain Documentation
    Build and maintain fencing, as necessary. CC ID 02235
    [{sensitive information} Security perimeters should be defined and used to protect areas that contain either sensitive or critical information and information processing facilities. § 11.1.1 Control]
    Physical and environmental protection Physical and Environmental Protection
    Implement security measures for all interior spaces that allow for any payment transactions. CC ID 06352 Physical and environmental protection Physical and Environmental Protection
    Physically segregate business areas in accordance with organizational standards. CC ID 16718 Physical and environmental protection Physical and Environmental Protection
    Employ security guards to provide physical security, as necessary. CC ID 06653 Physical and environmental protection Establish Roles
    Establish, implement, and maintain a facility wall standard. CC ID 06692 Physical and environmental protection Establish/Maintain Documentation
    Design interior walls with sound absorbing materials as well as thermal resistant materials. CC ID 06372 Physical and environmental protection Physical and Environmental Protection
    Design interior walls that provide security to extend from true floor to true ceiling. CC ID 06693 Physical and environmental protection Configuration
    Refrain from search and seizure inside organizational facilities absent a warrant. CC ID 09980 Physical and environmental protection Behavior
    Disallow either search or seizure of any person inside organizational facilities absent a warrant. CC ID 09981 Physical and environmental protection Behavior
    Disallow copying or excerpting from documents, books, or records that are on or in the premises of an organizational facility absent a warrant. CC ID 09982 Physical and environmental protection Business Processes
    Disallow inspecting computers or searching computer records inside organizational facilities absent a warrant. CC ID 09983 Physical and environmental protection Behavior
    Do nothing to help during a search and seizure inside organizational facilities absent a warrant and being legally compelled to assist. CC ID 09984 Physical and environmental protection Behavior
    Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 Physical and environmental protection Physical and Environmental Protection
    Control the transiting and internal distribution or external distribution of assets. CC ID 00963
    [Media containing information should be protected against unauthorized access, misuse or corruption during transportation. § 8.3.3 Control]
    Physical and environmental protection Records Management
    Log the transiting, internal distribution, and external distribution of restricted storage media. CC ID 12321 Physical and environmental protection Log Management
    Encrypt digital media containing sensitive information during transport outside controlled areas. CC ID 14258 Physical and environmental protection Technical Security
    Obtain management authorization for restricted storage media transit or distribution from a controlled access area. CC ID 00964 Physical and environmental protection Records Management
    Use locked containers to transport non-digital media outside of controlled areas. CC ID 14286 Physical and environmental protection Physical and Environmental Protection
    Transport restricted media using a delivery method that can be tracked. CC ID 11777 Physical and environmental protection Business Processes
    Restrict physical access to distributed assets. CC ID 11865
    [{environmental hazards} Equipment should be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. § 11.2.1 Control]
    Physical and environmental protection Physical and Environmental Protection
    House network hardware in lockable rooms or lockable equipment cabinets. CC ID 01873 Physical and environmental protection Physical and Environmental Protection
    Protect electronic storage media with physical access controls. CC ID 00720 Physical and environmental protection Physical and Environmental Protection
    Protect distributed assets against theft. CC ID 06799 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain asset removal procedures or asset decommissioning procedures. CC ID 04540 Physical and environmental protection Establish/Maintain Documentation
    Prohibit assets from being taken off-site absent prior authorization. CC ID 12027
    [Equipment, information or software should not be taken off-site without prior authorization. § 11.2.5 Control]
    Physical and environmental protection Process or Activity
    Establish, implement, and maintain off-site physical controls for all distributed assets. CC ID 04539
    [Security should be applied to off-site assets taking into account the different risks of working outside the organization’s premises. § 11.2.6 Control]
    Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain end user computing device security guidelines. CC ID 00719
    [Users should ensure that unattended equipment has appropriate protection. § 11.2.8 Control]
    Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain a locking screen saver policy. CC ID 06717 Physical and environmental protection Establish/Maintain Documentation
    Encrypt information stored on devices in publicly accessible areas. CC ID 16410 Physical and environmental protection Data and Information Management
    Secure workstations to desks with security cables. CC ID 04724 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain mobile device security guidelines. CC ID 04723
    [A policy and supporting security measures should be adopted to manage the risks introduced by using mobile devices. § 6.2.1 Control
    A policy and supporting security measures should be adopted to manage the risks introduced by using mobile devices. § 6.2.1 Control]
    Physical and environmental protection Establish/Maintain Documentation
    Require users to refrain from leaving mobile devices unattended. CC ID 16446 Physical and environmental protection Business Processes
    Wipe information from mobile devices after a predetermined number of unsuccessful logon attempts. CC ID 14242 Physical and environmental protection Data and Information Management
    Include the expectation of data loss in the event of sanitizing the mobile device in the mobile device security guidelines. CC ID 12292 Physical and environmental protection Establish/Maintain Documentation
    Include legal requirements in the mobile device security guidelines. CC ID 12291 Physical and environmental protection Establish/Maintain Documentation
    Include the use of privacy filters in the mobile device security guidelines. CC ID 16452 Physical and environmental protection Physical and Environmental Protection
    Include prohibiting the usage of unapproved application stores in the mobile device security guidelines. CC ID 12290 Physical and environmental protection Establish/Maintain Documentation
    Include requiring users to create data backups in the mobile device security guidelines. CC ID 12289 Physical and environmental protection Establish/Maintain Documentation
    Include the definition of mobile devices in the mobile device security guidelines. CC ID 12288 Physical and environmental protection Establish/Maintain Documentation
    Refrain from responding to unsolicited Personal Identification Number requests. CC ID 12430 Physical and environmental protection Physical and Environmental Protection
    Refrain from pairing Bluetooth devices in unsecured areas. CC ID 12429 Physical and environmental protection Physical and Environmental Protection
    Encrypt information stored on mobile devices. CC ID 01422 Physical and environmental protection Data and Information Management
    Separate systems that transmit, process, or store restricted data from those that do not by deploying physical access controls. CC ID 00722
    [{sensitive information} Security perimeters should be defined and used to protect areas that contain either sensitive or critical information and information processing facilities. § 11.1.1 Control]
    Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain asset return procedures. CC ID 04537 Physical and environmental protection Establish/Maintain Documentation
    Require the return of all assets upon notification an individual is terminated. CC ID 06679
    [{require} All employees and external party users should return all of the organizational assets in their possession upon termination of their employment, contract or agreement. § 8.1.4 Control]
    Physical and environmental protection Behavior
    Establish, implement, and maintain a clean desk policy. CC ID 06534
    [A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities should be adopted. § 11.2.9 Control]
    Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain a clear screen policy. CC ID 12436
    [A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities should be adopted. § 11.2.9 Control]
    Physical and environmental protection Technical Security
    Establish, implement, and maintain an environmental control program. CC ID 00724
    [Physical protection against natural disasters, malicious attack or accidents should be designed and applied. § 11.1.4 Control]
    Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain clean energy standards. CC ID 16285 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain environmental control procedures. CC ID 12246 Physical and environmental protection Establish/Maintain Documentation
    Establish and maintain a telecommunications equipment room, as necessary. CC ID 06708 Physical and environmental protection Configuration
    Protect power equipment and power cabling from damage or destruction. CC ID 01438
    [{power cabling} Power and telecommunications cabling carrying data or supporting information services should be protected from interception, interference or damage. § 11.2.3 Control
    Equipment should be protected from power failures and other disruptions caused by failures in supporting utilities. § 11.2.2 Control]
    Physical and environmental protection Physical and Environmental Protection
    Install and maintain power distribution boards. CC ID 16486 Physical and environmental protection Systems Design, Build, and Implementation
    Establish, implement, and maintain a battery room, as necessary. CC ID 06706 Physical and environmental protection Configuration
    Establish and maintain a generator room, as necessary. CC ID 06704 Physical and environmental protection Configuration
    Place the Uninterruptible Power Supply in the generator room, as necessary. CC ID 11676 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain facility maintenance procedures. CC ID 00710 Physical and environmental protection Establish/Maintain Documentation
    Design the Information Technology facility with consideration given to natural disasters and man-made disasters. CC ID 00712 Physical and environmental protection Physical and Environmental Protection
    Design the Information Technology facility with a low profile. CC ID 16140 Physical and environmental protection Physical and Environmental Protection
    Prohibit signage indicating computer room location and uses. CC ID 06343 Physical and environmental protection Physical and Environmental Protection
    Require critical facilities to have adequate room for facility maintenance. CC ID 06361 Physical and environmental protection Physical and Environmental Protection
    Require critical facilities to have adequate room for evacuation. CC ID 11686 Physical and environmental protection Physical and Environmental Protection
    Build critical facilities according to applicable building codes. CC ID 06366 Physical and environmental protection Physical and Environmental Protection
    Build critical facilities with fire resistant materials. CC ID 06365 Physical and environmental protection Physical and Environmental Protection
    Build critical facilities with materials that limit electromagnetic interference. CC ID 16131 Physical and environmental protection Physical and Environmental Protection
    Build critical facilities with water-resistant materials. CC ID 11679 Physical and environmental protection Physical and Environmental Protection
    Monitor operational conditions at unmanned facilities. CC ID 06327 Physical and environmental protection Physical and Environmental Protection
    Remotely control operational conditions at unmanned facilities. CC ID 11680 Physical and environmental protection Technical Security
    Inspect and maintain the facility and supporting assets. CC ID 06345 Physical and environmental protection Physical and Environmental Protection
    Define selection criteria for facility locations. CC ID 06351 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain facility demolition procedures. CC ID 16133 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain work environment requirements. CC ID 06613 Physical and environmental protection Establish/Maintain Documentation
    Apply noise-prevention devices to organizational assets, as necessary. CC ID 16141 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain system cleanliness requirements. CC ID 06614 Physical and environmental protection Establish/Maintain Documentation
    House system components in areas where the physical damage potential is minimized. CC ID 01623
    [{environmental hazards} Equipment should be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. § 11.2.1 Control]
    Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain a fire prevention and fire suppression standard. CC ID 06695 Physical and environmental protection Establish/Maintain Documentation
    Install and maintain fire protection equipment. CC ID 00728 Physical and environmental protection Configuration
    Install and maintain fire suppression systems. CC ID 00729 Physical and environmental protection Configuration
    Install and maintain smoke detectors. CC ID 15264 Physical and environmental protection Physical and Environmental Protection
    Conduct periodic fire marshal inspections for all organizational facilities. CC ID 04888 Physical and environmental protection Physical and Environmental Protection
    Install and maintain fire-retarding divisions such as fire doors in accordance with applicable building codes. CC ID 06362 Physical and environmental protection Physical and Environmental Protection
    Conduct fire drills, as necessary. CC ID 13985 Physical and environmental protection Process or Activity
    Employ environmental protections. CC ID 12570 Physical and environmental protection Process or Activity
    Establish, implement, and maintain electromagnetic compatibility requirements for in scope assets. CC ID 16472 Physical and environmental protection Establish/Maintain Documentation
    Protect physical assets against static electricity, as necessary. CC ID 06363 Physical and environmental protection Physical and Environmental Protection
    Install and maintain emergency lighting for use in a power failure. CC ID 01440 Physical and environmental protection Physical and Environmental Protection
    Install and maintain lightning protection mechanisms in critical facilities. CC ID 06367 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain pest control systems in organizational facilities. CC ID 16139 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain a Heating Ventilation and Air Conditioning system. CC ID 00727 Physical and environmental protection Configuration
    Protect air intakes into the organizational facility. CC ID 02211 Physical and environmental protection Physical and Environmental Protection
    Install and maintain dust collection and filtering as a part of the Heating Ventilation and Air Conditioning system. CC ID 06368 Physical and environmental protection Configuration
    Install and maintain backup Heating Ventilation and Air Conditioning equipment. CC ID 06369 Physical and environmental protection Configuration
    Install and maintain a moisture control system as a part of the climate control system. CC ID 06694 Physical and environmental protection Configuration
    Install and maintain hydrogen sensors, as necessary. CC ID 06705 Physical and environmental protection Configuration
    Protect physical assets from water damage. CC ID 00730 Physical and environmental protection Configuration
    Notify interested personnel and affected parties when water is detected in the vicinity of information systems. CC ID 14252 Physical and environmental protection Communicate
    Install and maintain water detection devices. CC ID 11678 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain a business continuity program. CC ID 13210 Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain a continuity framework. CC ID 00732 Operational and Systems Continuity Establish/Maintain Documentation
    Establish and maintain the scope of the continuity framework. CC ID 11908
    [{scope} The organization should determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster. § 17.1.1 Control]
    Operational and Systems Continuity Establish/Maintain Documentation
    Include network security in the scope of the continuity framework. CC ID 16327 Operational and Systems Continuity Establish/Maintain Documentation
    Explain any exclusions to the scope of the continuity framework. CC ID 12236 Operational and Systems Continuity Establish/Maintain Documentation
    Refrain from including exclusions that could affect business continuity. CC ID 12740 Operational and Systems Continuity Records Management
    Include the organization's business products and services in the scope of the continuity framework. CC ID 12235 Operational and Systems Continuity Establish/Maintain Documentation
    Include business units in the scope of the continuity framework. CC ID 11898 Operational and Systems Continuity Establish/Maintain Documentation
    Include business functions in the scope of the continuity framework. CC ID 12699 Operational and Systems Continuity Establish/Maintain Documentation
    Include information security continuity in the scope of the continuity framework. CC ID 12009 Operational and Systems Continuity Systems Continuity
    Include affected party’s needs and interests in the scope of the continuity framework. CC ID 12698 Operational and Systems Continuity Systems Continuity
    Establish and maintain a list of interested personnel and affected parties with whom to disseminate and communicate the continuity framework. CC ID 12242 Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain a continuity plan. CC ID 00752
    [The organization should establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation. § 17.1.2 Control]
    Operational and Systems Continuity Establish/Maintain Documentation
    Identify all stakeholders in the continuity plan. CC ID 13256 Operational and Systems Continuity Establish/Maintain Documentation
    Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 Operational and Systems Continuity Communicate
    Maintain normal security levels when an emergency occurs. CC ID 06377 Operational and Systems Continuity Systems Continuity
    Execute fail-safe procedures when an emergency occurs. CC ID 07108 Operational and Systems Continuity Systems Continuity
    Lead or manage business continuity and system continuity, as necessary. CC ID 12240 Operational and Systems Continuity Human Resources Management
    Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 Operational and Systems Continuity Establish/Maintain Documentation
    Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 Operational and Systems Continuity Establish/Maintain Documentation
    Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 Operational and Systems Continuity Human Resources Management
    Include the in scope system's location in the continuity plan. CC ID 16246 Operational and Systems Continuity Systems Continuity
    Include the system description in the continuity plan. CC ID 16241 Operational and Systems Continuity Systems Continuity
    Establish, implement, and maintain redundant systems. CC ID 16354 Operational and Systems Continuity Configuration
    Include identification procedures in the continuity plan, as necessary. CC ID 14372 Operational and Systems Continuity Establish/Maintain Documentation
    Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 Operational and Systems Continuity Behavior
    Include the continuity strategy in the continuity plan. CC ID 13189 Operational and Systems Continuity Establish/Maintain Documentation
    Document and use the lessons learned to update the continuity plan. CC ID 10037 Operational and Systems Continuity Establish/Maintain Documentation
    Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 Operational and Systems Continuity Technical Security
    Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 Operational and Systems Continuity Establish/Maintain Documentation
    Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 Operational and Systems Continuity Process or Activity
    Record business continuity management system performance for posterity. CC ID 12411 Operational and Systems Continuity Monitor and Evaluate Occurrences
    Coordinate continuity planning with community organizations, as necessary. CC ID 13259 Operational and Systems Continuity Process or Activity
    Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 Operational and Systems Continuity Establish/Maintain Documentation
    Include incident management procedures in the continuity plan. CC ID 13244 Operational and Systems Continuity Establish/Maintain Documentation
    Include the use of virtual meeting tools in the continuity plan. CC ID 14390 Operational and Systems Continuity Establish/Maintain Documentation
    Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 Operational and Systems Continuity Establish/Maintain Documentation
    Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 Operational and Systems Continuity Establish/Maintain Documentation
    Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 Operational and Systems Continuity Establish Roles
    Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 Operational and Systems Continuity Communicate
    Document the uninterrupted power requirements for all in scope systems. CC ID 06707 Operational and Systems Continuity Establish/Maintain Documentation
    Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 Operational and Systems Continuity Configuration
    Install a generator sized to support the facility. CC ID 06709 Operational and Systems Continuity Configuration
    Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 Operational and Systems Continuity Acquisition/Sale of Assets or Services
    Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 Operational and Systems Continuity Establish/Maintain Documentation
    Include notifications to alternate facilities in the continuity plan. CC ID 13220 Operational and Systems Continuity Establish/Maintain Documentation
    Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 Operational and Systems Continuity Systems Continuity
    Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain damage assessment procedures. CC ID 01267 Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain a recovery plan. CC ID 13288 Operational and Systems Continuity Establish/Maintain Documentation
    Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 Operational and Systems Continuity Communicate
    Include procedures to restore network connectivity in the recovery plan. CC ID 16250 Operational and Systems Continuity Establish/Maintain Documentation
    Include addressing backup failures in the recovery plan. CC ID 13298 Operational and Systems Continuity Establish/Maintain Documentation
    Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 Operational and Systems Continuity Establish/Maintain Documentation
    Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 Operational and Systems Continuity Human Resources Management
    Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 Operational and Systems Continuity Establish/Maintain Documentation
    Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 Operational and Systems Continuity Establish/Maintain Documentation
    Include the criteria for activation in the recovery plan. CC ID 13293 Operational and Systems Continuity Establish/Maintain Documentation
    Include escalation procedures in the recovery plan. CC ID 16248 Operational and Systems Continuity Establish/Maintain Documentation
    Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 Operational and Systems Continuity Establish/Maintain Documentation
    Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 Operational and Systems Continuity Communicate
    Include restoration procedures in the continuity plan. CC ID 01169 Operational and Systems Continuity Establish Roles
    Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 Operational and Systems Continuity Establish/Maintain Documentation
    Include the recovery plan in the continuity plan. CC ID 01377 Operational and Systems Continuity Establish/Maintain Documentation
    Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 Operational and Systems Continuity Communicate
    Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 Operational and Systems Continuity Systems Continuity
    Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 Operational and Systems Continuity Systems Continuity
    Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664 Operational and Systems Continuity Systems Continuity
    Establish, implement, and maintain system continuity plan strategies. CC ID 00735 Operational and Systems Continuity Establish/Maintain Documentation
    Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250 Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258
    [Backup copies of information, software and system images should be taken and tested regularly in accordance with an agreed backup policy. § 12.3.1 Control]
    Operational and Systems Continuity Systems Continuity
    Document the backup method and backup frequency on a case-by-case basis in the backup procedures. CC ID 01384 Operational and Systems Continuity Systems Continuity
    Establish and maintain off-site electronic media storage facilities. CC ID 00957 Operational and Systems Continuity Physical and Environmental Protection
    Configure the off-site electronic media storage facilities to utilize timely and effective recovery operations. CC ID 01392 Operational and Systems Continuity Configuration
    Outline explicit mitigation actions for potential off-site electronic media storage facilities accessibility issues for when area-wide disruptions occur or area-wide disasters occur. CC ID 01393 Operational and Systems Continuity Establish/Maintain Documentation
    Store backup media at an off-site electronic media storage facility. CC ID 01332 Operational and Systems Continuity Data and Information Management
    Transport backup media in lockable electronic media storage containers. CC ID 01264 Operational and Systems Continuity Data and Information Management
    Store backup media in a fire-rated container which is not collocated with the operational system. CC ID 14289 Operational and Systems Continuity Systems Continuity
    Identify the access methods for backup media at both the primary facility and the off-site electronic media storage facility. CC ID 01257 Operational and Systems Continuity Data and Information Management
    Store backup vital records in a manner that is accessible for emergency retrieval. CC ID 12765 Operational and Systems Continuity Systems Continuity
    Establish, implement, and maintain security controls to protect offsite data. CC ID 16259 Operational and Systems Continuity Data and Information Management
    Perform backup procedures for in scope systems. CC ID 11692 Operational and Systems Continuity Process or Activity
    Validate information security continuity controls regularly. CC ID 12008
    [The organization should verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations. § 17.1.3 Control]
    Operational and Systems Continuity Systems Continuity
    Establish, implement, and maintain a personnel management program. CC ID 14018 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain a personnel security program. CC ID 10628 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain personnel screening procedures. CC ID 11700 Human Resources management Establish/Maintain Documentation
    Perform a personal identification check during personnel screening. CC ID 06721 Human Resources management Human Resources Management
    Perform a criminal records check during personnel screening. CC ID 06643 Human Resources management Establish/Maintain Documentation
    Include all residences in the criminal records check. CC ID 13306 Human Resources management Process or Activity
    Document any reasons a full criminal records check could not be performed. CC ID 13305 Human Resources management Establish/Maintain Documentation
    Perform a personal references check during personnel screening. CC ID 06645 Human Resources management Human Resources Management
    Perform a credit check during personnel screening. CC ID 06646 Human Resources management Human Resources Management
    Perform an academic records check during personnel screening. CC ID 06647 Human Resources management Establish/Maintain Documentation
    Perform a drug test during personnel screening. CC ID 06648 Human Resources management Testing
    Perform a resume check during personnel screening. CC ID 06659 Human Resources management Human Resources Management
    Perform a curriculum vitae check during personnel screening. CC ID 06660 Human Resources management Human Resources Management
    Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549
    [Information security responsibilities and duties that remain valid after termination or change of employment should be defined, communicated to the employee or contractor and enforced. § 7.3.1 Control]
    Human Resources management Establish/Maintain Documentation
    Assign an owner of the personnel status change and termination procedures. CC ID 11805 Human Resources management Human Resources Management
    Notify the security manager, in writing, prior to an employee's job change. CC ID 12283 Human Resources management Human Resources Management
    Notify all interested personnel and affected parties when personnel status changes or an individual is terminated. CC ID 06677 Human Resources management Behavior
    Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630
    [Information security responsibilities and duties that remain valid after termination or change of employment should be defined, communicated to the employee or contractor and enforced. § 7.3.1 Control]
    Human Resources management Communicate
    Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992
    [Information security responsibilities and duties that remain valid after termination or change of employment should be defined, communicated to the employee or contractor and enforced. § 7.3.1 Control]
    Human Resources management Human Resources Management
    Disseminate and communicate the personnel status change and termination procedures to all interested personnel and affected parties. CC ID 06676 Human Resources management Behavior
    Conduct exit interviews upon termination of employment. CC ID 14290 Human Resources management Human Resources Management
    Require terminated individuals to sign an acknowledgment of post-employment requirements. CC ID 10631 Human Resources management Establish/Maintain Documentation
    Train all personnel and third parties, as necessary. CC ID 00785
    [{security awareness, training, and education} All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function. § 7.2.2 Control
    {security awareness, training, and education} All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function. § 7.2.2 Control]
    Human Resources management Behavior
    Establish, implement, and maintain an education methodology. CC ID 06671 Human Resources management Business Processes
    Support certification programs as viable training programs. CC ID 13268 Human Resources management Human Resources Management
    Include evidence of experience in applications for professional certification. CC ID 16193 Human Resources management Establish/Maintain Documentation
    Include supporting documentation in applications for professional certification. CC ID 16195 Human Resources management Establish/Maintain Documentation
    Submit applications for professional certification. CC ID 16192 Human Resources management Training
    Retrain all personnel, as necessary. CC ID 01362
    [{security awareness, training, and education} All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function. § 7.2.2 Control
    {security awareness, training, and education} All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function. § 7.2.2 Control]
    Human Resources management Behavior
    Tailor training to meet published guidance on the subject being taught. CC ID 02217 Human Resources management Behavior
    Tailor training to be taught at each person's level of responsibility. CC ID 06674 Human Resources management Behavior
    Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 Human Resources management Behavior
    Use automated mechanisms in the training environment, where appropriate. CC ID 06752 Human Resources management Behavior
    Hire third parties to conduct training, as necessary. CC ID 13167 Human Resources management Human Resources Management
    Review the current published guidance and awareness and training programs. CC ID 01245 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain training plans. CC ID 00828 Human Resources management Establish/Maintain Documentation
    Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 Human Resources management Training
    Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 Human Resources management Training
    Develop or acquire content to update the training plans. CC ID 12867 Human Resources management Training
    Designate training facilities in the training plan. CC ID 16200 Human Resources management Training
    Include portions of the visitor control program in the training plan. CC ID 13287 Human Resources management Establish/Maintain Documentation
    Include ethical culture in the training plan, as necessary. CC ID 12801 Human Resources management Human Resources Management
    Include in scope external requirements in the training plan, as necessary. CC ID 13041 Human Resources management Training
