0002826
ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
International Organization for Standardization
International or National Standard
For Purchase
ISO/IEC 27018:2014
ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
2014-08-01
The document as a whole was last reviewed and released on 2017-05-09T00:00:00-0700.
0002826
For Purchase
International Organization for Standardization
International or National Standard
ISO/IEC 27018:2014
ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
2014-08-01
The document as a whole was last reviewed and released on 2017-05-09T00:00:00-0700.
This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of meta data that are associated with each Citation; Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.
Dictionary Terms – The dictionary terms listed for ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors are based upon terms either found within the Authority Document’s defined terms section(which most legal documents have), its glossary, and for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.
Common Controls andAn Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
Audits and risk management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Audits and risk management CC ID 00677 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a Statement of Compliance. CC ID 12499 | Establish/Maintain Documentation | Preventive | |
| Include a commitment to comply with recommendations from applicable statutory bodies in the Statement of Compliance. CC ID 12371 [The information security policies should be augmented by a statement concerning support for and commitment to achieving compliance with applicable PII protection legislation and the contractual terms agreed between the public cloud PII processor and its clients (cloud service customers). § 5.1.1 ¶ 3] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a risk management program. CC ID 12051 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Establish/Maintain Documentation | Preventive | |
| Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 | Establish/Maintain Documentation | Detective | |
| Prioritize and select controls based on the risk assessment findings. CC ID 00707 [{technical measures} Where the use of PII for testing purposes cannot be avoided a risk assessment should be undertaken. Technical and organizational measures should be implemented to minimize the risks identified. § 12.1.4 ¶ 3] | Audits and Risk Management | Preventive | |
| Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 | Process or Activity | Detective | |
| Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 | Process or Activity | Detective | |
| Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 | Audits and Risk Management | Preventive | |
Human Resources management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Human Resources management CC ID 00763 | IT Impact Zone | IT Impact Zone | |
| Train all personnel and third parties, as necessary. CC ID 00785 | Behavior | Preventive | |
| Establish, implement, and maintain training plans. CC ID 00828 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a security awareness program. CC ID 11746 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 [{training} Measures should be put in place to make relevant staff aware of the possible consequences on the public cloud PII processor (e.g. legal consequences, loss of business and brand or reputational damage), on the staff member (e.g. disciplinary consequences) and on the PII principal (e.g. physical, material and emotional consequences) of breaching privacy or security rules and procedures, especially those addressing the handling of PII. § 7.2.2 ¶ 3] | Behavior | Preventive | |
| Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 | Behavior | Preventive | |
| Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Training | Preventive | |
| Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 | Establish/Maintain Documentation | Preventive | |
Monitoring and measurement | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Monitoring and measurement CC ID 00636 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain logging and monitoring operations. CC ID 00637 | Log Management | Detective | |
| Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 | Log Management | Detective | |
| Establish, implement, and maintain event logging procedures. CC ID 01335 | Log Management | Detective | |
| Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 [Log information recorded for purposes such as security monitoring and operational diagnostics may contain PII. Measures, such as controlling access (see 9.2.3), should be put in place to ensure that logged information is only used for its intended purposes. § 12.4.2 ¶ 3] | Log Management | Preventive | |
| Protect the event logs from failure. CC ID 06290 | Log Management | Preventive | |
| Overwrite the oldest records when audit logging fails. CC ID 14308 | Data and Information Management | Preventive | |
| Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427 | Testing | Preventive | |
| Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 | Establish/Maintain Documentation | Corrective | |
| Include identity information of suspects in the suspicious activity report. CC ID 16648 | Establish/Maintain Documentation | Preventive | |
| Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424 | Audits and Risk Management | Preventive | |
| Review and update event logs and audit logs, as necessary. CC ID 00596 [A process should be put in place to review event logs with a specified, documented periodicity, to identify irregularities and propose remediation efforts. § 12.4.1 ¶ 3] | Log Management | Detective | |
| Eliminate false positives in event logs and audit logs. CC ID 07047 | Log Management | Corrective | |
| Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 | Log Management | Detective | |
| Identify cybersecurity events in event logs and audit logs. CC ID 13206 | Technical Security | Detective | |
| Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925 | Investigate | Corrective | |
| Reproduce the event log if a log failure is captured. CC ID 01426 | Log Management | Preventive | |
| Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a log management program. CC ID 00673 [The public cloud PII processor should define criteria regarding if, when and how log information can be made available to or usable by the cloud service customer. These procedures should be made available to the cloud service customer. § 12.4.1 ¶ 5] | Establish/Maintain Documentation | Preventive | |
| Deploy log normalization tools, as necessary. CC ID 12141 | Technical Security | Preventive | |
| Restrict access to logs to authorized individuals. CC ID 01342 | Log Management | Preventive | |
| Restrict access to audit trails to a need to know basis. CC ID 11641 | Technical Security | Preventive | |
| Refrain from recording unnecessary restricted data in logs. CC ID 06318 | Log Management | Preventive | |
| Back up audit trails according to backup procedures. CC ID 11642 | Systems Continuity | Preventive | |
| Back up logs according to backup procedures. CC ID 01344 | Log Management | Preventive | |
| Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 | Log Management | Preventive | |
| Identify hosts with logs that are not being stored. CC ID 06314 | Log Management | Preventive | |
| Identify hosts with logs that are being stored at the system level only. CC ID 06315 | Log Management | Preventive | |
| Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 | Log Management | Preventive | |
| Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 | Log Management | Preventive | |
| Protect logs from unauthorized activity. CC ID 01345 [Where a cloud service customer is permitted to access log records controlled by the public cloud PII processor, the public cloud PII processor should ensure that the cloud service customer can only access records that relate to that cloud service customer’s activities, and cannot access any log records which relate to the activities of other cloud service customers. § 12.4.1 ¶ 6] | Log Management | Preventive | |
| Perform testing and validating activities on all logs. CC ID 06322 | Log Management | Preventive | |
| Archive the audit trail in accordance with compliance requirements. CC ID 00674 | Log Management | Preventive | |
| Enforce dual authorization as a part of information flow control for logs. CC ID 10098 | Configuration | Preventive | |
| Preserve the identity of individuals in audit trails. CC ID 10594 | Log Management | Preventive | |
| Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 | Establish/Maintain Documentation | Preventive | |
| Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 | Audits and Risk Management | Preventive | |
Operational and Systems Continuity | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Operational and Systems Continuity CC ID 00731 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a business continuity program. CC ID 13210 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a continuity plan. CC ID 00752 [{backup procedures} The back-up and recovery procedures should be reviewed at a specified, documented frequency. § 12.3.1 ¶ 7] | Establish/Maintain Documentation | Preventive | |
| Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 | Systems Continuity | Corrective | |
| Identify all stakeholders in the continuity plan. CC ID 13256 | Establish/Maintain Documentation | Preventive | |
| Report changes in the continuity plan to senior management. CC ID 12757 | Communicate | Corrective | |
| Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 | Communicate | Preventive | |
| Maintain normal security levels when an emergency occurs. CC ID 06377 | Systems Continuity | Preventive | |
| Execute fail-safe procedures when an emergency occurs. CC ID 07108 | Systems Continuity | Preventive | |
| Lead or manage business continuity and system continuity, as necessary. CC ID 12240 | Human Resources Management | Preventive | |
| Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 | Establish/Maintain Documentation | Preventive | |
| Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 | Establish/Maintain Documentation | Preventive | |
| Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 | Human Resources Management | Preventive | |
| Include the in scope system's location in the continuity plan. CC ID 16246 | Systems Continuity | Preventive | |
| Include the system description in the continuity plan. CC ID 16241 | Systems Continuity | Preventive | |
| Establish, implement, and maintain redundant systems. CC ID 16354 | Configuration | Preventive | |
| Include identification procedures in the continuity plan, as necessary. CC ID 14372 | Establish/Maintain Documentation | Preventive | |
| Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 | Behavior | Preventive | |
| Restore systems and environments to be operational. CC ID 13476 | Systems Continuity | Corrective | |
| Include the continuity strategy in the continuity plan. CC ID 13189 | Establish/Maintain Documentation | Preventive | |
| Document and use the lessons learned to update the continuity plan. CC ID 10037 | Establish/Maintain Documentation | Preventive | |
| Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 | Technical Security | Preventive | |
| Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 | Establish/Maintain Documentation | Preventive | |
| Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 | Process or Activity | Preventive | |
| Monitor and evaluate business continuity management system performance. CC ID 12410 | Monitor and Evaluate Occurrences | Detective | |
| Record business continuity management system performance for posterity. CC ID 12411 | Monitor and Evaluate Occurrences | Preventive | |
| Coordinate continuity planning with community organizations, as necessary. CC ID 13259 | Process or Activity | Preventive | |
| Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 | Establish/Maintain Documentation | Preventive | |
| Include incident management procedures in the continuity plan. CC ID 13244 | Establish/Maintain Documentation | Preventive | |
| Include the use of virtual meeting tools in the continuity plan. CC ID 14390 | Establish/Maintain Documentation | Preventive | |
| Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 | Establish/Maintain Documentation | Preventive | |
| Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 | Establish/Maintain Documentation | Preventive | |
| Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 | Establish Roles | Preventive | |
| Establish, implement, and maintain the continuity procedures. CC ID 14236 | Establish/Maintain Documentation | Corrective | |
| Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 | Communicate | Preventive | |
| Document the uninterrupted power requirements for all in scope systems. CC ID 06707 | Establish/Maintain Documentation | Preventive | |
| Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 | Configuration | Preventive | |
| Install a generator sized to support the facility. CC ID 06709 | Configuration | Preventive | |
| Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 | Acquisition/Sale of Assets or Services | Preventive | |
| Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 | Establish/Maintain Documentation | Preventive | |
| Include notifications to alternate facilities in the continuity plan. CC ID 13220 | Establish/Maintain Documentation | Preventive | |
| Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 | Systems Continuity | Preventive | |
| Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain the organization's call tree. CC ID 01167 | Testing | Detective | |
| Establish, implement, and maintain damage assessment procedures. CC ID 01267 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a recovery plan. CC ID 13288 | Establish/Maintain Documentation | Preventive | |
| Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 | Communicate | Preventive | |
| Include procedures to restore network connectivity in the recovery plan. CC ID 16250 | Establish/Maintain Documentation | Preventive | |
| Include addressing backup failures in the recovery plan. CC ID 13298 | Establish/Maintain Documentation | Preventive | |
| Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 | Establish/Maintain Documentation | Preventive | |
| Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 | Human Resources Management | Preventive | |
| Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 | Establish/Maintain Documentation | Preventive | |
| Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 | Establish/Maintain Documentation | Preventive | |
| Include the criteria for activation in the recovery plan. CC ID 13293 | Establish/Maintain Documentation | Preventive | |
| Include escalation procedures in the recovery plan. CC ID 16248 | Establish/Maintain Documentation | Preventive | |
| Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 | Establish/Maintain Documentation | Preventive | |
| Determine the cause for the activation of the recovery plan. CC ID 13291 | Investigate | Detective | |
| Test the recovery plan, as necessary. CC ID 13290 | Testing | Detective | |
| Test the backup information, as necessary. CC ID 13303 | Testing | Detective | |
| Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 | Establish/Maintain Documentation | Detective | |
| Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 | Communicate | Preventive | |
| Include restoration procedures in the continuity plan. CC ID 01169 [Procedures should be put in place to allow for restoration of data processing operations within a specified, documented period after a disruptive event. § 12.3.1 ¶ 6 {data restoration process} There should be a procedure for, and a log of, data restoration efforts. § A.10.3 ¶ 2] | Establish Roles | Preventive | |
| Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 | Establish/Maintain Documentation | Preventive | |
| Include the recovery plan in the continuity plan. CC ID 01377 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 | Communicate | Preventive | |
| Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 | Systems Continuity | Preventive | |
| Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 | Systems Continuity | Preventive | |
| Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664 | Systems Continuity | Preventive | |
| Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 | Systems Continuity | Corrective | |
| Establish, implement, and maintain system continuity plan strategies. CC ID 00735 | Establish/Maintain Documentation | Preventive | |
| Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258 [{backup procedures} The back-up and recovery procedures should be reviewed at a specified, documented frequency. § 12.3.1 ¶ 7 The public cloud PII processor should have a policy which addresses the requirements for backup of information and any further requirements (e.g. contractual and/or legal requirements) for the erasure of PII contained in information held for backup purposes. § 12.3.1 ¶ 10] | Systems Continuity | Preventive | |
| Determine which data elements to back up. CC ID 13483 | Data and Information Management | Detective | |
| Document the backup method and backup frequency on a case-by-case basis in the backup procedures. CC ID 01384 | Systems Continuity | Preventive | |
| Establish and maintain off-site electronic media storage facilities. CC ID 00957 | Physical and Environmental Protection | Preventive | |
| Separate the off-site electronic media storage facilities from the primary facility through geographic separation. CC ID 01390 | Testing | Detective | |
| Configure the off-site electronic media storage facilities to utilize timely and effective recovery operations. CC ID 01392 | Configuration | Preventive | |
| Outline explicit mitigation actions for potential off-site electronic media storage facilities accessibility issues for when area-wide disruptions occur or area-wide disasters occur. CC ID 01393 | Establish/Maintain Documentation | Preventive | |
| Review the security of the off-site electronic media storage facilities, as necessary. CC ID 00573 | Systems Continuity | Detective | |
| Store backup media at an off-site electronic media storage facility. CC ID 01332 [Information processing systems based on the cloud computing model introduce additional or alternative mechanisms to off-site backups for protecting against loss of data, ensuring continuity of data processing operations, and providing the ability to restore data processing operations after a disruptive event. Multiple copies of data in physically and/or logically diverse locations (which may be within the information processing system itself) should be created or maintained for the purposes of backup and/or recovery. § 12.3.1 ¶ 3] | Data and Information Management | Preventive | |