    Include duties and responsibilities in the training plan, as necessary. CC ID 12800 Human Resources management Human Resources Management
    Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 Human Resources management Training
    Include risk management in the training plan, as necessary. CC ID 13040 Human Resources management Training
    Conduct Archives and Records Management training. CC ID 00975 Human Resources management Behavior
    Conduct personal data processing training. CC ID 13757 Human Resources management Training
    Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 Human Resources management Training
    Include the cloud service usage standard in the training plan. CC ID 13039 Human Resources management Training
    Establish, implement, and maintain a security awareness program. CC ID 11746 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain a security awareness and training policy. CC ID 14022 Human Resources management Establish/Maintain Documentation
    Include compliance requirements in the security awareness and training policy. CC ID 14092 Human Resources management Establish/Maintain Documentation
    Include coordination amongst entities in the security awareness and training policy. CC ID 14091 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain security awareness and training procedures. CC ID 14054 Human Resources management Establish/Maintain Documentation
    Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 Human Resources management Communicate
    Include management commitment in the security awareness and training policy. CC ID 14049 Human Resources management Establish/Maintain Documentation
    Include roles and responsibilities in the security awareness and training policy. CC ID 14048 Human Resources management Establish/Maintain Documentation
    Include the scope in the security awareness and training policy. CC ID 14047 Human Resources management Establish/Maintain Documentation
    Include the purpose in the security awareness and training policy. CC ID 14045 Human Resources management Establish/Maintain Documentation
    Include configuration management procedures in the security awareness program. CC ID 13967 Human Resources management Establish/Maintain Documentation
    Include media protection in the security awareness program. CC ID 16368 Human Resources management Training
    Document security awareness requirements. CC ID 12146 Human Resources management Establish/Maintain Documentation
    Include safeguards for information systems in the security awareness program. CC ID 13046 Human Resources management Establish/Maintain Documentation
    Include security policies and security standards in the security awareness program. CC ID 13045 Human Resources management Establish/Maintain Documentation
    Include physical security in the security awareness program. CC ID 16369 Human Resources management Training
    Include mobile device security guidelines in the security awareness program. CC ID 11803 Human Resources management Establish/Maintain Documentation
    Include updates on emerging issues in the security awareness program. CC ID 13184 Human Resources management Training
    Include cybersecurity in the security awareness program. CC ID 13183 Human Resources management Training
    Include implications of non-compliance in the security awareness program. CC ID 16425 Human Resources management Training
    Include the acceptable use policy in the security awareness program. CC ID 15487 Human Resources management Training
    Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 Human Resources management Establish/Maintain Documentation
    Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 Human Resources management Establish/Maintain Documentation
    Include remote access in the security awareness program. CC ID 13892 Human Resources management Establish/Maintain Documentation
    Document the goals of the security awareness program. CC ID 12145 Human Resources management Establish/Maintain Documentation
    Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 Human Resources management Establish/Maintain Documentation
    Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 Human Resources management Human Resources Management
    Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 Human Resources management Human Resources Management
    Document the scope of the security awareness program. CC ID 12148 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain a security awareness baseline. CC ID 12147 Human Resources management Establish/Maintain Documentation
    Encourage interested personnel to obtain security certification. CC ID 11804 Human Resources management Human Resources Management
    Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 Human Resources management Behavior
    Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211
    [Employees and contractors using the organization’s information systems and services should be required to note and report any observed or suspected information security weaknesses in systems or services. § 16.1.3 Control]
    Human Resources management Behavior
    Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 Human Resources management Training
    Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363
    [Management should require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization. § 7.2.1 Control]
    Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 Human Resources management Establish/Maintain Documentation
    Conduct tampering prevention training. CC ID 11875 Human Resources management Training
    Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 Human Resources management Training
    Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 Human Resources management Training
    Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879 Human Resources management Training
    Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 Human Resources management Training
    Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 Human Resources management Training
    Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 Human Resources management Training
    Conduct crime prevention training. CC ID 06350 Human Resources management Behavior
    Establish, implement, and maintain a Code of Conduct. CC ID 04897 Human Resources management Establish/Maintain Documentation
    Include the information security responsibilities of the organization and the individual in the Terms and Conditions of employment. CC ID 12029
    [The contractual agreements with employees and contractors should state their and the organization’s responsibilities for information security. § 7.1.2 Control]
    Human Resources management Human Resources Management
    Notify designated personnel when a formal personnel sanctions process is initiated. CC ID 10632 Human Resources management Communicate
    Establish, implement, and maintain a capacity management plan. CC ID 11751 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain future system capacity forecasting methods. CC ID 01617
    [The use of resources should be monitored, tuned and projections made of future capacity requirements to ensure the required system performance. § 12.1.3 Control]
    Operational management Business Processes
    Align critical Information Technology resource availability planning with capacity planning. CC ID 01618 Operational management Business Processes
    Limit any effects of a Denial of Service attack. CC ID 06754
    [Information processing facilities should be implemented with redundancy sufficient to meet availability requirements. § 17.2.1 Control]
    Operational management Technical Security
    Implement network redundancy, as necessary. CC ID 13048 Operational management Systems Continuity
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an internal control framework. CC ID 00820 Operational management Establish/Maintain Documentation
    Include security information sharing procedures in the internal control framework. CC ID 06489 Operational management Establish/Maintain Documentation
    Share security information with interested personnel and affected parties. CC ID 11732
    [Appropriate contacts with special interest groups or other specialist security forums and professional associations should be maintained. § 6.1.4 Control]
    Operational management Communicate
    Include security incident response procedures in the internal control framework. CC ID 01359
    [{management procedures} Management responsibilities and procedures should be established to ensure a quick, effective and orderly response to information security incidents. § 16.1.1 Control]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an information security program. CC ID 00812 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an information security policy. CC ID 11740
    [A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties. § 5.1.1 Control
    A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties. § 5.1.1 Control
    The policies for information security should be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness. § 5.1.2 Control]
    Operational management Establish/Maintain Documentation
    Align the information security policy with the organization's risk acceptance level. CC ID 13042 Operational management Business Processes
    Include business processes in the information security policy. CC ID 16326 Operational management Establish/Maintain Documentation
    Include the information security strategy in the information security policy. CC ID 16125 Operational management Establish/Maintain Documentation
    Include a commitment to continuous improvement in the information security policy. CC ID 16123 Operational management Establish/Maintain Documentation
    Include roles and responsibilities in the information security policy. CC ID 16120 Operational management Establish/Maintain Documentation
    Include a commitment to the information security requirements in the information security policy. CC ID 13496 Operational management Establish/Maintain Documentation
    Include information security objectives in the information security policy. CC ID 13493 Operational management Establish/Maintain Documentation
    Include the use of Cloud Services in the information security policy. CC ID 13146 Operational management Establish/Maintain Documentation
    Include notification procedures in the information security policy. CC ID 16842 Operational management Establish/Maintain Documentation
    Approve the information security policy at the organization's management level or higher. CC ID 11737
    [A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties. § 5.1.1 Control]
    Operational management Process or Activity
    Establish, implement, and maintain information security procedures. CC ID 12006 Operational management Business Processes
    Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 Operational management Establish/Maintain Documentation
    Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 Operational management Communicate
    Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 Operational management Establish/Maintain Documentation
    Assign ownership of the information security program to the appropriate role. CC ID 00814 Operational management Establish Roles
    Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885
    [All information security responsibilities should be defined and allocated. § 6.1.1 Control
    All information security responsibilities should be defined and allocated. § 6.1.1 Control]
    Operational management Establish/Maintain Documentation
    Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739
    [A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties. § 5.1.1 Control]
    Operational management Communicate
    Establish, implement, and maintain operational control procedures. CC ID 00831 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826
    [Operating procedures should be documented and made available to all users who need them. § 12.1.1 Control]
    Operational management Establish/Maintain Documentation
    Use systems in accordance with the standard operating procedures manual. CC ID 15049 Operational management Process or Activity
    Include metrics in the standard operating procedures manual. CC ID 14988 Operational management Establish/Maintain Documentation
    Include maintenance measures in the standard operating procedures manual. CC ID 14986 Operational management Establish/Maintain Documentation
    Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 Operational management Establish/Maintain Documentation
    Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 Operational management Establish/Maintain Documentation
    Include predetermined changes in the standard operating procedures manual. CC ID 14977 Operational management Establish/Maintain Documentation
    Include specifications for input data in the standard operating procedures manual. CC ID 14975 Operational management Establish/Maintain Documentation
    Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 Operational management Establish/Maintain Documentation
    Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 Operational management Establish/Maintain Documentation
    Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 Operational management Establish/Maintain Documentation
    Include the intended purpose in the standard operating procedures manual. CC ID 14967 Operational management Establish/Maintain Documentation
    Include information on system performance in the standard operating procedures manual. CC ID 14965 Operational management Establish/Maintain Documentation
    Include contact details in the standard operating procedures manual. CC ID 14962 Operational management Establish/Maintain Documentation
    Include information sharing procedures in standard operating procedures. CC ID 12974 Operational management Records Management
    Establish, implement, and maintain information sharing agreements. CC ID 15645 Operational management Business Processes
    Provide support for information sharing activities. CC ID 15644 Operational management Process or Activity
    Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 Operational management Business Processes
    Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026
    [Operating procedures should be documented and made available to all users who need them. § 12.1.1 Control]
    Operational management Communicate
    Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350
    [Rules for the acceptable use of information and of assets associated with information and information processing facilities should be identified, documented and implemented. § 8.1.3 Control]
    Operational management Establish/Maintain Documentation
    Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 Operational management Establish/Maintain Documentation
    Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 Operational management Establish/Maintain Documentation
    Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 Operational management Establish/Maintain Documentation
    Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 Operational management Establish/Maintain Documentation
    Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 Operational management Establish/Maintain Documentation
    Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 Operational management Establish/Maintain Documentation
    Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 Operational management Establish/Maintain Documentation
    Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 Operational management Establish/Maintain Documentation
    Include a web usage policy in the Acceptable Use Policy. CC ID 16496 Operational management Establish/Maintain Documentation
    Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 Operational management Establish/Maintain Documentation
    Include asset tags in the Acceptable Use Policy. CC ID 01354 Operational management Establish/Maintain Documentation
    Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 Operational management Establish/Maintain Documentation
    Include asset use policies in the Acceptable Use Policy. CC ID 01355
    [Rules for the acceptable use of information and of assets associated with information and information processing facilities should be identified, documented and implemented. § 8.1.3 Control]
    Operational management Establish/Maintain Documentation
    Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 Operational management Establish/Maintain Documentation
    Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 Operational management Establish/Maintain Documentation
    Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 Operational management Technical Security
    Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 Operational management Establish/Maintain Documentation
    Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 Operational management Data and Information Management
    Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 Operational management Establish/Maintain Documentation
    Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 Operational management Establish/Maintain Documentation
    Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 Operational management Establish/Maintain Documentation
    Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 Operational management Establish/Maintain Documentation
    Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 Operational management Establish/Maintain Documentation
    Include a software installation policy in the Acceptable Use Policy. CC ID 06749
    [Procedures should be implemented to control the installation of software on operational systems. § 12.5.1 Control
    Rules governing the installation of software by users should be established and implemented. § 12.6.2 Control]
    Operational management Establish/Maintain Documentation
    Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 Operational management Establish/Maintain Documentation
    Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 Operational management Communicate
    Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 Operational management Establish/Maintain Documentation
    Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512
    [Appropriate procedures should be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products. § 18.1.2 Control]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain nondisclosure agreements. CC ID 04536
    [{confidentiality agreements} {identified and documented} Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information should be identified, regularly reviewed and documented. § 13.2.4 Control
    {confidentiality agreements} {identified and documented} Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information should be identified, regularly reviewed and documented. § 13.2.4 Control]
    Operational management Establish/Maintain Documentation
    Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 Operational management Communicate
    Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 Operational management Establish/Maintain Documentation
    Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 Operational management Establish/Maintain Documentation
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Operational management Business Processes
    Review systems for compliance with organizational information security policies. CC ID 12004
    [{information security standard} Information systems should be regularly reviewed for compliance with the organization’s information security policies and standards. § 18.2.3 Control]
    Operational management Business Processes
    Establish, implement, and maintain an Asset Management program. CC ID 06630
    [Procedures for handling assets should be developed and implemented in accordance with the information classification scheme adopted by the organization. § 8.2.3 Control]
    Operational management Business Processes
    Establish, implement, and maintain an asset management policy. CC ID 15219 Operational management Establish/Maintain Documentation
    Include coordination amongst entities in the asset management policy. CC ID 16424 Operational management Business Processes
    Establish, implement, and maintain asset management procedures. CC ID 16748 Operational management Establish/Maintain Documentation
    Assign an information owner to organizational assets, as necessary. CC ID 12729 Operational management Human Resources Management
    Define and prioritize the importance of each asset in the asset management program. CC ID 16837 Operational management Business Processes
    Include life cycle requirements in the security management program. CC ID 16392 Operational management Establish/Maintain Documentation
    Include program objectives in the asset management program. CC ID 14413 Operational management Establish/Maintain Documentation
    Include a commitment to continual improvement in the asset management program. CC ID 14412 Operational management Establish/Maintain Documentation
    Include compliance with applicable requirements in the asset management program. CC ID 14411 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain administrative controls over all assets. CC ID 16400 Operational management Business Processes
    Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 Operational management Establish/Maintain Documentation
    Apply security controls to each level of the information classification standard. CC ID 01903 Operational management Systems Design, Build, and Implementation
    Establish, implement, and maintain the systems' confidentiality level. CC ID 01904 Operational management Establish/Maintain Documentation
    Define confidentiality controls. CC ID 01908 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain the systems' availability level. CC ID 01905 Operational management Establish/Maintain Documentation
    Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 Operational management Process or Activity
    Define integrity controls. CC ID 01909 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain the systems' integrity level. CC ID 01906 Operational management Establish/Maintain Documentation
    Define availability controls. CC ID 01911 Operational management Establish/Maintain Documentation
    Establish safety classifications for systems according to their potential harmful effects to operators or end users. CC ID 06603 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an asset safety classification scheme. CC ID 06604 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain the Asset Classification Policy. CC ID 06642 Operational management Establish/Maintain Documentation
    Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties. CC ID 14851 Operational management Communicate
    Classify assets according to the Asset Classification Policy. CC ID 07186 Operational management Establish Roles
    Classify virtual systems by type and purpose. CC ID 16332 Operational management Business Processes
    Document the decision for assigning an asset to a specific asset classification in the Asset Classification Policy. CC ID 07185 Operational management Establish/Maintain Documentation
    Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy. CC ID 07184 Operational management Establish Roles
    Disallow systems from processing information, disseminating and communicating information, or storing information that is above the system's assigned asset classification. CC ID 06606 Operational management Configuration
    Assign decomposed system components the same asset classification as the originating system. CC ID 06605 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an asset inventory. CC ID 06631 Operational management Business Processes
    Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689
    [Assets associated with information and information processing facilities should be identified and an inventory of these assets should be drawn up and maintained. § 8.1.1 Control]
    Operational management Establish/Maintain Documentation
    Include all account types in the Information Technology inventory. CC ID 13311 Operational management Establish/Maintain Documentation
    Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695 Operational management Systems Design, Build, and Implementation
    Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289 Operational management Data and Information Management
    Include each Information System's major applications in the Information Technology inventory. CC ID 01407 Operational management Establish/Maintain Documentation
    Categorize all major applications according to the business information they process. CC ID 07182 Operational management Establish/Maintain Documentation
    Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 Operational management Establish/Maintain Documentation
    Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 Operational management Establish/Maintain Documentation
    Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 Operational management Establish/Maintain Documentation
    Conduct environmental surveys. CC ID 00690 Operational management Physical and Environmental Protection
    Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a hardware asset inventory. CC ID 00691 Operational management Establish/Maintain Documentation
    Include network equipment in the Information Technology inventory. CC ID 00693 Operational management Establish/Maintain Documentation
    Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719 Operational management Establish/Maintain Documentation
    Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885 Operational management Process or Activity
    Include software in the Information Technology inventory. CC ID 00692 Operational management Establish/Maintain Documentation
    Establish and maintain a list of authorized software and versions required for each system. CC ID 12093 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a storage media inventory. CC ID 00694 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a records inventory and database inventory. CC ID 01260 Operational management Establish/Maintain Documentation
    Add inventoried assets to the asset register database, as necessary. CC ID 07051 Operational management Establish/Maintain Documentation
    Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181 Operational management Establish/Maintain Documentation
    Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054 Operational management Technical Security
    Link the authentication system to the asset inventory. CC ID 13718 Operational management Technical Security
    Record a unique name for each asset in the asset inventory. CC ID 16305 Operational management Data and Information Management
    Record the decommission date for applicable assets in the asset inventory. CC ID 14920 Operational management Establish/Maintain Documentation
    Record the status of information systems in the asset inventory. CC ID 16304 Operational management Data and Information Management
    Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301 Operational management Data and Information Management
    Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918 Operational management Establish/Maintain Documentation
    Include source code in the asset inventory. CC ID 14858 Operational management Records Management
    Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 Operational management Human Resources Management
    Record the review date for applicable assets in the asset inventory. CC ID 14919 Operational management Establish/Maintain Documentation
    Record software license information for each asset in the asset inventory. CC ID 11736 Operational management Data and Information Management
    Record services for applicable assets in the asset inventory. CC ID 13733 Operational management Establish/Maintain Documentation
    Record protocols for applicable assets in the asset inventory. CC ID 13734 Operational management Establish/Maintain Documentation
    Record the software version in the asset inventory. CC ID 12196 Operational management Establish/Maintain Documentation
    Record the publisher for applicable assets in the asset inventory. CC ID 13725 Operational management Establish/Maintain Documentation
    Record the authentication system in the asset inventory. CC ID 13724 Operational management Establish/Maintain Documentation
    Tag unsupported assets in the asset inventory. CC ID 13723 Operational management Establish/Maintain Documentation
    Record the install date for applicable assets in the asset inventory. CC ID 13720 Operational management Establish/Maintain Documentation
    Record the make, model of device for applicable assets in the asset inventory. CC ID 12465 Operational management Establish/Maintain Documentation
    Record the asset tag for physical assets in the asset inventory. CC ID 06632 Operational management Establish/Maintain Documentation
    Record the host name of applicable assets in the asset inventory. CC ID 13722 Operational management Establish/Maintain Documentation
    Record network ports for applicable assets in the asset inventory. CC ID 13730 Operational management Establish/Maintain Documentation
    Record the MAC address for applicable assets in the asset inventory. CC ID 13721 Operational management Establish/Maintain Documentation
    Record the operating system version for applicable assets in the asset inventory. CC ID 11748 Operational management Data and Information Management
    Record the operating system type for applicable assets in the asset inventory. CC ID 06633 Operational management Establish/Maintain Documentation
    Record rooms at external locations in the asset inventory. CC ID 16302 Operational management Data and Information Management
    Record the department associated with the asset in the asset inventory. CC ID 12084 Operational management Establish/Maintain Documentation
    Record the physical location for applicable assets in the asset inventory. CC ID 06634 Operational management Establish/Maintain Documentation
    Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635 Operational management Establish/Maintain Documentation
    Record the firmware version for applicable assets in the asset inventory. CC ID 12195 Operational management Establish/Maintain Documentation
    Record the related business function for applicable assets in the asset inventory. CC ID 06636 Operational management Establish/Maintain Documentation
    Record the deployment environment for applicable assets in the asset inventory. CC ID 06637 Operational management Establish/Maintain Documentation
    Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638 Operational management Establish/Maintain Documentation
    Record trusted keys and certificates in the asset inventory. CC ID 15486 Operational management Data and Information Management
    Record cipher suites and protocols in the asset inventory. CC ID 15489 Operational management Data and Information Management
    Link the software asset inventory to the hardware asset inventory. CC ID 12085 Operational management Establish/Maintain Documentation
    Record the owner for applicable assets in the asset inventory. CC ID 06640
    [Assets maintained in the inventory should be owned. § 8.1.2 Control]
    Operational management Establish/Maintain Documentation
    Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696 Operational management Establish/Maintain Documentation
    Record all changes to assets in the asset inventory. CC ID 12190 Operational management Establish/Maintain Documentation
    Record cloud service derived data in the asset inventory. CC ID 13007 Operational management Establish/Maintain Documentation
    Include cloud service customer data in the asset inventory. CC ID 13006 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a software accountability policy. CC ID 00868 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain software asset management procedures. CC ID 00895 Operational management Establish/Maintain Documentation
    Prevent users from disabling required software. CC ID 16417 Operational management Technical Security
    Establish, implement, and maintain software archives procedures. CC ID 00866 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain software distribution procedures. CC ID 00894 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain software documentation management procedures. CC ID 06395 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain software license management procedures. CC ID 06639
    [Appropriate procedures should be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products. § 18.1.2 Control]
    Operational management Establish/Maintain Documentation
    Automate software license monitoring, as necessary. CC ID 07057 Operational management Monitor and Evaluate Occurrences
    Establish, implement, and maintain digital legacy procedures. CC ID 16524 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a system redeployment program. CC ID 06276 Operational management Establish/Maintain Documentation
    Notify interested personnel and affected parties prior to when the system is redeployed or the system is disposed. CC ID 06400 Operational management Behavior
    Wipe all data on systems prior to when the system is redeployed or the system is disposed. CC ID 06401 Operational management Data and Information Management
    Transfer legal ownership of assets when the system is redeployed to a third party. CC ID 06698 Operational management Acquisition/Sale of Assets or Services
    Document the staff's operating knowledge of the system prior to a personnel status change. CC ID 06937 Operational management Establish/Maintain Documentation
    Redeploy systems to other organizational units, as necessary. CC ID 11452 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a system disposal program. CC ID 14431 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain disposal procedures. CC ID 16513 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain asset sanitization procedures. CC ID 16511 Operational management Establish/Maintain Documentation
    Destroy systems in accordance with the system disposal program. CC ID 16457 Operational management Business Processes
    Approve the release of systems and waste material into the public domain. CC ID 16461 Operational management Business Processes
    Establish, implement, and maintain system destruction procedures. CC ID 16474 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain printer and multifunction device disposition procedures. CC ID 15216 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a system preventive maintenance program. CC ID 00885
    [Equipment should be correctly maintained to ensure its continued availability and integrity. § 11.2.4 Control]
    Operational management Establish/Maintain Documentation
    Establish and maintain maintenance reports. CC ID 11749 Operational management Establish/Maintain Documentation
    Establish and maintain system inspection reports. CC ID 06346 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a system maintenance policy. CC ID 14032 Operational management Establish/Maintain Documentation
    Include compliance requirements in the system maintenance policy. CC ID 14217 Operational management Establish/Maintain Documentation
    Include management commitment in the system maintenance policy. CC ID 14216 Operational management Establish/Maintain Documentation
    Include roles and responsibilities in the system maintenance policy. CC ID 14215 Operational management Establish/Maintain Documentation
    Include the scope in the system maintenance policy. CC ID 14214 Operational management Establish/Maintain Documentation
    Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 Operational management Communicate
    Include the purpose in the system maintenance policy. CC ID 14187 Operational management Establish/Maintain Documentation
    Include coordination amongst entities in the system maintenance policy. CC ID 14181 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain system maintenance procedures. CC ID 14059 Operational management Establish/Maintain Documentation
    Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 Operational management Communicate
    Establish, implement, and maintain a technology refresh plan. CC ID 13061 Operational management Establish/Maintain Documentation
    Plan and conduct maintenance so that it does not interfere with scheduled operations. CC ID 06389 Operational management Physical and Environmental Protection
    Maintain contact with the device manufacturer or component manufacturer for maintenance requests. CC ID 06388 Operational management Behavior
    Use system components only when third party support is available. CC ID 10644 Operational management Maintenance
    Obtain justification for the continued use of system components when third party support is no longer available. CC ID 10645 Operational management Maintenance
    Obtain approval before removing maintenance tools from the facility. CC ID 14298 Operational management Business Processes
    Control remote maintenance according to the system's asset classification. CC ID 01433 Operational management Technical Security
    Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption. CC ID 10614 Operational management Configuration
    Approve all remote maintenance sessions. CC ID 10615 Operational management Technical Security
    Log the performance of all remote maintenance. CC ID 13202 Operational management Log Management
    Terminate remote maintenance sessions when the remote maintenance is complete. CC ID 12083 Operational management Technical Security
    Conduct offsite maintenance in authorized facilities. CC ID 16473 Operational management Maintenance
    Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 Operational management Maintenance
    Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 Operational management Maintenance
    Respond to maintenance requests inside the organizationally established time frame. CC ID 04878 Operational management Behavior
    Establish and maintain an archive of maintenance reports in a maintenance log. CC ID 06202 Operational management Establish/Maintain Documentation
    Acquire spare parts prior to when maintenance requests are scheduled. CC ID 11833 Operational management Acquisition/Sale of Assets or Services
    Perform periodic maintenance according to organizational standards. CC ID 01435 Operational management Behavior
    Restart systems on a periodic basis. CC ID 16498 Operational management Maintenance
    Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 Operational management Maintenance
    Employ dedicated systems during system maintenance. CC ID 12108 Operational management Technical Security
    Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 Operational management Technical Security
    Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 Operational management Human Resources Management
    Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 Operational management Physical and Environmental Protection
    Post calibration limits or calibration tolerances on or near assets requiring calibration. CC ID 06204 Operational management Establish/Maintain Documentation
    Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 Operational management Process or Activity
    Disassemble and shut down unnecessary systems or unused systems. CC ID 06280 Operational management Business Processes
    Establish, implement, and maintain an end-of-life management process. CC ID 16540 Operational management Establish/Maintain Documentation
    Dispose of hardware and software at their life cycle end. CC ID 06278 Operational management Business Processes
    Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200 Operational management Business Processes
    Establish, implement, and maintain disposal contracts. CC ID 12199 Operational management Establish/Maintain Documentation
    Include disposal procedures in disposal contracts. CC ID 13905 Operational management Establish/Maintain Documentation
    Remove asset tags prior to disposal of an asset. CC ID 12198 Operational management Business Processes
    Document the storage information for all systems that are stored instead of being disposed or redeployed. CC ID 06936 Operational management Establish/Maintain Documentation
    Review each system's operational readiness. CC ID 06275 Operational management Systems Design, Build, and Implementation
    Establish, implement, and maintain a data stewardship policy. CC ID 06657 Operational management Establish/Maintain Documentation
    Establish and maintain an unauthorized software list. CC ID 10601 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a customer service program. CC ID 00846 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an Incident Management program. CC ID 00853 Operational management Business Processes
    Include detection procedures in the Incident Management program. CC ID 00588 Operational management Establish/Maintain Documentation
    Categorize the incident following an incident response. CC ID 13208 Operational management Technical Security
    Analyze security violations in Suspicious Activity Reports. CC ID 00591 Operational management Establish/Maintain Documentation
    Include lessons learned from analyzing security violations in the Incident Management program. CC ID 01234
    [{information security incidents} Knowledge gained from analysing and resolving information security incidents should be used to reduce the likelihood or impact of future incidents. § 16.1.6 Control]
    Operational management Monitor and Evaluate Occurrences
    Include incident reporting procedures in the Incident Management program. CC ID 11772
    [Information security events should be reported through appropriate management channels as quickly as possible. § 16.1.2 Control]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 Operational management Communicate
    Establish, implement, and maintain an Incident Response program. CC ID 00579 Operational management Establish/Maintain Documentation
    Include incident response team structures in the Incident Response program. CC ID 01237 Operational management Establish/Maintain Documentation
    Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652
    [{management procedures} Management responsibilities and procedures should be established to ensure a quick, effective and orderly response to information security incidents. § 16.1.1 Control]
    Operational management Establish Roles
    Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 Operational management Establish Roles
    Include the head of information security's roles and responsibilities in the Incident Response program. CC ID 01878 Operational management Establish Roles
    Include the customer database owner's roles and responsibilities in the Incident Response program. CC ID 01879 Operational management Establish Roles
    Include the online sales department's roles and responsibilities in the Incident Response program. CC ID 01880 Operational management Establish Roles
    Include the incident response point of contact for credit card payment system's roles and responsibilities in the Incident Response program. CC ID 01881 Operational management Establish Roles
    Include the organizational legal counsel's roles and responsibilities in the Incident Response program. CC ID 01882 Operational management Establish Roles
    Include the Human Resources point of contact's roles and responsibilities in the Incident Response program. CC ID 01883 Operational management Establish Roles
    Include the organizational incident response network architecture point of contact's roles and responsibilities in the Incident Response program. CC ID 01884 Operational management Establish Roles
    Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program. CC ID 01885 Operational management Establish Roles
    Include the organizational incident response location manager's roles and responsibilities in the Incident Response program. CC ID 01886 Operational management Establish Roles
    Assign the distribution of security alerts to the appropriate role in the incident response program. CC ID 11887 Operational management Human Resources Management
    Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473 Operational management Establish/Maintain Documentation
    Assign the distribution of incident response procedures to the appropriate role in the incident response program. CC ID 12474 Operational management Communicate
    Include references to industry best practices in the incident response procedures. CC ID 11956 Operational management Establish/Maintain Documentation
    Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949 Operational management Establish/Maintain Documentation
    Maintain contact with breach notification organizations for notification purposes in the event a privacy breach has occurred. CC ID 01213
    [Appropriate contacts with relevant authorities should be maintained. § 6.1.3 Control]
    Operational management Behavior
    Establish, implement, and maintain a digital forensic evidence framework. CC ID 08652 Operational management Establish/Maintain Documentation
    Define the business scenarios that require digital forensic evidence. CC ID 08653 Operational management Establish/Maintain Documentation
    Define the circumstances for collecting digital forensic evidence. CC ID 08657
    [The organization should define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence. § 16.1.7 Control]
    Operational management Establish/Maintain Documentation
    Identify potential sources of digital forensic evidence. CC ID 08651
    [The organization should define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence. § 16.1.7 Control]
    Operational management Investigate
    Establish, implement, and maintain a digital forensic evidence collection program. CC ID 08655
    [The organization should define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence. § 16.1.7 Control]
    Operational management Establish/Maintain Documentation
    Include roles and responsibilities in the digital forensic evidence collection program. CC ID 15724 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain secure storage and handling of evidence procedures. CC ID 08656
    [The organization should define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence. § 16.1.7 Control]
    Operational management Records Management
    Establish, implement, and maintain a performance management standard. CC ID 01615 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain rate limiting filters. CC ID 06883 Operational management Business Processes
    Establish, implement, and maintain system capacity monitoring procedures. CC ID 01619
    [The use of resources should be monitored, tuned and projections made of future capacity requirements to ensure the required system performance. § 12.1.3 Control]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a Service Level Agreement framework. CC ID 00839 Operational management Establish/Maintain Documentation
    Include the security mechanisms of network services in the Service Level Agreement. CC ID 12023
    [Security mechanisms, service levels and management requirements of all network services should be identified and included in network services agreements, whether these services are provided in-house or outsourced. § 13.1.2 Control]
    Operational management Establish/Maintain Documentation
    Include the management requirements for network services in the Service Level Agreement. CC ID 12025
    [Security mechanisms, service levels and management requirements of all network services should be identified and included in network services agreements, whether these services are provided in-house or outsourced. § 13.1.2 Control]
    Operational management Establish/Maintain Documentation
    Include the service levels for network services in the Service Level Agreement. CC ID 12024
    [Security mechanisms, service levels and management requirements of all network services should be identified and included in network services agreements, whether these services are provided in-house or outsourced. § 13.1.2 Control]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a change control program. CC ID 00886
    [Changes to the organization, business processes, information processing facilities and systems that affect information security should be controlled. § 12.1.2 Control
    Changes to systems within the development lifecycle should be controlled by the use of formal change control procedures. § 14.2.2 Control]
    Operational management Establish/Maintain Documentation
    Include potential consequences of unintended changes in the change control program. CC ID 12243 Operational management Establish/Maintain Documentation
    Include version control in the change control program. CC ID 13119 Operational management Establish/Maintain Documentation
    Include service design and transition in the change control program. CC ID 13920 Operational management Establish/Maintain Documentation
    Separate the production environment from development environment or test environment for the change control process. CC ID 11864 Operational management Maintenance
    Integrate configuration management procedures into the change control program. CC ID 13646 Operational management Technical Security
    Establish, implement, and maintain a back-out plan. CC ID 13623 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373 Operational management Establish/Maintain Documentation
    Manage change requests. CC ID 00887
    [Modifications to software packages should be discouraged, limited to necessary changes and all changes should be strictly controlled. § 14.2.4 Control]
    Operational management Business Processes
    Include documentation of the impact level of proposed changes in the change request. CC ID 11942 Operational management Establish/Maintain Documentation
    Establish and maintain a change request approver list. CC ID 06795 Operational management Establish/Maintain Documentation
    Document all change requests in change request forms. CC ID 06794 Operational management Establish/Maintain Documentation
    Approve tested change requests. CC ID 11783 Operational management Data and Information Management
    Validate the system before implementing approved changes. CC ID 01510
    [When operating platforms are changed, business critical applications should be reviewed and tested to ensure there is no adverse impact on organizational operations or security. § 14.2.3 Control]
    Operational management Systems Design, Build, and Implementation
    Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 Operational management Behavior
    Establish, implement, and maintain emergency change procedures. CC ID 00890 Operational management Establish/Maintain Documentation
    Perform emergency changes, as necessary. CC ID 12707 Operational management Process or Activity
    Back up emergency changes after the change has been performed. CC ID 12734 Operational management Process or Activity
    Log emergency changes after they have been performed. CC ID 12733 Operational management Establish/Maintain Documentation
    Perform risk assessments prior to approving change requests. CC ID 00888 Operational management Testing
    Implement changes according to the change control program. CC ID 11776 Operational management Business Processes
    Provide audit trails for all approved changes. CC ID 13120 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a patch management program. CC ID 00896 Operational management Process or Activity
    Document the sources of all software updates. CC ID 13316 Operational management Establish/Maintain Documentation
    Implement patch management software, as necessary. CC ID 12094 Operational management Technical Security
    Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087 Operational management Technical Security
    Establish, implement, and maintain a patch management policy. CC ID 16432 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain patch management procedures. CC ID 15224 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a patch log. CC ID 01642 Operational management Establish/Maintain Documentation
    Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 Operational management Business Processes
    Establish, implement, and maintain a software release policy. CC ID 00893 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain traceability documentation. CC ID 16388 Operational management Systems Design, Build, and Implementation
    Disseminate and communicate software update information to users and regulators. CC ID 06602 Operational management Behavior
    Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809 Operational management Data and Information Management
    Update associated documentation after the system configuration has been changed. CC ID 00891 Operational management Establish/Maintain Documentation
    Document the organization's local environments. CC ID 06726
    [To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. § 5.1 Objective
    To establish a management framework to initiate and control the implementation and operation of information security within the organization. § 6.1 Objective
    To ensure the security of teleworking and use of mobile devices. § 6.2 Objective
    To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered. § 7.1 Objective
    To ensure that employees and contractors are aware of and fulfill their information security responsibilities. § 7.2 Objective
    To protect the organization’s interests as part of the process of changing or terminating employment. § 7.3 Objective
    To identify organizational assets and define appropriate protection responsibilities. § 8.1 Objective
    To prevent unauthorized disclosure, modification, removal or destruction of information stored on media. § 8.3 Objective
    To limit access to information and information processing facilities. § 9.1 Objective
    To ensure authorized user access and to prevent unauthorized access to systems and services. § 9.2 Objective
    To make users accountable for safeguarding their authentication information. § 9.3 Objective
    To prevent unauthorized access to systems and applications. § 9.4 Objective
    To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information. § 10.1 Objective
    To prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities. § 11.1 Objective
    To prevent loss, damage, theft or compromise of assets and interruption to the organization’s operations. § 11.2 Objective
    To ensure correct and secure operations of information processing facilities. § 12.1 Objective
    To ensure that information and information processing facilities are protected against malware. § 12.2 Objective
    To protect against loss of data. § 12.3 Objective
    To record events and generate evidence. § 12.4 Objective
    To ensure the integrity of operational systems. § 12.5 Objective
    To prevent exploitation of technical vulnerabilities. § 12.6 Objective
    To minimise the impact of audit activities on operational systems. § 12.7 Objective
    To ensure the protection of information in networks and its supporting information processing facilities. § 13.1 Objective
    To maintain the security of information transferred within an organization and with any external entity. § 13.2 Objective
    To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks. § 14.1 Objective
    To ensure that information security is designed and implemented within the development lifecycle of information systems. § 14.2 Objective
    To ensure protection of the organization’s assets that is accessible by suppliers. § 15.1 Objective
    To maintain an agreed level of information security and service delivery in line with supplier agreements. § 15.2 Objective
    To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses. § 16.1 Objective
    Information security continuity should be embedded in the organization’s business continuity management systems. § 17.1 Objective
    To ensure availability of information processing facilities. § 17.2 Objective
    To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements. § 18.1 Objective
    To ensure that information security is implemented and operated in accordance with the organizational policies and procedures. § 18.2 Objective
    To ensure that information receives an appropriate level of protection in accordance with its importance to the organization. § 8.2 Objective
    To ensure the protection of data used for testing. § 14.3 Objective]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain local environment security profiles. CC ID 07037 Operational management Establish/Maintain Documentation
    Include individuals assigned to the local environment in the local environment security profile. CC ID 07038 Operational management Establish/Maintain Documentation
    Include security requirements in the local environment security profile. CC ID 15717 Operational management Establish/Maintain Documentation
    Include the business processes assigned to the local environment in the local environment security profile. CC ID 07039 Operational management Establish/Maintain Documentation
    Include the technology used in the local environment in the local environment security profile. CC ID 07040 Operational management Establish/Maintain Documentation
    Include contact information for critical personnel assigned to the local environment in the local environment security profile. CC ID 07041 Operational management Establish/Maintain Documentation
    Include facility information for the local environment in the local environment security profile. CC ID 07042 Operational management Establish/Maintain Documentation
    Include facility access information for the local environment in the local environment security profile. CC ID 11773 Operational management Establish/Maintain Documentation
    Disseminate and communicate the local environment security profile to interested personnel and affected parties. CC ID 15716 Operational management Communicate
    Update the local environment security profile, as necessary. CC ID 07043 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain system hardening procedures. CC ID 12001 System hardening through configuration management Establish/Maintain Documentation
    Remove all unnecessary functionality. CC ID 00882 System hardening through configuration management Configuration
    Disable all unnecessary applications unless otherwise noted in a policy exception. CC ID 04827 System hardening through configuration management Configuration
    Restrict and control the use of privileged utility programs. CC ID 12030
    [The use of utility programs that might be capable of overriding system and application controls should be restricted and tightly controlled. § 9.4.4 Control]
    System hardening through configuration management Technical Security
    Establish, implement, and maintain authenticators. CC ID 15305 System hardening through configuration management Technical Security
    Establish, implement, and maintain an authenticator standard. CC ID 01702 System hardening through configuration management Establish/Maintain Documentation
    Establish, implement, and maintain an authenticator management system. CC ID 12031
    [The allocation of secret authentication information should be controlled through a formal management process. § 9.2.4 Control
    {interactive system} Password management systems should be interactive and should ensure quality passwords. § 9.4.3 Control]
    System hardening through configuration management Establish/Maintain Documentation
    Establish, implement, and maintain a repository of authenticators. CC ID 16372 System hardening through configuration management Data and Information Management
    Establish, implement, and maintain authenticator procedures. CC ID 12002
    [Users should be required to follow the organization’s practices in the use of secret authentication information. § 9.3.1 Control]
    System hardening through configuration management Establish/Maintain Documentation
    Restrict access to authentication files to authorized personnel, as necessary. CC ID 12127 System hardening through configuration management Technical Security
    Configure authenticators to comply with organizational standards. CC ID 06412
    [{interactive system} Password management systems should be interactive and should ensure quality passwords. § 9.4.3 Control]
    System hardening through configuration management Configuration
    Configure the system to require new users to change their authenticator on first use. CC ID 05268 System hardening through configuration management Configuration
    Configure authenticators so that group authenticators or shared authenticators are prohibited. CC ID 00519 System hardening through configuration management Configuration
    Configure the system to prevent unencrypted authenticator use. CC ID 04457 System hardening through configuration management Configuration
    Disable store passwords using reversible encryption. CC ID 01708 System hardening through configuration management Configuration
    Configure the system to encrypt authenticators. CC ID 06735 System hardening through configuration management Configuration
    Configure the system to mask authenticators. CC ID 02037 System hardening through configuration management Configuration
    Configure the authenticator policy to ban the use of usernames or user identifiers in authenticators. CC ID 05992 System hardening through configuration management Configuration
    Configure the "minimum number of digits required for new passwords" setting to organizational standards. CC ID 08717 System hardening through configuration management Establish/Maintain Documentation
    Configure the "minimum number of upper case characters required for new passwords" setting to organizational standards. CC ID 08718 System hardening through configuration management Establish/Maintain Documentation
    Configure the system to refrain from specifying the type of information used as password hints. CC ID 13783 System hardening through configuration management Configuration
    Configure the "minimum number of lower case characters required for new passwords" setting to organizational standards. CC ID 08719 System hardening through configuration management Establish/Maintain Documentation
    Disable machine account password changes. CC ID 01737 System hardening through configuration management Configuration
    Configure the "minimum number of special characters required for new passwords" setting to organizational standards. CC ID 08720 System hardening through configuration management Establish/Maintain Documentation
    Configure the "require new passwords to differ from old ones by the appropriate minimum number of characters" setting to organizational standards. CC ID 08722 System hardening through configuration management Establish/Maintain Documentation
    Configure the "password reuse" setting to organizational standards. CC ID 08724 System hardening through configuration management Establish/Maintain Documentation
    Configure the "Disable Remember Password" setting. CC ID 05270 System hardening through configuration management Configuration
    Configure the "Minimum password age" to organizational standards. CC ID 01703 System hardening through configuration management Configuration
    Configure the LILO/GRUB password. CC ID 01576 System hardening through configuration management Configuration
    Configure the system to use Apple's Keychain Access to store passwords and certificates. CC ID 04481 System hardening through configuration management Configuration
    Change the default password to Apple's Keychain. CC ID 04482 System hardening through configuration management Configuration
    Configure Apple's Keychain items to ask for the Keychain password. CC ID 04483 System hardening through configuration management Configuration
    Configure the Syskey Encryption Key and associated password. CC ID 05978 System hardening through configuration management Configuration
    Configure the "Accounts: Limit local account use of blank passwords to console logon only" setting. CC ID 04505 System hardening through configuration management Configuration
    Configure the "System cryptography: Force strong key protection for user keys stored in the computer" setting. CC ID 04534 System hardening through configuration management Configuration
    Configure interactive logon for accounts that do not have assigned authenticators in accordance with organizational standards. CC ID 05267 System hardening through configuration management Configuration
    Enable or disable remote connections from accounts with empty authenticators, as appropriate. CC ID 05269 System hardening through configuration management Configuration
    Configure the "Send LanMan compatible password" setting. CC ID 05271 System hardening through configuration management Configuration
    Configure the authenticator policy to ban or allow authenticators as words found in dictionaries, as appropriate. CC ID 05993 System hardening through configuration management Configuration
    Set the most number of characters required for the BitLocker Startup PIN correctly. CC ID 06054 System hardening through configuration management Configuration
    Set the default folder for BitLocker recovery passwords correctly. CC ID 06055 System hardening through configuration management Configuration
    Notify affected parties to keep authenticators confidential. CC ID 06787 System hardening through configuration management Behavior
    Discourage affected parties from recording authenticators. CC ID 06788 System hardening through configuration management Behavior
    Configure the "shadow password for all accounts in /etc/passwd" setting to organizational standards. CC ID 08721 System hardening through configuration management Establish/Maintain Documentation
    Configure the "password hashing algorithm" setting to organizational standards. CC ID 08723 System hardening through configuration management Establish/Maintain Documentation
    Configure the "Disable password strength validation for Peer Grouping" setting to organizational standards. CC ID 10866 System hardening through configuration management Configuration
    Configure the "Set the interval between synchronization retries for Password Synchronization" setting to organizational standards. CC ID 11185 System hardening through configuration management Configuration
    Configure the "Set the number of synchronization retries for servers running Password Synchronization" setting to organizational standards. CC ID 11187 System hardening through configuration management Configuration
    Configure the "Turn off password security in Input Panel" setting to organizational standards. CC ID 11296 System hardening through configuration management Configuration
    Configure the "Turn on the Windows to NIS password synchronization for users that have been migrated to Active Directory" setting to organizational standards. CC ID 11355 System hardening through configuration management Configuration
    Configure the authenticator display screen to organizational standards. CC ID 13794 System hardening through configuration management Configuration
    Configure the authenticator field to disallow memorized secrets found in the memorized secret list. CC ID 13808 System hardening through configuration management Configuration
    Configure the authenticator display screen to display the memorized secret as an option. CC ID 13806 System hardening through configuration management Configuration
    Disseminate and communicate with the end user when a memorized secret entered into an authenticator field matches one found in the memorized secret list. CC ID 13807 System hardening through configuration management Communicate
    Configure the memorized secret verifiers to refrain from allowing anonymous users to access memorized secret hints. CC ID 13823 System hardening through configuration management Configuration
    Configure the system to allow paste functionality for the authenticator field. CC ID 13819 System hardening through configuration management Configuration
    Configure the system to require successful authentication before an authenticator for a user account is changed. CC ID 13821 System hardening through configuration management Configuration
    Configure Logging settings in accordance with organizational standards. CC ID 07611 System hardening through configuration management Configuration
    Configure all logs to capture auditable events or actionable events. CC ID 06332 System hardening through configuration management Configuration
    Establish, implement, and maintain records management policies. CC ID 00903 Records management Establish/Maintain Documentation
    Establish, implement, and maintain a record classification scheme. CC ID 00914 Records management Establish/Maintain Documentation
    Establish, implement, and maintain a records authentication system. CC ID 11648
    [Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements. § 18.1.3 Control]
    Records management Establish/Maintain Documentation
    Establish, implement, and maintain storage media disposition and destruction procedures. CC ID 11657
    [Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements. § 18.1.3 Control]
    Records management Establish/Maintain Documentation
    Supervise media destruction in accordance with organizational standards. CC ID 16456 Records management Business Processes
    Sanitize electronic storage media in accordance with organizational standards. CC ID 16464 Records management Data and Information Management
    Sanitize all electronic storage media before disposing a system or redeploying a system. CC ID 01643
    [All items of equipment containing storage media should be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use. § 11.2.7 Control]
    Records management Data and Information Management
    Degauss as a method of sanitizing electronic storage media. CC ID 00973 Records management Records Management
    Manage waste materials in accordance with the storage media disposition and destruction procedures. CC ID 16485 Records management Process or Activity
    Use approved media sanitization equipment for destruction. CC ID 16459 Records management Business Processes
    Establish, implement, and maintain records management procedures. CC ID 11619 Records management Establish/Maintain Documentation
    Protect records from loss in accordance with applicable requirements. CC ID 12007
    [Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements. § 18.1.3 Control]
    Records management Records Management
    Establish, implement, and maintain document security requirements for the output of records. CC ID 11656
    [Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements. § 18.1.3 Control]
    Records management Establish/Maintain Documentation
    Establish, implement, and maintain document handling procedures for paper documents. CC ID 00926 Records management Establish/Maintain Documentation
    Establish, implement, and maintain electronic storage media management procedures. CC ID 00931
    [Procedures should be implemented for the management of removable media in accordance with the classification scheme adopted by the organization. § 8.3.1 Control]
    Records management Establish/Maintain Documentation
    Establish, implement, and maintain security label procedures. CC ID 06747
    [An appropriate set of procedures for information labelling should be developed and implemented in accordance with the information classification scheme adopted by the organization. § 8.2.2 Control]
    Records management Establish/Maintain Documentation
    Label restricted storage media appropriately. CC ID 00966 Records management Data and Information Management
    Establish, implement, and maintain restricted material identification procedures. CC ID 01889 Records management Establish/Maintain Documentation
    Conspicuously locate the restricted record's overall classification. CC ID 01890 Records management Establish/Maintain Documentation
    Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 Records management Establish/Maintain Documentation
    Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 Records management Establish/Maintain Documentation
    Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 Records management Establish/Maintain Documentation
    Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 Records management Establish/Maintain Documentation
    Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 Records management Data and Information Management
    Establish, implement, and maintain label inheritance mechanisms for aggregate data sets. CC ID 06957 Records management Technical Security
    Establish the minimum originator requirements for security labels. CC ID 06579 Records management Establish/Maintain Documentation
    Establish the minimum intermediate system requirements for security labels. CC ID 06581 Records management Establish/Maintain Documentation
    Establish the minimum receiver requirements for records or electronic storage media marked with security labels. CC ID 06580 Records management Establish/Maintain Documentation
    Establish policy based processing rules to process incoming records or electronic storage media marked with security labels. CC ID 06582 Records management Establish/Maintain Documentation
    Establish and maintain access controls for all records. CC ID 00371
    [Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements. § 18.1.3 Control]
    Records management Records Management
    Reproduce materials containing restricted data or restricted information in accordance with compliance requirements. CC ID 02202 Records management Data and Information Management
    Establish, implement, and maintain a records lifecycle management program. CC ID 00951 Records management Establish/Maintain Documentation
    Establish, implement, and maintain an information preservation policy. CC ID 16483 Records management Establish/Maintain Documentation
    Establish, implement, and maintain information preservation procedures. CC ID 06277 Records management Establish/Maintain Documentation
    Implement and maintain high availability storage, as necessary. CC ID 00952 Records management Technical Security
    Implement and maintain backups and duplicate copies of organizational records. CC ID 00953 Records management Records Management
    Establish, implement, and maintain the duplicate original of record indexes. CC ID 00954 Records management Records Management
    Establish, implement, and maintain a transparent storage media strategy. CC ID 00932 Records management Records Management
    Establish, implement, and maintain an online availability plan that is commensurate with the electronic storage media. CC ID 00934 Records management Establish/Maintain Documentation
    Establish, implement, and maintain online storage controls. CC ID 00942 Records management Technical Security
    Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 Records management Records Management
    Provide encryption for different types of electronic storage media. CC ID 00945 Records management Technical Security
    Implement electronic storage media integrity controls. CC ID 00946 Records management Configuration
    Automate electronic storage media integrity check controls. CC ID 00948 Records management Configuration
    Provide capacity for indexes on electronic storage media, as necessary. CC ID 00950 Records management Configuration
    Establish, implement, and maintain a removable storage media log. CC ID 12317 Records management Log Management
    Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320 Records management Establish/Maintain Documentation
    Include the date and time in the removable storage media log. CC ID 12318 Records management Establish/Maintain Documentation
    Include the name and signature of the current custodian in the removable storage media log. CC ID 12315 Records management Establish/Maintain Documentation
    Include the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 Records management Establish/Maintain Documentation
    Include the recipient's name for the data transfer in the removable storage media log. CC ID 12753 Records management Establish/Maintain Documentation
    Include the sender's name in the removable storage media log. CC ID 12752 Records management Establish/Maintain Documentation
    Include the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 Records management Establish/Maintain Documentation
    Include the reason for transfer in the removable storage media log. CC ID 12316 Records management Establish/Maintain Documentation
    Establish, implement, and maintain storage media downgrading procedures. CC ID 10619 Records management Process or Activity
    Document all actions taken when downgrading electronic storage media. CC ID 10622 Records management Establish/Maintain Documentation
    Initiate the System Development Life Cycle planning phase. CC ID 06266 Systems design, build, and implementation Systems Design, Build, and Implementation
    Establish, implement, and maintain system design principles and system design guidelines. CC ID 01057
    [{system development} Rules for the development of software and systems should be established and applied to developments within the organization. § 14.2.1 Control]
    Systems design, build, and implementation Establish/Maintain Documentation
    Establish, implement, and maintain a security controls definition document. CC ID 01080 Systems design, build, and implementation Establish/Maintain Documentation
    Include identified risks and legal requirements in the security controls definition document. CC ID 11743 Systems design, build, and implementation Establish/Maintain Documentation
    Include naming conventions in system design guidelines. CC ID 13656 Systems design, build, and implementation Establish/Maintain Documentation
    Implement manual override capability into automated systems. CC ID 14921 Systems design, build, and implementation Systems Design, Build, and Implementation
    Define and assign the system development project team roles and responsibilities. CC ID 01061 Systems design, build, and implementation Establish Roles
    Disseminate and communicate system development roles and responsibilities to interested personnel and affected parties. CC ID 01062 Systems design, build, and implementation Establish Roles
    Disseminate and communicate system development roles and responsibilities to business unit leaders. CC ID 01063 Systems design, build, and implementation Establish Roles
    Establish, implement, and maintain a source data collection design specification. CC ID 01070 Systems design, build, and implementation Establish/Maintain Documentation
    Establish and maintain an input requirements definition document. CC ID 01071 Systems design, build, and implementation Establish/Maintain Documentation
    Search for metadata during e-discovery. CC ID 01073 Systems design, build, and implementation Systems Design, Build, and Implementation
    Establish, implement, and maintain security design principles. CC ID 14718 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include reduced complexity of systems or system components in the security design principles. CC ID 14753 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include self-reliant trustworthiness of systems or system components in the security design principles. CC ID 14752 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include partially ordered dependencies of systems or system components in the security design principles. CC ID 14751 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include modularity and layering of systems or system components in the security design principles. CC ID 14750 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include secure evolvability of systems or system components in the security design principles. CC ID 14749 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include continuous protection of systems or system components in the security design principles. CC ID 14748 Systems design, build, and implementation Establish/Maintain Documentation
    Include least common mechanisms between systems or system components in the security design principles. CC ID 14747 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include secure system modification of systems or system components in the security design principles. CC ID 14746 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include clear abstractions of systems or system components in the security design principles. CC ID 14745 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include secure failure and recovery of systems or system components in the security design principles. CC ID 14744 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include repeatable and documented procedures for systems or system components in the security design principles. CC ID 14743 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include least privilege of systems or system components in the security design principles. CC ID 14742 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include minimized sharing of systems or system components in the security design principles. CC ID 14741 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include acceptable security of systems or system components in the security design principles. CC ID 14740 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include minimized security elements in systems or system components in the security design principles. CC ID 14739 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include hierarchical protection in systems or system components in the security design principles. CC ID 14738 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include self-analysis of systems or system components in the security design principles. CC ID 14737 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include inverse modification thresholds in systems or system components in the security design principles. CC ID 14736 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include efficiently mediated access to systems or system components in the security design principles. CC ID 14735 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include secure distributed composition of systems or system components in the security design principles. CC ID 14734 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include minimization of systems or system components in the security design principles. CC ID 14733 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include secure defaults in systems or system components in the security design principles. CC ID 14732 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include trusted communications channels for systems or system components in the security design principles. CC ID 14731 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include economic security in systems or system components in the security design principles. CC ID 14730 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include trusted components of systems or system components in the security design principles. CC ID 14729 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include procedural rigor in systems or system components in the security design principles. CC ID 14728 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include accountability and traceability of systems or system components in the security design principles. CC ID 14727 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include hierarchical trust in systems or system components in the security design principles. CC ID 14726 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include sufficient documentation for systems or system components in the security design principles. CC ID 14725 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include performance security of systems or system components in the security design principles. CC ID 14724 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include human factored security in systems or system components in the security design principles. CC ID 14723 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include secure metadata management of systems or system components in the security design principles. CC ID 14722 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include predicate permission of systems or system components in the security design principles. CC ID 14721 Systems design, build, and implementation Systems Design, Build, and Implementation
    Establish, implement, and maintain a system use training plan. CC ID 01089 Systems design, build, and implementation Establish/Maintain Documentation
    Train the affected users during system development life cycle projects. CC ID 01091 Systems design, build, and implementation Behavior
    Establish and maintain access rights to the system use training plan based on least privilege. CC ID 06963 Systems design, build, and implementation Establish/Maintain Documentation
    Include the physical design characteristics in the system design specification. CC ID 06927 Systems design, build, and implementation Establish/Maintain Documentation
    Separate the design and development environment from the production environment. CC ID 06088
    [{development environment} {testing environment} Development, testing, and operational environments should be separated to reduce the risks of unauthorized access or changes to the operational environment. § 12.1.4 Control]
    Systems design, build, and implementation Systems Design, Build, and Implementation
    Specify appropriate tools for the system development project. CC ID 06830 Systems design, build, and implementation Establish/Maintain Documentation
    Implement security controls in development endpoints. CC ID 16389 Systems design, build, and implementation Testing
    Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 Systems design, build, and implementation Systems Design, Build, and Implementation
    Develop systems in accordance with the system design specifications and system design standards. CC ID 01094
    [Principles for engineering secure systems should be established, documented, maintained and applied to any information system implementation efforts. § 14.2.5 Control]
    Systems design, build, and implementation Systems Design, Build, and Implementation
    Establish, implement, and maintain outsourced development procedures. CC ID 01141 Systems design, build, and implementation Establish/Maintain Documentation
    Protect stored manufacturing components prior to assembly. CC ID 12248 Systems design, build, and implementation Systems Design, Build, and Implementation
    Store manufacturing components in a controlled access area. CC ID 12256 Systems design, build, and implementation Physical and Environmental Protection
    Develop new products based on best practices. CC ID 01095 Systems design, build, and implementation Systems Design, Build, and Implementation
    Establish, implement, and maintain a system design specification. CC ID 04557 Systems design, build, and implementation Establish/Maintain Documentation
    Document the system architecture in the system design specification. CC ID 12287 Systems design, build, and implementation Establish/Maintain Documentation
    Include hardware requirements in the system design specification. CC ID 08666 Systems design, build, and implementation Establish/Maintain Documentation
    Include communication links in the system design specification. CC ID 08665 Systems design, build, and implementation Establish/Maintain Documentation
    Include a description of each module and asset in the system design specification. CC ID 11734 Systems design, build, and implementation Establish/Maintain Documentation
    Include supporting software requirements in the system design specification. CC ID 08664 Systems design, build, and implementation Establish/Maintain Documentation
    Establish and maintain Application Programming Interface documentation. CC ID 12203 Systems design, build, and implementation Establish/Maintain Documentation
    Include configuration options in the Application Programming Interface documentation. CC ID 12205 Systems design, build, and implementation Establish/Maintain Documentation
    Include the logical data flows and process steps in the system design specification. CC ID 08668 Systems design, build, and implementation Establish/Maintain Documentation
    Establish and maintain the system design specification in a manner that is clear and easy to read. CC ID 12286 Systems design, build, and implementation Establish/Maintain Documentation
    Include threat models in the system design specification. CC ID 06829 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include security requirements in the system design specification. CC ID 06826
    [The information security related requirements should be included in the requirements for new information systems or enhancements to existing information systems. § 14.1.1 Control]
    Systems design, build, and implementation Systems Design, Build, and Implementation
    Establish, implement, and maintain access control procedures for the test environment that match those of the production environment. CC ID 06793 Systems design, build, and implementation Establish/Maintain Documentation
    Establish, implement, and maintain identification card or badge architectural designs. CC ID 06591 Systems design, build, and implementation Process or Activity
    Define the physical requirements for identification cards or badges in the identification card or badge architectural designs. CC ID 06592 Systems design, build, and implementation Process or Activity
    Define the mandatory items that must appear on identification cards or badges in the identification card or badge architectural designs. CC ID 06593 Systems design, build, and implementation Process or Activity
    Define the data elements to be stored on identification cards or badges in the identification card or badge architectural designs. CC ID 15427 Systems design, build, and implementation Systems Design, Build, and Implementation
    Define the optional items that may appear on identification cards or badges in the identification card or badge architectural designs. CC ID 06594 Systems design, build, and implementation Process or Activity
    Include security measures in the identification card or badge architectural designs. CC ID 15423 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include the logical credential data model for identification cards or badges in the identification card or badge architectural designs. CC ID 06595 Systems design, build, and implementation Process or Activity
    Establish, implement, and maintain payment card architectural designs. CC ID 16132 Systems design, build, and implementation Establish/Maintain Documentation
    Establish, implement, and maintain coding guidelines. CC ID 08661 Systems design, build, and implementation Establish/Maintain Documentation
    Nest elements appropriately in website content using markup languages. CC ID 15154 Systems design, build, and implementation Configuration
    Use valid HTML or other markup languages. CC ID 15153 Systems design, build, and implementation Configuration
    Establish, implement, and maintain human interface guidelines. CC ID 08662 Systems design, build, and implementation Establish/Maintain Documentation
    Ensure users can navigate content. CC ID 15163 Systems design, build, and implementation Configuration
    Create text content using language that is readable and is understandable. CC ID 15167 Systems design, build, and implementation Configuration
    Ensure user interface components are operable. CC ID 15162 Systems design, build, and implementation Configuration
    Implement mechanisms to review, confirm, and correct user submissions. CC ID 15160 Systems design, build, and implementation Configuration
    Allow users to reverse submissions. CC ID 15168 Systems design, build, and implementation Configuration
    Provide a mechanism to control audio. CC ID 15158 Systems design, build, and implementation Configuration
    Allow modification of style properties without loss of content or functionality. CC ID 15156 Systems design, build, and implementation Configuration
    Programmatically determine the name and role of user interface components. CC ID 15148 Systems design, build, and implementation Configuration
    Programmatically determine the language of content. CC ID 15137 Systems design, build, and implementation Configuration
    Provide a mechanism to dismiss content triggered by mouseover or keyboard focus. CC ID 15164 Systems design, build, and implementation Configuration
    Configure repeated navigational mechanisms to occur in the same order unless overridden by the user. CC ID 15166 Systems design, build, and implementation Configuration
    Refrain from activating a change of context when changing the setting of user interface components, as necessary. CC ID 15165 Systems design, build, and implementation Configuration
    Provide users a mechanism to remap keyboard shortcuts. CC ID 15133 Systems design, build, and implementation Configuration
    Identify the components in a set of web pages that consistently have the same functionality. CC ID 15116 Systems design, build, and implementation Process or Activity
    Provide captions for live audio content. CC ID 15120 Systems design, build, and implementation Configuration
    Programmatically determine the purpose of each data field that collects information from the user. CC ID 15114 Systems design, build, and implementation Configuration
    Provide labels or instructions when content requires user input. CC ID 15077 Systems design, build, and implementation Configuration
    Allow users to control auto-updating information, as necessary. CC ID 15159 Systems design, build, and implementation Configuration
    Use headings on all web pages and labels in all content that describes the topic or purpose. CC ID 15070 Systems design, build, and implementation Configuration
    Display website content triggered by mouseover or keyboard focus. CC ID 15152 Systems design, build, and implementation Configuration
    Ensure the purpose of links can be determined through the link text. CC ID 15157 Systems design, build, and implementation Configuration
    Use a unique title that describes the topic or purpose for each web page. CC ID 15069 Systems design, build, and implementation Configuration
    Allow the use of time limits, as necessary. CC ID 15155 Systems design, build, and implementation Configuration
    Include mechanisms for changing authenticators in human interface guidelines. CC ID 14944 Systems design, build, and implementation Establish/Maintain Documentation
    Refrain from activating a change of context in a user interface component. CC ID 15115 Systems design, build, and implementation Configuration
    Include functionality for managing user data in human interface guidelines. CC ID 14928 Systems design, build, and implementation Establish/Maintain Documentation
    Establish and maintain User Interface documentation. CC ID 12204 Systems design, build, and implementation Establish/Maintain Documentation
    Include system messages in human interface guidelines. CC ID 08663 Systems design, build, and implementation Establish/Maintain Documentation
    Include measurable system performance requirements in the system design specification. CC ID 08667 Systems design, build, and implementation Establish/Maintain Documentation
    Include the data structure in the system design specification. CC ID 08669 Systems design, build, and implementation Establish/Maintain Documentation
    Include the input and output variables in the system design specification. CC ID 08670 Systems design, build, and implementation Establish/Maintain Documentation
    Include data encryption information in the system design specification. CC ID 12209 Systems design, build, and implementation Establish/Maintain Documentation
    Include records disposition information in the system design specification. CC ID 12208 Systems design, build, and implementation Establish/Maintain Documentation
    Include how data is managed in each module in the system design specification. CC ID 12207 Systems design, build, and implementation Establish/Maintain Documentation
    Include identifying restricted data in the system design specification. CC ID 12206 Systems design, build, and implementation Establish/Maintain Documentation
    Assign appropriate parties to approve the system design specification. CC ID 13070 Systems design, build, and implementation Human Resources Management
    Disseminate and communicate the system design specification to all interested personnel and affected parties. CC ID 15468 Systems design, build, and implementation Communicate
    Implement data controls when developing systems. CC ID 15302 Systems design, build, and implementation Systems Design, Build, and Implementation
    Implement security controls when developing systems. CC ID 06270 Systems design, build, and implementation Systems Design, Build, and Implementation
    Analyze and minimize attack surfaces when developing systems. CC ID 06828 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include restricted data encryption and restricted information encryption in the security controls. CC ID 01083 Systems design, build, and implementation Technical Security
    Require successful authentication before granting access to system functionality via network interfaces. CC ID 14926 Systems design, build, and implementation Technical Security
    Implement a hardware security module, as necessary. CC ID 12222 Systems design, build, and implementation Systems Design, Build, and Implementation
    Require dual authentication when switching out of PCI mode in the hardware security module. CC ID 12274 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include an indicator to designate when the hardware security module is in PCI mode. CC ID 12273 Systems design, build, and implementation Systems Design, Build, and Implementation
    Design the random number generator to generate random numbers that are unpredictable. CC ID 12255 Systems design, build, and implementation Systems Design, Build, and Implementation
    Design the hardware security module to enforce the separation between applications. CC ID 12254 Systems design, build, and implementation Systems Design, Build, and Implementation
    Protect sensitive data when transiting sensitive services in the hardware security module. CC ID 12253 Systems design, build, and implementation Systems Design, Build, and Implementation
    Design the hardware security module to automatically clear its internal buffers of sensitive information prior to reuse of the buffer. CC ID 12233 Systems design, build, and implementation Systems Design, Build, and Implementation
    Design the hardware security module to automatically clear its internal buffers of sensitive information after it recovers from an error condition. CC ID 12252 Systems design, build, and implementation Systems Design, Build, and Implementation
    Design the hardware security module to automatically clear its internal buffers of sensitive information when it has timed out. CC ID 12251 Systems design, build, and implementation Systems Design, Build, and Implementation
    Design the hardware security module to erase sensitive data when compromised. CC ID 12275 Systems design, build, and implementation Systems Design, Build, and Implementation
    Restrict key-usage information for cryptographic keys in the hardware security module. CC ID 12232 Systems design, build, and implementation Systems Design, Build, and Implementation
    Prevent cryptographic keys in the hardware security module from making unauthorized changes to data. CC ID 12231 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include in the system documentation methodologies for authenticating the hardware security module. CC ID 12258 Systems design, build, and implementation Establish/Maintain Documentation
    Protect sensitive information within the hardware security module from unauthorized changes. CC ID 12225 Systems design, build, and implementation Systems Design, Build, and Implementation
    Prohibit sensitive functions from working outside of protected areas of the hardware security module. CC ID 12224 Systems design, build, and implementation Systems Design, Build, and Implementation
    Establish, implement, and maintain an acceptable use policy for the hardware security module. CC ID 12247 Systems design, build, and implementation Establish/Maintain Documentation
    Include roles and responsibilities in the acceptable use policy for the hardware security module. CC ID 12264 Systems design, build, and implementation Establish/Maintain Documentation
    Include the environmental requirements in the acceptable use policy for the hardware security module. CC ID 12263 Systems design, build, and implementation Establish/Maintain Documentation
    Include device identification in the acceptable use policy for the hardware security module. CC ID 12262 Systems design, build, and implementation Establish/Maintain Documentation
    Include device functionality in the acceptable use policy for the hardware security module. CC ID 12261 Systems design, build, and implementation Establish/Maintain Documentation
    Include administrative responsibilities in the acceptable use policy for the hardware security module. CC ID 12260 Systems design, build, and implementation Establish/Maintain Documentation
    Install secret information into the hardware security module during manufacturing. CC ID 12249 Systems design, build, and implementation Systems Design, Build, and Implementation
    Install secret information into the hardware security module so that it can only be verified by the initial-key-loading facility. CC ID 12272 Systems design, build, and implementation Systems Design, Build, and Implementation
    Install secret information under dual control into the hardware security module. CC ID 12257 Systems design, build, and implementation Systems Design, Build, and Implementation
    Establish, implement, and maintain session security coding standards. CC ID 04584 Systems design, build, and implementation Establish/Maintain Documentation
    Establish and maintain a cryptographic architecture document. CC ID 12476 Systems design, build, and implementation Establish/Maintain Documentation
    Include the algorithms used in the cryptographic architecture document. CC ID 12483 Systems design, build, and implementation Establish/Maintain Documentation
    Include an inventory of all protected areas in the cryptographic architecture document. CC ID 12486 Systems design, build, and implementation Establish/Maintain Documentation
    Include a description of the key usage for each key in the cryptographic architecture document. CC ID 12484 Systems design, build, and implementation Establish/Maintain Documentation
    Include descriptions of all cryptographic keys in the cryptographic architecture document. CC ID 12487 Systems design, build, and implementation Establish/Maintain Documentation
    Include descriptions of the cryptographic key strength of all cryptographic keys in the cryptographic architecture document. CC ID 12488 Systems design, build, and implementation Establish/Maintain Documentation
    Include each cryptographic key's expiration date in the cryptographic architecture document. CC ID 12489 Systems design, build, and implementation Establish/Maintain Documentation
    Include the protocols used in the cryptographic architecture document. CC ID 12485 Systems design, build, and implementation Establish/Maintain Documentation
    Establish, implement, and maintain secure update mechanisms. CC ID 14923 Systems design, build, and implementation Systems Design, Build, and Implementation
    Implement cryptographic mechanisms to authenticate software updates before installation. CC ID 14925 Systems design, build, and implementation Systems Design, Build, and Implementation
    Automate secure update mechanisms, as necessary. CC ID 14933 Systems design, build, and implementation Systems Design, Build, and Implementation
    Follow security design requirements when developing systems. CC ID 06827 Systems design, build, and implementation Systems Design, Build, and Implementation
    Prevent unnecessary information from being added to client-side scripting languages. CC ID 07073 Systems design, build, and implementation Data and Information Management
    Use randomly generated session identifiers. CC ID 07074 Systems design, build, and implementation Technical Security
    Identify multi-project interfaces and dependencies. CC ID 06902 Systems design, build, and implementation Systems Design, Build, and Implementation
    Establish, implement, and maintain a system implementation representation document. CC ID 04558 Systems design, build, and implementation Establish/Maintain Documentation
    Include the source code in the implementation representation document. CC ID 13089 Systems design, build, and implementation Establish/Maintain Documentation
    Include the hardware schematics in the implementation representation document. CC ID 13098 Systems design, build, and implementation Establish/Maintain Documentation
    Design the security architecture. CC ID 06269 Systems design, build, and implementation Systems Design, Build, and Implementation
    Limit the embedding of data types inside other data types. CC ID 06759 Systems design, build, and implementation Technical Security
    Design the privacy architecture. CC ID 14671 Systems design, build, and implementation Systems Design, Build, and Implementation
    Review and update the privacy architecture, as necessary. CC ID 14674 Systems design, build, and implementation Establish/Maintain Documentation
    Convert workflow charts and diagrams into machine readable code. CC ID 14865 Systems design, build, and implementation Process or Activity
    Implement software development version controls. CC ID 01098 Systems design, build, and implementation Systems Design, Build, and Implementation
    Protect system libraries. CC ID 01097 Systems design, build, and implementation Technical Security
    Follow the system development process when upgrading a system. CC ID 01059 Systems design, build, and implementation Systems Design, Build, and Implementation
    Protect application program libraries. CC ID 11762 Systems design, build, and implementation Technical Security
    Include the Evaluation Assurance Levels in the system design specification. CC ID 04561 Systems design, build, and implementation Establish/Maintain Documentation
    Approve the design methodology before moving forward on the system design project. CC ID 01060 Systems design, build, and implementation Systems Design, Build, and Implementation
    Identify and redesign unsafe functions when developing systems. CC ID 06831 Systems design, build, and implementation Systems Design, Build, and Implementation
    Establish and maintain system security documentation. CC ID 06271 Systems design, build, and implementation Establish/Maintain Documentation
    Document the procedures and environment used to create the system or software. CC ID 06609
    [{system development} Rules for the development of software and systems should be established and applied to developments within the organization. § 14.2.1 Control]
    Systems design, build, and implementation Establish/Maintain Documentation
    Transmit source code securely. CC ID 06397 Systems design, build, and implementation Data and Information Management
    Digitally sign software components. CC ID 16490 Systems design, build, and implementation Process or Activity
    Establish and maintain access rights to source code based upon least privilege. CC ID 06962
    [Access to program source code should be restricted. § 9.4.5 Control]
    Systems design, build, and implementation Technical Security
    Establish, implement, and maintain a system testing policy. CC ID 01102 Systems design, build, and implementation Establish/Maintain Documentation
    Configure the test environment similar to the production environment. CC ID 06837
    [Organizations should establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle. § 14.2.6 Control]
    Systems design, build, and implementation Configuration
    Establish, implement, and maintain system testing procedures. CC ID 11744 Systems design, build, and implementation Establish/Maintain Documentation
    Protect test data in the development environment. CC ID 12014
    [Test data should be selected carefully, protected and controlled. § 14.3.1 Control]
    Systems design, build, and implementation Technical Security
    Control the test data used in the development environment. CC ID 12013
    [Test data should be selected carefully, protected and controlled. § 14.3.1 Control]
    Systems design, build, and implementation Systems Design, Build, and Implementation
    Select the test data carefully. CC ID 12011
    [Test data should be selected carefully, protected and controlled. § 14.3.1 Control]
    Systems design, build, and implementation Systems Design, Build, and Implementation
    Test security functionality during the development process. CC ID 12015
    [Testing of security functionality should be carried out during development. § 14.2.8 Control]
    Systems design, build, and implementation Testing
    Establish, implement, and maintain payment and settlement functions for selling products and services. CC ID 13538 Acquisition or sale of facilities, technology, and services Business Processes
    Establish, implement, and maintain an electronic commerce program. CC ID 08617 Acquisition or sale of facilities, technology, and services Business Processes
    Establish, implement, and maintain payment transaction security measures. CC ID 13088 Acquisition or sale of facilities, technology, and services Technical Security
    Protect the integrity of application service transactions. CC ID 12017
    [Information involved in application service transactions should be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. § 14.1.3 Control]
    Acquisition or sale of facilities, technology, and services Business Processes
    Acquire products or services. CC ID 11450 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Discourage the modification of vendor-supplied software. CC ID 12016
    [Modifications to software packages should be discouraged, limited to necessary changes and all changes should be strictly controlled. § 14.2.4 Control]
    Acquisition or sale of facilities, technology, and services Process or Activity
    Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850
    [Privacy and protection of personally identifiable information should be ensured as required in relevant legislation and regulation where applicable. § 18.1.4 Control
    Privacy and protection of personally identifiable information should be ensured as required in relevant legislation and regulation where applicable. § 18.1.4 Control]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the roles and responsibilities of the organization's legal counsel in the privacy framework. CC ID 14862 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a personal data transparency program. CC ID 00375 Privacy protection for information and data Data and Information Management
    Establish and maintain privacy notices, as necessary. CC ID 13443 Privacy protection for information and data Establish/Maintain Documentation
    Include the purpose of the privacy notice in the privacy notice. CC ID 13526 Privacy protection for information and data Establish/Maintain Documentation
    Include the processing purpose in the privacy notice. CC ID 16543 Privacy protection for information and data Establish/Maintain Documentation
    Include contact information in the privacy notice. CC ID 14432 Privacy protection for information and data Establish/Maintain Documentation
    Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503 Privacy protection for information and data Establish/Maintain Documentation
    Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 Privacy protection for information and data Establish/Maintain Documentation
    Include instructions on how to opt out of personal data disclosure in the privacy notice. CC ID 13461 Privacy protection for information and data Establish/Maintain Documentation
    Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459 Privacy protection for information and data Establish/Maintain Documentation
    Include the organization's policies, standards, and procedures in the privacy notice. CC ID 13455 Privacy protection for information and data Establish/Maintain Documentation
    Include the organization's privacy framework in the privacy notice, as necessary. CC ID 13456 Privacy protection for information and data Establish/Maintain Documentation
    Include the personal data collection categories in the privacy notice. CC ID 13457 Privacy protection for information and data Establish/Maintain Documentation
    Include disclosure exceptions in the privacy notice. CC ID 13447 Privacy protection for information and data Establish/Maintain Documentation
    Include the types of personal data disclosed in the privacy notice. CC ID 13446 Privacy protection for information and data Establish/Maintain Documentation
    Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458 Privacy protection for information and data Establish/Maintain Documentation
    Specify the time frame that notice will be given. CC ID 00385 Privacy protection for information and data Establish/Maintain Documentation
    Include the information about the appeal process in the privacy notice. CC ID 15312 Privacy protection for information and data Establish/Maintain Documentation
    Combine privacy notices into a joint notification with suppliers, as necessary. CC ID 13468 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from delivering privacy notices to data subjects, as necessary. CC ID 13445 Privacy protection for information and data Communicate
    Deliver privacy notices to data subjects, as necessary. CC ID 13444 Privacy protection for information and data Communicate
    Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464 Privacy protection for information and data Establish/Maintain Documentation
    Update privacy notices, as necessary. CC ID 13474 Privacy protection for information and data Communicate
    Redeliver privacy notices, as necessary. CC ID 14850 Privacy protection for information and data Communicate
    Deliver privacy notices to third parties, as necessary. CC ID 13473 Privacy protection for information and data Communicate
    Obtain acknowledgment of receipt of the privacy notice. CC ID 14435 Privacy protection for information and data Communicate
    Establish and maintain short-form initial notifications of privacy notices that are clear and conspicuous. CC ID 13466 Privacy protection for information and data Establish/Maintain Documentation
    Include the organization's privacy framework in the short-form initial notification, as necessary. CC ID 13472 Privacy protection for information and data Establish/Maintain Documentation
    Include the methodology for accessing the privacy notice in the short-form initial notification. CC ID 13471 Privacy protection for information and data Establish/Maintain Documentation
    Include that the privacy notice is available upon request in the short-form initial notification. CC ID 13470 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain opt-out notices. CC ID 13448 Privacy protection for information and data Establish/Maintain Documentation
    Include how opt out directions for joint consumers are treated in the opt-out notice. CC ID 13465 Privacy protection for information and data Establish/Maintain Documentation
    Include the opt out method for data subjects in the opt-out notice. CC ID 13467 Privacy protection for information and data Establish/Maintain Documentation
    Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463 Privacy protection for information and data Establish/Maintain Documentation
    Explain the right to opt out in the opt-out notice. CC ID 13462 Privacy protection for information and data Establish/Maintain Documentation
    Include the organization's right to share personal data in the opt-out notice. CC ID 13450 Privacy protection for information and data Establish/Maintain Documentation
    Deliver opt-out notices, as necessary. CC ID 13449 Privacy protection for information and data Communicate
    Include an initial privacy notification when delivering the opt-out notice. CC ID 13453 Privacy protection for information and data Communicate
    Provide a copy of the organization's privacy program to statutory authorities, as necessary. CC ID 12376 Privacy protection for information and data Communicate
    Affirm adequate protection of personal data to applicable statutory authorities if the organization is not a member of a privacy program. CC ID 12372 Privacy protection for information and data Communicate
    Notify statutory authorities of the organization's withdrawal from the privacy program. CC ID 12391 Privacy protection for information and data Communicate
    Notify statutory authorities about how restricted data will be handled following withdrawal from the privacy program. CC ID 16819 Privacy protection for information and data Data and Information Management
    Notify statutory authorities concerned with the privacy program if the surviving organization will continue in the privacy program. CC ID 12393 Privacy protection for information and data Communicate
    Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354 Privacy protection for information and data Communicate
    Provide the data subject with a notice of participation procedures. CC ID 06241 Privacy protection for information and data Establish/Maintain Documentation
    Deliver notices to the intended parties. CC ID 06240 Privacy protection for information and data Data and Information Management
    Notify data subjects about their privacy rights. CC ID 12989 Privacy protection for information and data Communicate
    Disseminate and communicate the critical third party list with relevance to the privacy program to all interested personnel and affected parties. CC ID 12352 Privacy protection for information and data Communicate
    Establish, implement, and maintain adequate openness procedures. CC ID 00377 Privacy protection for information and data Data and Information Management
    Provide public proof the organization participates in a privacy program. CC ID 12349 Privacy protection for information and data Communicate
    Publish a description of processing activities in an official register. CC ID 00379 Privacy protection for information and data Establish/Maintain Documentation
    Establish and maintain a records request manual. CC ID 00381 Privacy protection for information and data Establish/Maintain Documentation
    Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382 Privacy protection for information and data Establish/Maintain Documentation
    Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383 Privacy protection for information and data Behavior
    Define what is included in registration notices. CC ID 00386 Privacy protection for information and data Establish/Maintain Documentation
    Include roles and responsibilities in the registration notice. CC ID 16803 Privacy protection for information and data Establish Roles
    Include the verification method in the registration notice. CC ID 16798 Privacy protection for information and data Establish/Maintain Documentation
    Include the statutory authority in the registration notice. CC ID 16799 Privacy protection for information and data Establish/Maintain Documentation
    Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387 Privacy protection for information and data Establish/Maintain Documentation
    Include a purpose specification description in the registration notice. CC ID 00388 Privacy protection for information and data Establish/Maintain Documentation
    Include information about the dispute resolution body in the registration notice. CC ID 16800 Privacy protection for information and data Establish/Maintain Documentation
    Include the data subject category being processed in the registration notice. CC ID 00389 Privacy protection for information and data Establish/Maintain Documentation
    Include the time period for data processing in the registration notice. CC ID 00390 Privacy protection for information and data Establish/Maintain Documentation
    Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392 Privacy protection for information and data Establish/Maintain Documentation
    Provide legal authorities access to personal data, upon request. CC ID 06818 Privacy protection for information and data Data and Information Management
    Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609 Privacy protection for information and data Process or Activity
    Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618 Privacy protection for information and data Establish/Maintain Documentation
    Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394 Privacy protection for information and data Establish/Maintain Documentation
    Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398 Privacy protection for information and data Establish/Maintain Documentation
    Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588 Privacy protection for information and data Process or Activity
    Document the countries where restricted data may be stored. CC ID 12750 Privacy protection for information and data Data and Information Management
    Protect the rights of students and their parents or legal representatives. CC ID 00222 Privacy protection for information and data Data and Information Management
    Refrain from allowing access rights to education records maintained by another educational institution. CC ID 13014 Privacy protection for information and data Technical Security
    Refrain from allowing students the right to inspect the financial records of their parent or legal representative. CC ID 13025 Privacy protection for information and data Records Management
    Refrain from allowing students the right to inspect confidential letters and confidential letters of recommendation. CC ID 13019 Privacy protection for information and data Records Management
    Disseminate and communicate the notification of rights to students and their parent or legal representative. CC ID 12996 Privacy protection for information and data Establish/Maintain Documentation
    Include the criteria for determining what constitutes a legitimate educational interest in the notification of rights. CC ID 13004 Privacy protection for information and data Establish/Maintain Documentation
    Include the criteria for determining what constitutes a school official in the notification of rights. CC ID 13003 Privacy protection for information and data Establish/Maintain Documentation
    Disclose educational data, as necessary. CC ID 00223 Privacy protection for information and data Data and Information Management
    Grant access to education records in support of educational program audits. CC ID 13032 Privacy protection for information and data Records Management
    Grant access to education records in support of external requirements. CC ID 13033 Privacy protection for information and data Records Management
    Disclose statements added to education records, as necessary. CC ID 12990 Privacy protection for information and data Communicate
    Obtain explicit consent from students or their parent or legal representative prior to using or disclosing educational data. CC ID 00220 Privacy protection for information and data Data and Information Management
    Disclose education records when written consent is received. CC ID 00224 Privacy protection for information and data Data and Information Management
    Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002 Privacy protection for information and data Establish/Maintain Documentation
    Specify the purpose of the disclosure in the written consent. CC ID 13001 Privacy protection for information and data Establish/Maintain Documentation
    Specify which education records may be disclosed in the written consent. CC ID 13000 Privacy protection for information and data Establish/Maintain Documentation
    Document the conditions when consent is not required to disclose educational data. CC ID 00225 Privacy protection for information and data Establish/Maintain Documentation
    Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005 Privacy protection for information and data Communicate
    Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023 Privacy protection for information and data Communicate
    Disclose educational data absent consent when it concerns sex offenders. CC ID 13013 Privacy protection for information and data Communicate
    Disclose educational data absent consent to other school officials. CC ID 00226 Privacy protection for information and data Data and Information Management
    Disclose educational data absent consent to another institution's school officials. CC ID 00227 Privacy protection for information and data Data and Information Management
    Disclose educational data absent consent in connection with financial aid. CC ID 00229 Privacy protection for information and data Data and Information Management
    Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230 Privacy protection for information and data Data and Information Management
    Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995 Privacy protection for information and data Communicate
    Disclose educational data absent consent to accrediting organizations. CC ID 00231 Privacy protection for information and data Data and Information Management
    Disclose educational data absent consent to a dependent student's parent or legal representative. CC ID 00232 Privacy protection for information and data Data and Information Management
    Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233 Privacy protection for information and data Data and Information Management
    Disclose educational data absent consent for a health and safety emergency. CC ID 00234 Privacy protection for information and data Data and Information Management
    Disclose educational data absent consent when it is merely directory information. CC ID 00235 Privacy protection for information and data Data and Information Management
    Disclose educational data absent consent to a crime victim. CC ID 00236 Privacy protection for information and data Data and Information Management
    Record the health and safety threats of students when disclosing personal data. CC ID 12997 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from providing information to the data subject, as necessary. CC ID 12625 Privacy protection for information and data Communicate
    Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651 Privacy protection for information and data Communicate
    Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645 Privacy protection for information and data Communicate
    Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634 Privacy protection for information and data Communicate
    Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633 Privacy protection for information and data Communicate
    Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632 Privacy protection for information and data Communicate
    Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631 Privacy protection for information and data Communicate
    Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 Privacy protection for information and data Communicate
    Refrain from providing information to the data subject when the data subject has the information. CC ID 12628 Privacy protection for information and data Communicate
    Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 Privacy protection for information and data Establish/Maintain Documentation
    Provide the data subject with the data retention period for personal data. CC ID 12587 Privacy protection for information and data Process or Activity
    Provide the data subject with the criteria used to determine the data retention period for personal data. CC ID 12589 Privacy protection for information and data Process or Activity
    Provide the data subject with the adequacy decision. CC ID 12586 Privacy protection for information and data Process or Activity
    Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. CC ID 12585 Privacy protection for information and data Process or Activity
    Provide the data subject with copies of the appropriate safeguards used to protect the privacy of personal data. CC ID 12608 Privacy protection for information and data Process or Activity
    Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 Privacy protection for information and data Data and Information Management
    Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 Privacy protection for information and data Business Processes
    Provide the data subject with the data protection officer's contact information. CC ID 12573 Privacy protection for information and data Business Processes
    Notify the data subject of the right to data portability. CC ID 12603 Privacy protection for information and data Process or Activity
    Provide the data subject with information about the right to erasure. CC ID 12602 Privacy protection for information and data Process or Activity
    Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 Privacy protection for information and data Establish/Maintain Documentation
    Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 Privacy protection for information and data Data and Information Management
    Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027 Privacy protection for information and data Establish/Maintain Documentation
    Establish and maintain a disclosure accounting record. CC ID 13022 Privacy protection for information and data Establish/Maintain Documentation
    Include the official authorities that are allowed to disclose restricted data absent consent in the disclosure accounting record. CC ID 13029 Privacy protection for information and data Establish/Maintain Documentation
    Include the legitimate interests for accessing restricted data in the disclosure accounting record. CC ID 13028 Privacy protection for information and data Establish/Maintain Documentation
    Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 Privacy protection for information and data Establish/Maintain Documentation
    Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769 Privacy protection for information and data Establish/Maintain Documentation
    Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 Privacy protection for information and data Establish/Maintain Documentation
    Include the disclosure date in the disclosure accounting record. CC ID 07133 Privacy protection for information and data Establish/Maintain Documentation
    Include the disclosure recipient in the disclosure accounting record. CC ID 07134 Privacy protection for information and data Establish/Maintain Documentation
    Include the disclosure purpose in the disclosure accounting record. CC ID 07135 Privacy protection for information and data Establish/Maintain Documentation
    Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136 Privacy protection for information and data Establish/Maintain Documentation
    Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137 Privacy protection for information and data Establish/Maintain Documentation
    Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138 Privacy protection for information and data Establish/Maintain Documentation
    Include the research activity or research protocol in the disclosure accounting record. CC ID 07139 Privacy protection for information and data Establish/Maintain Documentation
    Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140 Privacy protection for information and data Establish/Maintain Documentation
    Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141 Privacy protection for information and data Establish/Maintain Documentation
    Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433 Privacy protection for information and data Communicate
    Provide shareholders with electronic messages regarding the shareholder meetings. CC ID 04586 Privacy protection for information and data Establish/Maintain Documentation
    Provide shareholders access to electronic messages via electronic means. CC ID 11855 Privacy protection for information and data Process or Activity
    Make telephone directory information available to the public. CC ID 08698 Privacy protection for information and data Establish/Maintain Documentation
    Display warning screens and confirmation screens for all payment transactions. CC ID 06409 Privacy protection for information and data Technical Security
    Define the acceptable data modifications before presenting the data to a data subject. CC ID 00400 Privacy protection for information and data Establish/Maintain Documentation
    Provide the data subject with information about the legitimate interests associated with personal data processing. CC ID 12614 Privacy protection for information and data Process or Activity
    Establish, implement, and maintain a privacy policy. CC ID 06281 Privacy protection for information and data Establish/Maintain Documentation
    Include the data subject's rights in the privacy policy. CC ID 16355 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a privacy policy model document. CC ID 14720 Privacy protection for information and data Establish/Maintain Documentation
    Notify interested personnel and affected parties when changes are made to the privacy policy. CC ID 06943 Privacy protection for information and data Behavior
    Document the notification of interested personnel and affected parties regarding privacy policy changes. CC ID 06944 Privacy protection for information and data Establish/Maintain Documentation
    Write privacy notices in the official languages required by law. CC ID 16529 Privacy protection for information and data Establish/Maintain Documentation
    Define what is included in the privacy policy. CC ID 00404 Privacy protection for information and data Establish/Maintain Documentation
    Define the information being collected in the privacy policy. CC ID 13115 Privacy protection for information and data Establish/Maintain Documentation
    Define which collection of information is voluntary and which is required in the privacy policy. CC ID 13110 Privacy protection for information and data Establish/Maintain Documentation
    Include the means by which information is collected in the privacy policy. CC ID 13114 Privacy protection for information and data Establish/Maintain Documentation
    Include roles and responsibilities in the privacy policy. CC ID 14669 Privacy protection for information and data Establish/Maintain Documentation
    Include management commitment in the privacy policy. CC ID 14668 Privacy protection for information and data Establish/Maintain Documentation
    Include coordination amongst entities in the privacy policy. CC ID 14667 Privacy protection for information and data Establish/Maintain Documentation
    Include the policy for disclosing personal data of persons who have ceased to be customers in the privacy policy. CC ID 14854 Privacy protection for information and data Establish/Maintain Documentation
    Include compliance requirements in the privacy policy. CC ID 14666 Privacy protection for information and data Establish/Maintain Documentation
    Include the consequences of refusing to provide required information in the privacy policy. CC ID 13111 Privacy protection for information and data Establish/Maintain Documentation
    Include independent recourse mechanisms in the privacy policy, as necessary. CC ID 12366 Privacy protection for information and data Establish/Maintain Documentation
    Include the privacy programs the organization is a member of in the privacy policy. CC ID 12365 Privacy protection for information and data Establish/Maintain Documentation
    Include a complaint form in the privacy policy. CC ID 12364 Privacy protection for information and data Establish/Maintain Documentation
    Include the address where the files and hardware that support the data processing is located in the privacy policy. CC ID 00405 Privacy protection for information and data Establish/Maintain Documentation
    Include the processing purpose in the privacy policy. CC ID 00406 Privacy protection for information and data Establish/Maintain Documentation
    Include an overview of applicable information security controls in the privacy policy, as necessary. CC ID 13117 Privacy protection for information and data Establish/Maintain Documentation
    Include the data subject categories being processed in the privacy policy. CC ID 00407 Privacy protection for information and data Establish/Maintain Documentation
    Define the retention period for collected information in the privacy policy. CC ID 13116 Privacy protection for information and data Establish/Maintain Documentation
    Include the time period for when the data processing will be carried out in the privacy policy. CC ID 00408 Privacy protection for information and data Establish/Maintain Documentation
    Include other organizations that personal data is being disclosed to in the privacy policy. CC ID 00409 Privacy protection for information and data Establish/Maintain Documentation
    Include how to gain access to personal data held by the organization in the privacy policy. CC ID 00410 Privacy protection for information and data Establish/Maintain Documentation
    Include instructions on how to opt-out in the privacy policy. CC ID 00411 Privacy protection for information and data Establish/Maintain Documentation
    Include the privacy policy's Uniform Resource Locator in the privacy policy. CC ID 12363 Privacy protection for information and data Establish/Maintain Documentation
    Include instructions on how to disable devices that collect restricted data in the privacy policy. CC ID 15454 Privacy protection for information and data Establish/Maintain Documentation
    Include a description of devices that collect restricted data in the privacy policy. CC ID 15452 Privacy protection for information and data Establish/Maintain Documentation
    Define the audit method used to assess the privacy program in the privacy policy. CC ID 12390 Privacy protection for information and data Establish/Maintain Documentation
    Post the privacy policy in an easily seen location. CC ID 00401 Privacy protection for information and data Establish/Maintain Documentation
    Define who will receive the privacy policy. CC ID 00402 Privacy protection for information and data Establish/Maintain Documentation
    Disseminate and communicate the privacy policy to interested personnel and affected parties. CC ID 13346 Privacy protection for information and data Communicate
    Establish, implement, and maintain privacy procedures. CC ID 14665 Privacy protection for information and data Establish/Maintain Documentation
    Disseminate and communicate the privacy procedures to all interested personnel and affected parties. CC ID 14664 Privacy protection for information and data Communicate
    Establish, implement, and maintain a privacy plan. CC ID 14672 Privacy protection for information and data Establish/Maintain Documentation
    Align the enterprise architecture with the privacy plan. CC ID 14705 Privacy protection for information and data Process or Activity
    Approve the privacy plan. CC ID 14700 Privacy protection for information and data Business Processes
    Include privacy requirements in the privacy plan. CC ID 14699 Privacy protection for information and data Establish/Maintain Documentation
    Include the information types in the privacy plan. CC ID 14695 Privacy protection for information and data Establish/Maintain Documentation
    Include threats in the privacy plan. CC ID 14694 Privacy protection for information and data Establish/Maintain Documentation
    Include roles and responsibilities in the privacy plan. CC ID 14702 Privacy protection for information and data Establish/Maintain Documentation
    Include a description of the operational context in the privacy plan. CC ID 14692 Privacy protection for information and data Establish/Maintain Documentation
    Include risk assessment results in the privacy plan. CC ID 14701 Privacy protection for information and data Establish/Maintain Documentation
    Include the security categorizations and rationale in the privacy plan. CC ID 14690 Privacy protection for information and data Establish/Maintain Documentation
    Include security controls in the privacy plan. CC ID 14681 Privacy protection for information and data Establish/Maintain Documentation
    Disseminate and communicate the privacy plan to interested personnel and affected parties. CC ID 14680 Privacy protection for information and data Communicate
    Include a description of the operational environment in the privacy plan. CC ID 14679 Privacy protection for information and data Establish/Maintain Documentation
    Include network diagrams in the privacy plan. CC ID 14678 Privacy protection for information and data Establish/Maintain Documentation
    Include the results of the privacy risk assessment in the privacy plan. CC ID 14677 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a privacy report. CC ID 14754 Privacy protection for information and data Establish/Maintain Documentation
    Disseminate and communicate the privacy report to interested personnel and affected parties. CC ID 14761 Privacy protection for information and data Communicate
    Protect private communications in keeping with compliance requirements. CC ID 14334 Privacy protection for information and data Business Processes
    Establish, implement, and maintain personal data choice and consent program. CC ID 12569 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain data request procedures. CC ID 16546 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435 Privacy protection for information and data Human Resources Management
    Refrain from charging a fee to implement an opt-out request. CC ID 13877 Privacy protection for information and data Business Processes
    Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433 Privacy protection for information and data Establish/Maintain Documentation
    Include procedures for revoking authorization of consent to use personal data in the disclosure authorization form. CC ID 13438 Privacy protection for information and data Establish/Maintain Documentation
    Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999 Privacy protection for information and data Establish/Maintain Documentation
    Include the recipients of the disclosed personal data in the disclosure authorization form. CC ID 13440 Privacy protection for information and data Establish/Maintain Documentation
    Include the signature of the data subject and the signing date in the disclosure authorization form. CC ID 13439 Privacy protection for information and data Establish/Maintain Documentation
    Include the identity of the data subject in the disclosure authorization form. CC ID 13436 Privacy protection for information and data Establish/Maintain Documentation
    Include the types of personal data to be disclosed in the disclosure authorization form. CC ID 13442 Privacy protection for information and data Establish/Maintain Documentation
    Include how personal data will be used in the disclosure authorization form. CC ID 13441 Privacy protection for information and data Establish/Maintain Documentation
    Include agreement termination information in the disclosure authorization form. CC ID 13437 Privacy protection for information and data Establish/Maintain Documentation
    Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781 Privacy protection for information and data Business Processes
    Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 Privacy protection for information and data Business Processes
    Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 Privacy protection for information and data Data and Information Management
    Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 Privacy protection for information and data Business Processes
    Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 Privacy protection for information and data Business Processes
    Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 Privacy protection for information and data Data and Information Management
    Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 Privacy protection for information and data Business Processes
    Confirm the individual's identity before granting an opt-out request. CC ID 16813 Privacy protection for information and data Process or Activity
    Highlight the section regarding data subject's consent from other sections in contracts and agreements. CC ID 13988 Privacy protection for information and data Establish/Maintain Documentation
    Allow consent requests to be provided in any official languages. CC ID 16530 Privacy protection for information and data Business Processes
    Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537 Privacy protection for information and data Communicate
    Collect and retain disclosure authorizations for each data subject. CC ID 13434 Privacy protection for information and data Records Management
    Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605 Privacy protection for information and data Data and Information Management
    Refrain from obtaining consent through deception. CC ID 13556 Privacy protection for information and data Data and Information Management
    Give individuals the ability to change the uses of their personal data. CC ID 00469 Privacy protection for information and data Data and Information Management
    Notify data subjects of the implications of withdrawing consent. CC ID 13551 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain a personal data accountability program. CC ID 13432 Privacy protection for information and data Establish/Maintain Documentation
    Assign ownership of the privacy program to the appropriate organizational role. CC ID 11848 Privacy protection for information and data Human Resources Management
    Require data controllers to be accountable for their actions. CC ID 00470 Privacy protection for information and data Establish Roles
    Bind data controllers to secrecy concerning the performance of their duties. CC ID 12610 Privacy protection for information and data Human Resources Management
    Notify the supervisory authority. CC ID 00472 Privacy protection for information and data Behavior
    Establish, implement, and maintain approval applications. CC ID 16778 Privacy protection for information and data Establish/Maintain Documentation
    Define the requirements for approving or denying approval applications. CC ID 16780 Privacy protection for information and data Business Processes
    Submit approval applications to the supervisory authority. CC ID 16627 Privacy protection for information and data Communicate
    Include required information in the approval application. CC ID 16628 Privacy protection for information and data Establish/Maintain Documentation
    Extend the time limit for approving or denying approval applications. CC ID 16779 Privacy protection for information and data Business Processes
    Approve the approval application unless applicant has been convicted. CC ID 16603 Privacy protection for information and data Process or Activity
    Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 Privacy protection for information and data Process or Activity
    Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 Privacy protection for information and data Communicate
    Cooperate with Data Protection Authorities. CC ID 06870 Privacy protection for information and data Data and Information Management
    Submit a safe harbor self-certification letter. CC ID 06871 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from engaging other data processors absent written authorization from the data controller. CC ID 12647 Privacy protection for information and data Human Resources Management
    Establish, implement, and maintain Binding Corporate Rules for the international transfers of restricted data. CC ID 12584 Privacy protection for information and data Establish/Maintain Documentation
    Include cooperation mechanisms with the supervisory authority in the Binding Corporate Rules. CC ID 12682 Privacy protection for information and data Establish/Maintain Documentation
    Include the tasks assigned to the role of data controller in the Binding Corporate Rules. CC ID 12612 Privacy protection for information and data Establish/Maintain Documentation
    Include data subject's rights in the Binding Corporate Rules. CC ID 12596 Privacy protection for information and data Establish/Maintain Documentation
    Include the means to exercise the data subject's rights in the Binding Corporate Rules. CC ID 12597 Privacy protection for information and data Establish/Maintain Documentation
    Include the organizational structure and contact information in the Binding Corporate Rules. CC ID 12595 Privacy protection for information and data Establish/Maintain Documentation
    Include the acceptance of liability for breaches of the binding corporate rules in the Binding Corporate Rules. CC ID 12594 Privacy protection for information and data Establish/Maintain Documentation
    Include the mechanisms for reporting legal requirements causing adverse effects on protecting restricted data in the Binding Corporate Rules. CC ID 12620 Privacy protection for information and data Establish/Maintain Documentation
    Include provisions for providing information on the binding corporate rules to the data subject in the Binding Corporate Rules. CC ID 12593 Privacy protection for information and data Establish/Maintain Documentation
    Include reporting changes to the binding corporate rules in the Binding Corporate Rules. CC ID 12591 Privacy protection for information and data Establish/Maintain Documentation
    Include reporting changes of the binding corporate rules to the supervisory authority in the Binding Corporate Rules. CC ID 12592 Privacy protection for information and data Establish/Maintain Documentation
    Include complaint procedures in the Binding Corporate Rules. CC ID 12613 Privacy protection for information and data Establish/Maintain Documentation
    Include the data transfers in the Binding Corporate Rules. CC ID 12590 Privacy protection for information and data Establish/Maintain Documentation
    Include specifying the mechanisms for verifying compliance of the binding corporate rules in the Binding Corporate Rules. CC ID 12662 Privacy protection for information and data Establish/Maintain Documentation
    Include the identification of the countries in question for the data transfers in the Binding Corporate Rules. CC ID 12601 Privacy protection for information and data Establish/Maintain Documentation
    Include the type of data subjects affected by the data transfers in the Binding Corporate Rules. CC ID 12600 Privacy protection for information and data Establish/Maintain Documentation
    Include all pertinent data processing information for data transfers in the Binding Corporate Rules. CC ID 12599 Privacy protection for information and data Establish/Maintain Documentation
    Include the categories of personal data for data transfers in the Binding Corporate Rules. CC ID 12598 Privacy protection for information and data Establish/Maintain Documentation
    Include specifying the legally binding nature of the binding corporate rules in the Binding Corporate Rules. CC ID 12627 Privacy protection for information and data Establish/Maintain Documentation
    Include privacy awareness and training in the Binding Corporate Rules. CC ID 12626 Privacy protection for information and data Establish/Maintain Documentation
    Notify the data controller of any changes in data processors. CC ID 12648 Privacy protection for information and data Communicate
    Establish, implement, and maintain Data Processing Contracts. CC ID 12650 Privacy protection for information and data Establish/Maintain Documentation
    Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 Privacy protection for information and data Establish/Maintain Documentation
    Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 Privacy protection for information and data Establish/Maintain Documentation
    Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 Privacy protection for information and data Establish/Maintain Documentation
    Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 Privacy protection for information and data Establish/Maintain Documentation
    Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937 Privacy protection for information and data Establish/Maintain Documentation
    Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 Privacy protection for information and data Establish/Maintain Documentation
    Include the duration of processing in the Data Processing Contract. CC ID 14935 Privacy protection for information and data Establish/Maintain Documentation
    Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 Privacy protection for information and data Establish/Maintain Documentation
    Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 Privacy protection for information and data Establish/Maintain Documentation
    Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 Privacy protection for information and data Establish/Maintain Documentation
    Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 Privacy protection for information and data Establish/Maintain Documentation
    Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 Privacy protection for information and data Human Resources Management
    Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670 Privacy protection for information and data Establish/Maintain Documentation
    Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a personal data use limitation program. CC ID 13428 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 Privacy protection for information and data Establish/Maintain Documentation
    Display or print the least amount of personal data necessary. CC ID 04643 Privacy protection for information and data Data and Information Management
    Redact confidential information from public information, as necessary. CC ID 06872 Privacy protection for information and data Data and Information Management
    Notify the data subject of the collection purpose. CC ID 00095 Privacy protection for information and data Behavior
    Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 Privacy protection for information and data Data and Information Management
    Document the law that requires restricted data to be collected. CC ID 00103 Privacy protection for information and data Establish/Maintain Documentation
    Notify the data subject of the consequences for not providing personal data. CC ID 00104 Privacy protection for information and data Behavior
    Notify the data subject of changes to personal data use. CC ID 00105 Privacy protection for information and data Behavior
    Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 Privacy protection for information and data Establish/Maintain Documentation
    Obtain the data subject's consent when the personal data use changes. CC ID 11832 Privacy protection for information and data Behavior
    Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124 Privacy protection for information and data Establish/Maintain Documentation
    Dispose of media and restricted data in a timely manner. CC ID 00125 Privacy protection for information and data Data and Information Management
    Refrain from destroying records being inspected or reviewed. CC ID 13015 Privacy protection for information and data Records Management
    Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 Privacy protection for information and data Communicate
    Establish, implement, and maintain data access procedures. CC ID 00414 Privacy protection for information and data Establish/Maintain Documentation
    Allow data subjects to submit data requests. CC ID 16545 Privacy protection for information and data Process or Activity
    Provide individuals with information about where their personal data was processed. CC ID 00415 Privacy protection for information and data Data and Information Management
    Provide individuals with information about the processing purpose of their personal data. CC ID 00416 Privacy protection for information and data Data and Information Management
    Provide individuals with information about disclosure of their personal data. CC ID 00417 Privacy protection for information and data Data and Information Management
    Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 Privacy protection for information and data Data and Information Management
    Provide assistance to requesters in preparing data access requests. CC ID 13588 Privacy protection for information and data Data and Information Management
    Require data access requests to be in writing, unless the requester is unable. CC ID 00420 Privacy protection for information and data Establish/Maintain Documentation
    Define what is to be included in a data access request. CC ID 08699 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 Privacy protection for information and data Business Processes
    Respond to data access requests in a timely manner. CC ID 00421 Privacy protection for information and data Behavior
    Delay responding to data access requests, as necessary. CC ID 15504 Privacy protection for information and data Data and Information Management
    Expedite the processing of data access requests, as necessary. CC ID 15496 Privacy protection for information and data Data and Information Management
    Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 Privacy protection for information and data Business Processes
    Define what is included in a request for a waiver or reduction of fees. CC ID 15522 Privacy protection for information and data Process or Activity
    Deliver the records described in the personal data access request, as necessary. CC ID 08701 Privacy protection for information and data Establish/Maintain Documentation
    Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 Privacy protection for information and data Data and Information Management
    Document the outcome of the personal data access request review procedure. CC ID 00455 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 Privacy protection for information and data Establish/Maintain Documentation
    Submit personal data removal requests in writing. CC ID 11973 Privacy protection for information and data Records Management
    Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 Privacy protection for information and data Establish/Maintain Documentation
    Notify third parties of data access requests that relates to the third party. CC ID 08703 Privacy protection for information and data Establish/Maintain Documentation
    Allow affected third parties to consent or object to a data access request. CC ID 08704 Privacy protection for information and data Process or Activity
    Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 Privacy protection for information and data Establish/Maintain Documentation
    Identify any adverse effects the processing of personal data will have on the data subject. CC ID 15299 Privacy protection for information and data Data and Information Management
    Disclose de-identified data, as necessary. CC ID 13034 Privacy protection for information and data Communicate
    Notify the data subject after personal data is used or disclosed. CC ID 06247 Privacy protection for information and data Behavior
    Refrain from processing restricted data, as necessary. CC ID 12551 Privacy protection for information and data Records Management
    Refrain from processing restricted data if the restricted data is involved in a legal claim. CC ID 12668 Privacy protection for information and data Process or Activity
    Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 Privacy protection for information and data Process or Activity
    Refrain from erasing personal data when the data subject consents to retention. CC ID 14326 Privacy protection for information and data Business Processes
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656 Privacy protection for information and data Process or Activity
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655 Privacy protection for information and data Process or Activity
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654 Privacy protection for information and data Process or Activity
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684 Privacy protection for information and data Process or Activity
    Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779 Privacy protection for information and data Process or Activity
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653 Privacy protection for information and data Process or Activity
    Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652 Privacy protection for information and data Process or Activity
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649 Privacy protection for information and data Process or Activity
    Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644 Privacy protection for information and data Process or Activity
    Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 Privacy protection for information and data Data and Information Management
    Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 Privacy protection for information and data Data and Information Management
    Refrain from processing personal data when it reveals trade union membership. CC ID 12583 Privacy protection for information and data Business Processes
    Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 Privacy protection for information and data Business Processes
    Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 Privacy protection for information and data Business Processes
    Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 Privacy protection for information and data Business Processes
    Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 Privacy protection for information and data Business Processes
    Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 Privacy protection for information and data Business Processes
    Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 Privacy protection for information and data Business Processes
    Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 Privacy protection for information and data Business Processes
    Refrain from processing personal data when it reveals political opinions. CC ID 12575 Privacy protection for information and data Business Processes
    Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 Privacy protection for information and data Business Processes
    Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 Privacy protection for information and data Process or Activity
    Establish and maintain a record of processing activities when processing restricted data. CC ID 12636 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375 Privacy protection for information and data Establish/Maintain Documentation
    Include the data protection officer's contact information in the record of processing activities. CC ID 12640 Privacy protection for information and data Records Management
    Include the data processor's contact information in the record of processing activities. CC ID 12657 Privacy protection for information and data Records Management
    Include the data processor's representative's contact information in the record of processing activities. CC ID 12658 Privacy protection for information and data Records Management
    Include a general description of the implemented security measures in the record of processing activities. CC ID 12641 Privacy protection for information and data Records Management
    Include a description of the data subject categories in the record of processing activities. CC ID 12659 Privacy protection for information and data Records Management
    Include the purpose of processing restricted data in the record of processing activities. CC ID 12663 Privacy protection for information and data Records Management
    Include the personal data processing categories in the record of processing activities. CC ID 12661 Privacy protection for information and data Records Management
    Include the time limits for erasing each data category in the record of processing activities. CC ID 12690 Privacy protection for information and data Records Management
    Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664 Privacy protection for information and data Records Management
    Include a description of the personal data categories in the record of processing activities. CC ID 12660 Privacy protection for information and data Records Management
    Include the joint data controller's contact information in the record of processing activities. CC ID 12639 Privacy protection for information and data Records Management
    Include the data controller's representative's contact information in the record of processing activities. CC ID 12638 Privacy protection for information and data Records Management
    Include documentation of the transferee's safeguards for transferring restricted data in the record of processing activities. CC ID 12643 Privacy protection for information and data Records Management
    Include the identification of transferees for transferring restricted data in the record of processing activities. CC ID 12642 Privacy protection for information and data Records Management
    Include the data controller's contact information in the record of processing activities. CC ID 12637 Privacy protection for information and data Records Management
    Process restricted data lawfully and carefully. CC ID 00086 Privacy protection for information and data Establish Roles
    Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 Privacy protection for information and data Technical Security
    Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 Privacy protection for information and data Data and Information Management
    Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 Privacy protection for information and data Records Management
    Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 Privacy protection for information and data Establish/Maintain Documentation
    Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 Privacy protection for information and data Data and Information Management
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 Privacy protection for information and data Records Management
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 Privacy protection for information and data Process or Activity
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 Privacy protection for information and data Records Management
    Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 Privacy protection for information and data Data and Information Management
    Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 Privacy protection for information and data Establish/Maintain Documentation
    Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 Privacy protection for information and data Establish/Maintain Documentation
    Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 Privacy protection for information and data Data and Information Management
    Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 Privacy protection for information and data Establish/Maintain Documentation
    Define and implement valid authorization control requirements. CC ID 06258 Privacy protection for information and data Establish/Maintain Documentation
    Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 Privacy protection for information and data Data and Information Management
    Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 Privacy protection for information and data Data and Information Management
    Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 Privacy protection for information and data Data and Information Management
    Process personal data after the data subject has granted explicit consent. CC ID 00180 Privacy protection for information and data Data and Information Management
    Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 Privacy protection for information and data Data and Information Management
    Process personal data relating to criminal offenses when required by law. CC ID 00237 Privacy protection for information and data Data and Information Management
    Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 Privacy protection for information and data Data and Information Management
    Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 Privacy protection for information and data Data and Information Management
    Process personal data for statistical purposes or scientific purposes. CC ID 00256 Privacy protection for information and data Data and Information Management
    Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 Privacy protection for information and data Data and Information Management
    Process traffic data in a controlled manner. CC ID 00130 Privacy protection for information and data Data and Information Management
    Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 Privacy protection for information and data Data and Information Management
    Process personal data when it is publicly accessible. CC ID 00187 Privacy protection for information and data Data and Information Management
    Process personal data for direct marketing and other personalized mail programs. CC ID 00188 Privacy protection for information and data Data and Information Management
    Refrain from processing personal data for marketing or advertising to children. CC ID 14010 Privacy protection for information and data Business Processes
    Process personal data for the purposes of employment. CC ID 16527 Privacy protection for information and data Data and Information Management
    Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 Privacy protection for information and data Data and Information Management
    Process personal data for debt collection or benefit payments. CC ID 00190 Privacy protection for information and data Data and Information Management
    Process personal data in order to advance the public interest. CC ID 00191 Privacy protection for information and data Data and Information Management
    Process personal data for surveys, archives, or scientific research. CC ID 00192 Privacy protection for information and data Data and Information Management
    Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 Privacy protection for information and data Data and Information Management
    Process personal data for academic purposes or religious purposes. CC ID 00194 Privacy protection for information and data Data and Information Management
    Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 Privacy protection for information and data Data and Information Management
    Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 Privacy protection for information and data Data and Information Management
    Follow legal obligations while processing personal data. CC ID 04794 Privacy protection for information and data Data and Information Management
    Start personal data processing only after the needed notifications are submitted. CC ID 04791 Privacy protection for information and data Data and Information Management
    Process personal data absent consent for specific and well-documented circumstances. CC ID 13537 Privacy protection for information and data Data and Information Management
    Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012 Privacy protection for information and data Process or Activity
    Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617 Privacy protection for information and data Data and Information Management
    Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615 Privacy protection for information and data Data and Information Management
    Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612 Privacy protection for information and data Data and Information Management
    Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611 Privacy protection for information and data Data and Information Management
    Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580 Privacy protection for information and data Data and Information Management
    Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282 Privacy protection for information and data Data and Information Management
    Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587 Privacy protection for information and data Data and Information Management
    Process personal data absent consent in order to perform a contract. CC ID 13586 Privacy protection for information and data Data and Information Management
    Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581 Privacy protection for information and data Data and Information Management
    Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814 Privacy protection for information and data Data and Information Management
    Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294 Privacy protection for information and data Data and Information Management
    Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579 Privacy protection for information and data Data and Information Management
    Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 Privacy protection for information and data Data and Information Management
    Process personal data absent consent when it is needed by law. CC ID 13577 Privacy protection for information and data Data and Information Management
    Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296 Privacy protection for information and data Data and Information Management
    Process personal data absent consent when it is from publicly available information. CC ID 13576 Privacy protection for information and data Data and Information Management
    Process personal data absent consent to create a credit report. CC ID 15288 Privacy protection for information and data Data and Information Management
    Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575 Privacy protection for information and data Data and Information Management
    Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291 Privacy protection for information and data Data and Information Management
    Process personal data absent consent when produced for business purposes. CC ID 13563 Privacy protection for information and data Data and Information Management
    Process personal data absent consent for handling insurance claims. CC ID 13561 Privacy protection for information and data Data and Information Management
    Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533 Privacy protection for information and data Data and Information Management
    Process personal data absent consent if the information is contained in a witness statement. CC ID 13560 Privacy protection for information and data Data and Information Management
    Process personal data absent consent for life-threatening emergencies. CC ID 13558 Privacy protection for information and data Data and Information Management
    Process personal data absent consent for reasonable investigative purposes. CC ID 13557 Privacy protection for information and data Data and Information Management
    Notify the individual before restricted data is collected, used, or disclosed. CC ID 00132 Privacy protection for information and data Behavior
    Define security breach notification requirement exceptions. CC ID 04797 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from disclosing personal data absent consent of the individual or for defined exceptions. CC ID 11967 Privacy protection for information and data Records Management
    Disclose restricted data when the data subject has given unambiguous and implicit consent. CC ID 00157 Privacy protection for information and data Data and Information Management
    Define what restricted data is not required to be disclosed absent consent. CC ID 00134 Privacy protection for information and data Establish/Maintain Documentation
    Define the exceptions to disclosure absent consent. CC ID 00135 Privacy protection for information and data Establish/Maintain Documentation
    Define opt-out exceptions for disclosing restricted data. CC ID 00159 Privacy protection for information and data Establish/Maintain Documentation
    Define how a data subject may give consent. CC ID 00160 Privacy protection for information and data Establish/Maintain Documentation
    Disclose Personal Identification Numbers absent consent in order to update address information. CC ID 04793 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent for specific and well-documented circumstances. CC ID 15267 Privacy protection for information and data Communicate
    Disclose restricted data absent consent when the law does not require consent. CC ID 00136 Privacy protection for information and data Data and Information Management
    Disclose data absent consent if its disclosure is consistent with the intended purpose. CC ID 15270 Privacy protection for information and data Data and Information Management
    Disclose restricted data when a relevant connection exists between the data subject and the data controller's operations. CC ID 00137 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent if the disclosure with the consent or knowledge of the data subject would compromise the ability to prevent, detect, or suppress fraud. CC ID 13594 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15284 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13616 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13613 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13603 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent if disclosure is made a predetermined number of years after the death of the data subject. CC ID 13598 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent when disclosure is made a predetermined number of years after the information was created. CC ID 13597 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent if the data subject is notified of the disclosure. CC ID 13596 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent to detect, suppress, or prevent fraud. CC ID 13592 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent to create a credit report. CC ID 15297 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent if it is necessary to identify an individual who is injured, ill or deceased. CC ID 13595 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent if the disclosure is to a government institution. CC ID 13583 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent to determine whether to proceed with business transactions. CC ID 15285 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent for handling insurance claims. CC ID 13585 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent if the information is contained in a witness statement. CC ID 13584 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent if the data subject is believed to be a victim of financial abuse. CC ID 13555 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent for transactions related to the consumer. CC ID 14853 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent to a government institution that has requested the information. CC ID 13582 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 13554 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent when it is for the data controller's legitimate interest or third party's legitimate interest and it prevails over individual rights. CC ID 00138 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent if the organization notifies the privacy commissioner before disclosing the information. CC ID 13553 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent if it is impracticable to obtain consent. CC ID 13552 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent in order to perform a contract. CC ID 00139 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent in order to assist Telecommunications Ombudsmen in resolving complaints. CC ID 00140 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent to administer a trust fund or benefit plan. CC ID 15290 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent for research purposes and the data subject is not identified. CC ID 15286 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent when the personal data is disclosed by calling an emergency service number. CC ID 00141 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent when the restricted data prevents life-threatening emergencies to third parties. CC ID 00142 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent when the restricted data preserves human life at sea. CC ID 00143 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent in order to process the restricted data for public interests. CC ID 00144 Privacy protection for information and data Data and Information Management
    Disclose restricted data for public interests absent consent in order to provide social work assistance services. CC ID 00145 Privacy protection for information and data Data and Information Management
    Disclose restricted data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146 Privacy protection for information and data Data and Information Management
    Disclose restricted data for public interests absent consent in order to protect historical records or archival records. CC ID 00147 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent for public economic interests. CC ID 00148 Privacy protection for information and data Data and Information Management
    Disclose restricted data for public interests absent consent for National Security reasons. CC ID 00149 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00150 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent when it is publicly accessible. CC ID 00151 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent when it is related to publicly available information. CC ID 00152 Privacy protection for information and data Data and Information Management
    Disclose publicly accessible restricted data absent consent when the data subject has already published it. CC ID 00153 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent in order to protect the data subject's vital interests. CC ID 00154 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent when it is needed by law. CC ID 00163 Privacy protection for information and data Data and Information Management
    Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent when it is being disclosed to the data subject. CC ID 00164 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent for direct marketing or other personalized mail programs. CC ID 14855 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent when the data subject or data owner is anonymous. CC ID 00166 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent when the disclosure concerns the individual's products or services obtained from the organization. CC ID 13469 Privacy protection for information and data Communicate
    Establish, implement, and maintain restricted data retention procedures. CC ID 00167 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain personal data disposition procedures. CC ID 13498 Privacy protection for information and data Establish/Maintain Documentation
    Capture personal data removal requests. CC ID 13507 Privacy protection for information and data Communicate
    Remove personal data from records after receiving a personal data removal request. CC ID 11972 Privacy protection for information and data Records Management
    Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 Privacy protection for information and data Process or Activity
    Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 Privacy protection for information and data Process or Activity
    Dispose of personal data removal requests, as necessary. CC ID 13512 Privacy protection for information and data Business Processes
    Limit the redisclosure and reuse of restricted data. CC ID 00168 Privacy protection for information and data Data and Information Management
    Refrain from redisclosing or reusing restricted data. CC ID 00169 Privacy protection for information and data Data and Information Management
    Document the redisclosing restricted data exceptions. CC ID 00170 Privacy protection for information and data Establish/Maintain Documentation
    Redisclose restricted data when the data subject consents. CC ID 00171 Privacy protection for information and data Data and Information Management
    Redisclose restricted data when it is for criminal law enforcement. CC ID 00172 Privacy protection for information and data Data and Information Management
    Redisclose restricted data in order to protect public revenue. CC ID 00173 Privacy protection for information and data Data and Information Management
    Redisclose restricted data in order to assist a Telecommunications Ombudsman. CC ID 00174 Privacy protection for information and data Data and Information Management
    Redisclose restricted data in order to prevent a life-threatening emergency. CC ID 00175 Privacy protection for information and data Data and Information Management
    Redisclose restricted data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176 Privacy protection for information and data Data and Information Management
    Redisclose restricted data in order to preserve human life at sea. CC ID 00177 Privacy protection for information and data Data and Information Management
    Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 Privacy protection for information and data Data and Information Management
    Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 Privacy protection for information and data Data and Information Management
    Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 Privacy protection for information and data Data and Information Management
    Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 Privacy protection for information and data Data and Information Management
    Process Personal Identification Numbers with consent. CC ID 00239 Privacy protection for information and data Data and Information Management
    Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 Privacy protection for information and data Behavior
    Obtain consent prior to selling a Personal Identification Number. CC ID 00240 Privacy protection for information and data Data and Information Management
    Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 Privacy protection for information and data Data and Information Management
    Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 Privacy protection for information and data Data and Information Management
    Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 Privacy protection for information and data Data and Information Management
    Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 Privacy protection for information and data Establish/Maintain Documentation
    Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 Privacy protection for information and data Data and Information Management
    Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 Privacy protection for information and data Data and Information Management
    Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 Privacy protection for information and data Data and Information Management
    Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 Privacy protection for information and data Data and Information Management
    Allow data subjects the ability to restrict the use and disclosure of personal data. CC ID 06821 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain data disclosure procedures. CC ID 00133 Privacy protection for information and data Establish/Maintain Documentation
    Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 Privacy protection for information and data Data and Information Management
    Review personal data disclosure requests. CC ID 07129 Privacy protection for information and data Data and Information Management
    Notify the data subject of the disclosure purpose. CC ID 15268 Privacy protection for information and data Communicate
    Establish, implement, and maintain data request denial procedures. CC ID 00434 Privacy protection for information and data Establish/Maintain Documentation
    Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 Privacy protection for information and data Data and Information Management
    Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 Privacy protection for information and data Data and Information Management
    Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 Privacy protection for information and data Data and Information Management
    Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 Privacy protection for information and data Process or Activity
    Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 Privacy protection for information and data Data and Information Management
    Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 Privacy protection for information and data Data and Information Management
    Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 Privacy protection for information and data Data and Information Management
    Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 Privacy protection for information and data Data and Information Management
    Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 Privacy protection for information and data Data and Information Management
    Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 Privacy protection for information and data Data and Information Management
    Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 Privacy protection for information and data Data and Information Management
    Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 Privacy protection for information and data Communicate
    Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 Privacy protection for information and data Data and Information Management
    Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 Privacy protection for information and data Process or Activity
    Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 Privacy protection for information and data Data and Information Management
    Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 Privacy protection for information and data Data and Information Management
    Notify that data subject of any exclusions to requested personal data. CC ID 15271 Privacy protection for information and data Communicate
    Provide data or records in a reasonable time frame. CC ID 00429 Privacy protection for information and data Data and Information Management
    Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 Privacy protection for information and data Communicate
    Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 Privacy protection for information and data Data and Information Management
    Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 Privacy protection for information and data Data and Information Management
    Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 Privacy protection for information and data Data and Information Management
    Provide data at a cost that is not excessive. CC ID 00430 Privacy protection for information and data Data and Information Management
    Provide records or data in a reasonable manner. CC ID 00431 Privacy protection for information and data Data and Information Management
    Provide personal data in a form that is intelligible. CC ID 00432 Privacy protection for information and data Data and Information Management
    Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 Privacy protection for information and data Data and Information Management
    Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 Privacy protection for information and data Data and Information Management
    Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 Privacy protection for information and data Data and Information Management
    Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 Privacy protection for information and data Establish/Maintain Documentation
    Include cookie management in the privacy framework. CC ID 13809 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain cookie management procedures. CC ID 13810 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a personal data collection program. CC ID 06487 Privacy protection for information and data Establish/Maintain Documentation
    Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279 Privacy protection for information and data Data and Information Management
    Refrain from collecting personal data, as necessary. CC ID 15269 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a personal data use policy. CC ID 00076 Privacy protection for information and data Establish/Maintain Documentation
    Use personal data for specified purposes. CC ID 11831 Privacy protection for information and data Data and Information Management
    Post the collection purpose. CC ID 00101 Privacy protection for information and data Establish/Maintain Documentation
    Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 Privacy protection for information and data Data and Information Management
    Document each individual's personal data collection consent preferences. CC ID 06945 Privacy protection for information and data Establish/Maintain Documentation
    Provide explicit consent that is clear and unambiguous. CC ID 00181 Privacy protection for information and data Data and Information Management
    Allow individuals to change their personal data collection consent preferences. CC ID 06946 Privacy protection for information and data Data and Information Management
    Adhere to each individual's personal data collection consent preferences. CC ID 06947 Privacy protection for information and data Data and Information Management
    Notify the data subject of the source of collected personal data. CC ID 00083 Privacy protection for information and data Behavior
    Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717 Privacy protection for information and data Data and Information Management
    Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718 Privacy protection for information and data Data and Information Management
    Establish and maintain a personal data definition. CC ID 00028 Privacy protection for information and data Establish/Maintain Documentation
    Include an individual's name in the personal data definition. CC ID 04710 Privacy protection for information and data Data and Information Management
    Include an individual's name combined with other personal data in the personal data definition. CC ID 04709 Privacy protection for information and data Data and Information Management
    Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686 Privacy protection for information and data Data and Information Management
    Include an individual's signature in the personal data definition. CC ID 04711 Privacy protection for information and data Data and Information Management
    Include an individual's date of birth in the personal data definition. CC ID 04770 Privacy protection for information and data Data and Information Management
    Include the number of children in the personal data definition. CC ID 13759 Privacy protection for information and data Establish/Maintain Documentation
    Include the individual's religion in the personal data definition. CC ID 13765 Privacy protection for information and data Establish/Maintain Documentation
    Include an individual's physical characteristics or description in the personal data definition. CC ID 04712 Privacy protection for information and data Data and Information Management
    Include an individual's biometric data in the personal data definition. CC ID 04698 Privacy protection for information and data Data and Information Management
    Include an individual's photographic image in the personal data definition. CC ID 04779 Privacy protection for information and data Data and Information Management
    Include an individual's fingerprints in the personal data definition. CC ID 04689 Privacy protection for information and data Data and Information Management
    Include an individual's address in the personal data definition. CC ID 04687 Privacy protection for information and data Data and Information Management
    Include an individual's telephone number in the personal data definition. CC ID 04688 Privacy protection for information and data Data and Information Management
    Include an individual's fax number in the personal data definition. CC ID 07120 Privacy protection for information and data Data and Information Management
    Include an individual's political party affiliation in the personal data definition. CC ID 13764 Privacy protection for information and data Establish/Maintain Documentation
    Include an individual's license plate number in the personal data definition. CC ID 13763 Privacy protection for information and data Establish/Maintain Documentation
    Include an individual's financial account number in the personal data definition. CC ID 04692 Privacy protection for information and data Data and Information Management
    Include an individual's account balances in the personal data definition. CC ID 13770 Privacy protection for information and data Establish/Maintain Documentation
    Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768 Privacy protection for information and data Data and Information Management
    Include an individual's electronic identification name or number in the personal data definition. CC ID 04694 Privacy protection for information and data Data and Information Management
    Include an individual's logon credentials in the personal data definition. CC ID 13771 Privacy protection for information and data Establish/Maintain Documentation
    Include an individual's Alien Registration Number in the personal data definition. CC ID 04743 Privacy protection for information and data Data and Information Management
    Include an individual's passport number in the personal data definition. CC ID 04713 Privacy protection for information and data Data and Information Management
    Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691 Privacy protection for information and data Data and Information Management
    Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690 Privacy protection for information and data Data and Information Management
    Include an individual's military identification number in the personal data definition. CC ID 13083 Privacy protection for information and data Establish/Maintain Documentation
    Include an individual's e-mail address in the personal data definition. CC ID 04696 Privacy protection for information and data Data and Information Management
    Include electronic signatures in the personal data definition. CC ID 04697 Privacy protection for information and data Data and Information Management
    Include an individual's payment card information in the personal data definition. CC ID 04751 Privacy protection for information and data Data and Information Management
    Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693 Privacy protection for information and data Data and Information Management
    Include an individual's payment card service code in the personal data definition. CC ID 04753 Privacy protection for information and data Data and Information Management
    Include an individual's payment card expiration date in the personal data definition. CC ID 04755 Privacy protection for information and data Data and Information Management
    Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825 Privacy protection for information and data Data and Information Management
    Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700 Privacy protection for information and data Data and Information Management
    Include an individual's medical history in the personal data definition. CC ID 04701 Privacy protection for information and data Data and Information Management
    Include an individual's medical treatment in the personal data definition. CC ID 04702 Privacy protection for information and data Data and Information Management
    Include an individual's medical diagnosis in the personal data definition. CC ID 04703 Privacy protection for information and data Data and Information Management
    Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704 Privacy protection for information and data Data and Information Management
    Include an individual's medical record numbers in the personal data definition. CC ID 07121 Privacy protection for information and data Data and Information Management
    Include an individual's health insurance information in the personal data definition. CC ID 04705 Privacy protection for information and data Data and Information Management
    Include an individual's health insurance policy number in the personal data definition. CC ID 04706 Privacy protection for information and data Data and Information Management
    Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707 Privacy protection for information and data Data and Information Management
    Include an individual's education information in the personal data definition. CC ID 04714 Privacy protection for information and data Data and Information Management
    Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122 Privacy protection for information and data Data and Information Management
    Include an individual's employment information in the personal data definition. CC ID 04715 Privacy protection for information and data Data and Information Management
    Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767 Privacy protection for information and data Data and Information Management
    Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763 Privacy protection for information and data Data and Information Management
    Include an individual's employment history in the personal data definition. CC ID 04716 Privacy protection for information and data Data and Information Management
    Include an individual's place of employment in the personal data definition. CC ID 04765 Privacy protection for information and data Data and Information Management
    Include an individual's Employee Identification Number in the personal data definition. CC ID 04766 Privacy protection for information and data Data and Information Management
    Include an individual's property information in the personal data definition. CC ID 04780 Privacy protection for information and data Data and Information Management
    Include an individual's property title in the personal data definition. CC ID 04781 Privacy protection for information and data Data and Information Management
    Include an individual's vehicle registration in the personal data definition. CC ID 04782 Privacy protection for information and data Data and Information Management
    Include hardware asset identification information in the personal data definition. CC ID 07123 Privacy protection for information and data Data and Information Management
    Include MAC addresses in the personal data definition. CC ID 04778 Privacy protection for information and data Data and Information Management
    Include Internet Protocol addresses in the personal data definition. CC ID 04777 Privacy protection for information and data Data and Information Management
    Include asset serial numbers in the personal data definition. CC ID 07124 Privacy protection for information and data Data and Information Management
    Include Uniform Resource Locators in the personal data definition. CC ID 07125 Privacy protection for information and data Data and Information Management
    Refrain from including publicly available information in the personal data definition. CC ID 13084 Privacy protection for information and data Establish/Maintain Documentation
    Define specially restricted data. CC ID 00037 Privacy protection for information and data Data and Information Management
    Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 Privacy protection for information and data Data and Information Management
    Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075 Privacy protection for information and data Data and Information Management
    Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080 Privacy protection for information and data Data and Information Management
    Implement a nondiscrimination principle. CC ID 00081 Privacy protection for information and data Data and Information Management
    Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799 Privacy protection for information and data Data and Information Management
    Preserve each individual's right to human dignity. CC ID 00082 Privacy protection for information and data Data and Information Management
    Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058 Privacy protection for information and data Data and Information Management
    Employ a random number generator to create authenticators. CC ID 13782 Privacy protection for information and data Technical Security
    Collect Personal Identification Numbers with the individual's consent. CC ID 00059 Privacy protection for information and data Data and Information Management
    Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061 Privacy protection for information and data Data and Information Management
    Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065 Privacy protection for information and data Data and Information Management
    Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792 Privacy protection for information and data Data and Information Management
    Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069 Privacy protection for information and data Behavior
    Manage health data collection. CC ID 00050 Privacy protection for information and data Data and Information Management
    Collect Individually Identifiable Health Information to provide health care services. CC ID 00052 Privacy protection for information and data Data and Information Management
    Collect Individually Identifiable Health Information when the law dictates. CC ID 00053 Privacy protection for information and data Data and Information Management
    Collect Individually Identifiable Health Information for research. CC ID 00054 Privacy protection for information and data Data and Information Management
    Remove personal data before disclosing health data. CC ID 00055 Privacy protection for information and data Data and Information Management
    Give special attention to collecting children's data. CC ID 00038 Privacy protection for information and data Data and Information Management
    Use simple understandable language to collect information from children. CC ID 00039 Privacy protection for information and data Behavior
    Notify parents or legal representatives of what information is collected from children. CC ID 00040 Privacy protection for information and data Establish/Maintain Documentation
    Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041 Privacy protection for information and data Data and Information Management
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 Privacy protection for information and data Data and Information Management
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044 Privacy protection for information and data Data and Information Management
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 Privacy protection for information and data Data and Information Management
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046 Privacy protection for information and data Data and Information Management
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047 Privacy protection for information and data Data and Information Management
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048 Privacy protection for information and data Data and Information Management
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 Privacy protection for information and data Data and Information Management
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain a personal data collection policy. CC ID 00029 Privacy protection for information and data Establish/Maintain Documentation
    Collect personal data directly from the data subject. CC ID 00011 Privacy protection for information and data Data and Information Management
    Create and manage user account aliases to maintain pseudonymity. CC ID 04549 Privacy protection for information and data Data and Information Management
    Provide unlinkability for users and resources. CC ID 04550 Privacy protection for information and data Data and Information Management
    Provide unobservability of users and resources. CC ID 04551 Privacy protection for information and data Technical Security
    Collect restricted data in a fair and lawful manner. CC ID 00010 Privacy protection for information and data Data and Information Management
    Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013 Privacy protection for information and data Data and Information Management
    Collect restricted data absent consent when the data collection is in the individual's interests and consent can not be obtained in a timely manner. CC ID 00014 Privacy protection for information and data Data and Information Management
    Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent in order to make a disclosure. CC ID 13550 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent for handling insurance claims. CC ID 13543 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277 Privacy protection for information and data Data and Information Management
    Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292 Privacy protection for information and data Data and Information Management
    Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 Privacy protection for information and data Data and Information Management
    Collect restricted data absent consent from publicly available information. CC ID 00019 Privacy protection for information and data Data and Information Management
    Collect restricted data absent consent when needed by law. CC ID 00020 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent to create a credit report. CC ID 15287 Privacy protection for information and data Data and Information Management
    Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022 Privacy protection for information and data Data and Information Management
    Collect the minimum amount of restricted data necessary. CC ID 00078 Privacy protection for information and data Data and Information Management
    Collect restricted data in a proper information framework. CC ID 00009 Privacy protection for information and data Data and Information Management
    Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 Privacy protection for information and data Data and Information Management
    Collect restricted data when required by law. CC ID 00031 Privacy protection for information and data Data and Information Management
    Collect restricted data to prevent life-threatening emergencies. CC ID 00032 Privacy protection for information and data Data and Information Management
    Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034 Privacy protection for information and data Data and Information Management
    Collect restricted data for legal purposes. CC ID 00036 Privacy protection for information and data Data and Information Management
    Provide the data subject with information about the data controller during the collection process. CC ID 00023 Privacy protection for information and data Establish/Maintain Documentation
    Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760 Privacy protection for information and data Communicate
    Provide the data subject with the data collector's name and contact information. CC ID 00024 Privacy protection for information and data Establish/Maintain Documentation
    Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025 Privacy protection for information and data Establish/Maintain Documentation
    Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a data handling program. CC ID 13427 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain data handling policies. CC ID 00353 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 Privacy protection for information and data Establish/Maintain Documentation
    Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 Privacy protection for information and data Data and Information Management
    Protect electronic messaging information. CC ID 12022
    [Information involved in electronic messaging should be appropriately protected. § 13.2.3 Control]
    Privacy protection for information and data Technical Security
    Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 Privacy protection for information and data Data and Information Management
    Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 Privacy protection for information and data Configuration
    Store payment card data in secure chips, if possible. CC ID 13065 Privacy protection for information and data Configuration
    Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 Privacy protection for information and data Configuration
    Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 Privacy protection for information and data Technical Security
    Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 Privacy protection for information and data Data and Information Management
    Log the disclosure of personal data. CC ID 06628 Privacy protection for information and data Log Management
    Log the modification of personal data. CC ID 11844 Privacy protection for information and data Log Management
    Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 Privacy protection for information and data Technical Security
    Implement security measures to protect personal data. CC ID 13606 Privacy protection for information and data Technical Security
    Implement physical controls to protect personal data. CC ID 00355 Privacy protection for information and data Testing
    Limit data leakage. CC ID 00356 Privacy protection for information and data Data and Information Management
    Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 Privacy protection for information and data Monitor and Evaluate Occurrences
    Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 Privacy protection for information and data Business Processes
    Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 Privacy protection for information and data Acquisition/Sale of Assets or Services
    Alert appropriate personnel when data leakage is detected. CC ID 14715 Privacy protection for information and data Process or Activity
    Include text about data ownership in the data handling policy. CC ID 15720 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain a telephone systems usage policy. CC ID 15170 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain call metadata controls. CC ID 04790 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 Privacy protection for information and data Data and Information Management
    Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 Privacy protection for information and data Data and Information Management
    Store de-identifying code and re-identifying code separately. CC ID 16535 Privacy protection for information and data Data and Information Management
    Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 Privacy protection for information and data Data and Information Management
    Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465 Privacy protection for information and data Communicate
    Establish, implement, and maintain data handling procedures. CC ID 11756 Privacy protection for information and data Establish/Maintain Documentation
    Define personal data that falls under breach notification rules. CC ID 00800 Privacy protection for information and data Establish/Maintain Documentation
    Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 Privacy protection for information and data Data and Information Management
    Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 Privacy protection for information and data Data and Information Management
    Define an out of scope privacy breach. CC ID 04677 Privacy protection for information and data Establish/Maintain Documentation
    Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 Privacy protection for information and data Business Processes
    Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 Privacy protection for information and data Monitor and Evaluate Occurrences
    Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 Privacy protection for information and data Monitor and Evaluate Occurrences
    Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 Privacy protection for information and data Monitor and Evaluate Occurrences
    Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 Privacy protection for information and data Communicate
    Establish, implement, and maintain a personal data transfer program. CC ID 00307 Privacy protection for information and data Establish/Maintain Documentation
    Obtain consent from an individual prior to transferring personal data. CC ID 06948 Privacy protection for information and data Data and Information Management
    Include procedures for transferring personal data from one data controller to another data controller in the personal data transfer program. CC ID 00351 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from requiring independent recourse mechanisms when transferring personal data from one data controller to another data controller. CC ID 12528 Privacy protection for information and data Business Processes
    Notify data subjects when their personal data is transferred. CC ID 00352 Privacy protection for information and data Behavior
    Include procedures for transferring personal data to third parties in the personal data transfer program. CC ID 00333 Privacy protection for information and data Establish/Maintain Documentation
    Notify data subjects of the geographic locations of the third parties when transferring personal data to third parties. CC ID 14414 Privacy protection for information and data Communicate
    Provide an adequate data protection level by the transferee prior to transferring personal data to another country. CC ID 00314 Privacy protection for information and data Data and Information Management
    Refrain from restricting personal data transfers to member states of the European Union. CC ID 00312 Privacy protection for information and data Data and Information Management
    Prohibit the transfer of personal data when security is inadequate. CC ID 00345 Privacy protection for information and data Data and Information Management
    Meet the use of limitation exceptions in order to transfer personal data. CC ID 00346 Privacy protection for information and data Data and Information Management
    Refrain from transferring past the first transfer. CC ID 00347 Privacy protection for information and data Data and Information Management
    Document transfer disagreements by the data subject in writing. CC ID 00348 Privacy protection for information and data Establish/Maintain Documentation
    Allow the data subject the right to object to the personal data transfer. CC ID 00349 Privacy protection for information and data Data and Information Management
    Authorize the transfer of restricted data in accordance with organizational standards. CC ID 16428 Privacy protection for information and data Records Management
    Follow the instructions of the data transferrer. CC ID 00334 Privacy protection for information and data Behavior
    Define the personal data transfer exceptions for transferring personal data to another country when adequate protection level standards are not met. CC ID 00315 Privacy protection for information and data Establish/Maintain Documentation
    Include publicly available information as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00316 Privacy protection for information and data Data and Information Management
    Include transfer agreements between data controllers and third parties when it is for the data subject's interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00317 Privacy protection for information and data Data and Information Management
    Include personal data for the health field and for treatment as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00318 Privacy protection for information and data Data and Information Management
    Include personal data for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00319 Privacy protection for information and data Data and Information Management
    Include personal data for important public interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00320 Privacy protection for information and data Data and Information Management
    Include consent by the data subject as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00321 Privacy protection for information and data Data and Information Management
    Include personal data used for a contract as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00322 Privacy protection for information and data Data and Information Management
    Include personal data for protecting the data subject or the data subject's interests, such as saving his/her life or providing healthcare as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00323 Privacy protection for information and data Data and Information Management
    Include personal data that is necessary to fulfill international law obligations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00324 Privacy protection for information and data Data and Information Management
    Include personal data used for legal investigations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00325 Privacy protection for information and data Data and Information Management
    Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00326 Privacy protection for information and data Data and Information Management
    Require transferees to implement adequate data protection levels for the personal data. CC ID 00335 Privacy protection for information and data Data and Information Management
    Refrain from requiring a contract between the data controller and trusted third parties when personal information is transferred. CC ID 12527 Privacy protection for information and data Business Processes
    Define the personal data transfer exceptions for transferring personal data to another organization when adequate protection level standards are not met. CC ID 00336 Privacy protection for information and data Establish/Maintain Documentation
    Include personal data that is publicly available information as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00337 Privacy protection for information and data Data and Information Management
    Include personal data that is used for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00338 Privacy protection for information and data Data and Information Management
    Include personal data that is used for important public interest as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00339 Privacy protection for information and data Data and Information Management
    Include consent by the data subject as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00340 Privacy protection for information and data Data and Information Management
    Include personal data that is used for a contract as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00341 Privacy protection for information and data Data and Information Management
    Include personal data that is used for protecting the data subject or the data subject's interests, such as providing healthcare or saving his/her life as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00342 Privacy protection for information and data Data and Information Management
    Include personal data that is used for a legal investigation as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00343 Privacy protection for information and data Data and Information Management
    Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00344 Privacy protection for information and data Data and Information Management
    Notify data subjects about organizational liability when transferring personal data to third parties. CC ID 12353 Privacy protection for information and data Communicate
    Notify the data subject of any personal data changes during the personal data transfer. CC ID 00350 Privacy protection for information and data Behavior
    Establish, implement, and maintain Internet interactivity data transfer procedures. CC ID 06949 Privacy protection for information and data Establish/Maintain Documentation
    Obtain consent prior to storing cookies on an individual's browser. CC ID 06950 Privacy protection for information and data Data and Information Management
    Obtain consent prior to downloading software to an individual's computer. CC ID 06951 Privacy protection for information and data Data and Information Management
    Refrain from installing software on an individual's computer unless acting in accordance with a court order. CC ID 14000 Privacy protection for information and data Process or Activity
    Remove or uninstall software from an individual's computer, as necessary. CC ID 13998 Privacy protection for information and data Process or Activity
    Remove or uninstall software from an individual's computer when consent is revoked. CC ID 13997 Privacy protection for information and data Process or Activity
    Obtain consent prior to tracking Internet traffic patterns or browsing history of an individual. CC ID 06961 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain a privacy impact assessment. CC ID 13712 Privacy protection for information and data Establish/Maintain Documentation
    Include the individuals with whom information is shared in the privacy impact assessment. CC ID 15520 Privacy protection for information and data Establish/Maintain Documentation
    Include how to grant consent in the privacy impact assessment. CC ID 15519 Privacy protection for information and data Establish/Maintain Documentation
    Include the opportunities for individuals to consent to using their information in the privacy impact assessment. CC ID 15518 Privacy protection for information and data Establish/Maintain Documentation
    Include the opportunities for opting out of information collection in the privacy impact assessment. CC ID 15517 Privacy protection for information and data Establish/Maintain Documentation
    Include data handling procedures in the privacy impact assessment. CC ID 15516 Privacy protection for information and data Establish/Maintain Documentation
    Include the intended use of information in the privacy impact assessment. CC ID 15515 Privacy protection for information and data Establish/Maintain Documentation
    Include the reason information is being collected in the privacy impact assessment. CC ID 15514 Privacy protection for information and data Establish/Maintain Documentation
    Include the type of information to be collected in the privacy impact assessment. CC ID 15513 Privacy protection for information and data Business Processes
    Disseminate and communicate the results of the Privacy Impact Assessment to interested personnel and affected parties. CC ID 15458 Privacy protection for information and data Communicate
    Develop remedies and sanctions for privacy policy violations. CC ID 00474 Privacy protection for information and data Data and Information Management
    Define the behaviors and actions that are included in privacy rights violations. CC ID 14852 Privacy protection for information and data Behavior
    Include the individual's name who is the subject of the complaint in the privacy rights violation complaint. CC ID 14359 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from charging a fee to file a privacy rights violation complaint. CC ID 16807 Privacy protection for information and data Business Processes
    Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526 Privacy protection for information and data Establish/Maintain Documentation
    Include potential remedies in the privacy dispute resolution program. CC ID 12531 Privacy protection for information and data Establish/Maintain Documentation
    Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395 Privacy protection for information and data Establish/Maintain Documentation
    Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529 Privacy protection for information and data Establish/Maintain Documentation
    Document unresolved challenges. CC ID 13568 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain an accuracy resolution policy. CC ID 00460 Privacy protection for information and data Establish/Maintain Documentation
    Notify individuals of their right to challenge personal data. CC ID 00457 Privacy protection for information and data Data and Information Management
    Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458 Privacy protection for information and data Data and Information Management
    Terminate an individual's restriction agreement under specific circumstances. CC ID 06260 Privacy protection for information and data Configuration
    Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798 Privacy protection for information and data Human Resources Management
    Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459 Privacy protection for information and data Data and Information Management
    Investigate the disputed accuracy of personal data. CC ID 00461 Privacy protection for information and data Data and Information Management
    Notify third parties of unresolved challenges. CC ID 13559 Privacy protection for information and data Communicate
    Document disagreements as to whether personal data is complete and accurate. CC ID 06952 Privacy protection for information and data Establish/Maintain Documentation
    Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954 Privacy protection for information and data Establish/Maintain Documentation
    Include the allegations against the organization in the notice of investigation. CC ID 13031 Privacy protection for information and data Establish/Maintain Documentation
    Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481 Privacy protection for information and data Behavior
    Determine not to investigate privacy rights violation complaints under certain conditions. CC ID 00482 Privacy protection for information and data Behavior
    Refrain from investigating a privacy rights violation complaint when the act or practice does not interfere with an individual's privacy. CC ID 00483 Privacy protection for information and data Behavior
    Refrain from investigating a privacy rights violation complaint when the complaint is created outside the stipulated time frame after the complainant became aware of it. CC ID 00484 Privacy protection for information and data Behavior
    Refrain from investigating a privacy rights violation complaint when the complaint is frivolous, vexatious, misconceived, or lacking in substance. CC ID 00485 Privacy protection for information and data Behavior
    Refrain from investigating a privacy rights violation complaint if the act or practice is subject to an application under another commonwealth law, state law, or territory law, and the complaint was or is being dealt with adequately under the law. CC ID 00486 Privacy protection for information and data Behavior
    Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487 Privacy protection for information and data Behavior
    Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488 Privacy protection for information and data Behavior
    Defer privacy rights violation complaint investigations when the Privacy Commissioner believes the data subject's interests would not be affected if the investigation or further investigation were deferred until the application was disposed of. CC ID 00489 Privacy protection for information and data Behavior
    Define the organization's liability based on the applicable law. CC ID 00504 Privacy protection for information and data Establish/Maintain Documentation
    Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 Privacy protection for information and data Establish/Maintain Documentation
    Define the appeal process based on the applicable law. CC ID 00506 Privacy protection for information and data Establish/Maintain Documentation
    Define the fee structure for the appeal process. CC ID 16532 Privacy protection for information and data Process or Activity
    Define the time requirements for the appeal process. CC ID 16531 Privacy protection for information and data Process or Activity
    Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 Privacy protection for information and data Communicate
    Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 Privacy protection for information and data Communicate
    Provide notice of proposed penalties. CC ID 06216 Privacy protection for information and data Establish/Maintain Documentation
    Notify the public and other agencies after a penalty becomes final. CC ID 06217 Privacy protection for information and data Behavior
    Establish, implement, and maintain a supply chain management program. CC ID 11742 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a description of the product or service to be provided in third party contracts. CC ID 06509 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a description of the products or services fees in third party contracts. CC ID 10018 Third Party and supply chain oversight Establish/Maintain Documentation
    Include which parties are responsible for which fees in third party contracts. CC ID 10019 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543
    [{information flow agreement} {establish} Agreements should address the secure transfer of business information between the organization and external parties. § 13.2.2 Control]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include the type of information being transmitted in the information flow agreement. CC ID 14245 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the security requirements in the information flow agreement. CC ID 14244 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the interface characteristics in the information flow agreement. CC ID 14240 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528 Third Party and supply chain oversight Establish/Maintain Documentation
    Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a description of the data or information to be covered in third party contracts. CC ID 06510 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610
    [All relevant information security requirements should be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization’s information. § 15.1.2 Control]
    Third Party and supply chain oversight Business Processes
    Include text about data ownership in third party contracts. CC ID 06502 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the contract duration in third party contracts. CC ID 16221 Third Party and supply chain oversight Establish/Maintain Documentation
    Include roles and responsibilities in third party contracts. CC ID 13487 Third Party and supply chain oversight Establish/Maintain Documentation
    Include cryptographic keys in third party contracts. CC ID 16179 Third Party and supply chain oversight Establish/Maintain Documentation
    Include bankruptcy provisions in third party contracts. CC ID 16519 Third Party and supply chain oversight Establish/Maintain Documentation
    Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506
    [Information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets should be agreed with the supplier and documented. § 15.1.1 Control]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 Third Party and supply chain oversight Establish/Maintain Documentation
    Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a reporting structure in third party contracts. CC ID 06532 Third Party and supply chain oversight Establish/Maintain Documentation
    Include points of contact in third party contracts. CC ID 12355 Third Party and supply chain oversight Establish/Maintain Documentation
    Include financial reporting in third party contracts, as necessary. CC ID 13573 Third Party and supply chain oversight Establish/Maintain Documentation
    Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 Third Party and supply chain oversight Establish/Maintain Documentation
    Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 Third Party and supply chain oversight Establish/Maintain Documentation
    Include training requirements in third party contracts. CC ID 16367 Third Party and supply chain oversight Acquisition/Sale of Assets or Services
    Include an indemnification and liability clause in third party contracts. CC ID 06517 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text regarding foreign-based third parties in third party contracts. CC ID 06722 Third Party and supply chain oversight Establish/Maintain Documentation
    Include change control clauses in third party contracts, as necessary. CC ID 06523
    [Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, should be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks. § 15.2.2 Control]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 Third Party and supply chain oversight Establish/Maintain Documentation
    Include triggers for renegotiating the contract in third party contracts. CC ID 06527 Third Party and supply chain oversight Establish/Maintain Documentation
    Include change control notification processes in third party contracts. CC ID 06524 Third Party and supply chain oversight Establish/Maintain Documentation
    Include cost structure changes in third party contracts. CC ID 10021 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a choice of venue clause in third party contracts. CC ID 06520 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a dispute resolution clause in third party contracts. CC ID 06519 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 Third Party and supply chain oversight Establish/Maintain Documentation
    Include early termination contingency plans in the third party contracts. CC ID 06526 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 Third Party and supply chain oversight Establish/Maintain Documentation
    Include termination costs in third party contracts. CC ID 10023 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text about obtaining adequate insurance in third party contracts. CC ID 06880 Third Party and supply chain oversight Establish/Maintain Documentation
    Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 Third Party and supply chain oversight Establish/Maintain Documentation
    Include end-of-life information in third party contracts. CC ID 15265 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791 Third Party and supply chain oversight Establish/Maintain Documentation
    Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 Third Party and supply chain oversight Establish/Maintain Documentation
    Include disclosure requirements in third party contracts. CC ID 08825 Third Party and supply chain oversight Business Processes
    Include requirements for alternate processing facilities in third party contracts. CC ID 13059 Third Party and supply chain oversight Establish/Maintain Documentation
    Include risk management procedures in the supply chain management policy. CC ID 08811 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029
    [Information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets should be agreed with the supplier and documented. § 15.1.1 Control
    Agreements with suppliers should include requirements to address the information security risks associated with information and communications technology services and product supply chain. § 15.1.3 Control]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Conduct all parts of the supply chain due diligence process. CC ID 08854 Third Party and supply chain oversight Business Processes
    Validate the third parties' compliance to organizationally mandated compliance requirements. CC ID 08819
    [Organizations should regularly monitor, review and audit supplier service delivery. § 15.2.1 Control]
    Third Party and supply chain oversight Business Processes
    Review the supply chain's service delivery on a regular basis. CC ID 12010
    [Organizations should regularly monitor, review and audit supplier service delivery. § 15.2.1 Control]
    Third Party and supply chain oversight Business Processes