| Transport backup media in lockable electronic media storage containers. CC ID 01264 | Data and Information Management | Preventive | |
| Store backup media in a fire-rated container which is not collocated with the operational system. CC ID 14289 | Systems Continuity | Preventive | |
| Identify the access methods for backup media at both the primary facility and the off-site electronic media storage facility. CC ID 01257 | Data and Information Management | Preventive | |
| Store backup vital records in a manner that is accessible for emergency retrieval. CC ID 12765 | Systems Continuity | Preventive | |
| Establish, implement, and maintain security controls to protect offsite data. CC ID 16259 | Data and Information Management | Preventive | |
Operational management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone | |
| Manage cloud services. CC ID 13144 | Business Processes | Preventive | |
| Protect clients' hosted environments. CC ID 11862 [The public cloud PII processor should ensure that whenever data storage space is assigned to a cloud service customer, any data previously residing on that storage space is not visible to that cloud service customer. § A.10.13 ¶ 2] | Physical and Environmental Protection | Preventive | |
| Notify cloud customers of the geographic locations of the cloud service organization and its assets. CC ID 13037 | Communicate | Preventive | |
| Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an information security program. CC ID 00812 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 [In cases where individual cloud service customer audits are impractical or may increase risks to security (see 0.1), the public cloud PII processor should make available to prospective cloud service customers, prior to entering into, and for the duration of, a contract, independent evidence that information security is implemented and operated in accordance with the public cloud PII processor’s policies and procedures. A relevant independent audit as selected by the public cloud PII processor should normally be an acceptable method for fulfilling the cloud service customer’s interest in reviewing the public cloud PII processor’s processing operations, provided sufficient transparency is provided. § 18.2.1 ¶ 3] | Communicate | Preventive | |
| Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Establish/Maintain Documentation | Preventive | |
| Include asset use policies in the Acceptable Use Policy. CC ID 01355 [{portable computing device} {removable media} Portable physical media and portable devices that do not permit encryption should not be used except where it is unavoidable, and any use of such portable media and devices should be documented. § A.10.5 ¶ 2] | Establish/Maintain Documentation | Preventive | |
| Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 [An up-to-date record of the users or profiles of users who have authorized access to the information system should be maintained. § A.10.9 ¶ 2] | Establish/Maintain Documentation | Preventive | |
| Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Establish/Maintain Documentation | Preventive | |
| Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Technical Security | Preventive | |
| Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Establish/Maintain Documentation | Preventive | |
| Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Data and Information Management | Preventive | |
| Establish, implement, and maintain nondisclosure agreements. CC ID 04536 | Establish/Maintain Documentation | Preventive | |
| Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 [Where public disclosure of sub-contractor information is assessed to increase security risk beyond acceptable limits, disclosure should be made under a non-disclosure agreement and/or on the request of the cloud service customer. The cloud service customer should be made aware that the information is available. § A.7.1 ¶ 6] | Establish/Maintain Documentation | Preventive | |
| Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Establish/Maintain Documentation | Preventive | |
| Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Business Processes | Preventive | |
| Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 [The public cloud PII processor should define criteria regarding if, when and how log information can be made available to or usable by the cloud service customer. These procedures should be made available to the cloud service customer. § 12.4.1 ¶ 5] | Behavior | Preventive | |
| Establish, implement, and maintain a customer service program. CC ID 00846 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an Incident Management program. CC ID 00853 | Business Processes | Preventive | |
| Include detection procedures in the Incident Management program. CC ID 00588 | Establish/Maintain Documentation | Preventive | |
| Assess all incidents to determine what information was accessed. CC ID 01226 [An information security incident should trigger a review by the public cloud PII processor, as part of its information security incident management process, to determine if a data breach involving PII has taken place (see A.9.1). § 16.1.1 ¶ 3] | Testing | Corrective | |
| Check the precursors and indicators when assessing the security incidents. CC ID 01761 | Monitor and Evaluate Occurrences | Corrective | |
| Include data loss event notifications in the Incident Response program. CC ID 00364 | Establish/Maintain Documentation | Preventive | |
| Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 [The public cloud PII processor should promptly notify the relevant cloud service customer in the event of any unauthorized access to PII or unauthorized access to processing equipment or facilities resulting in loss, disclosure or alteration of PII. § A.9.1 ¶ 2] | Behavior | Corrective | |
| Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 | Behavior | Detective | |
| Delay sending incident response notifications under predetermined conditions. CC ID 00804 | Behavior | Corrective | |
| Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Establish/Maintain Documentation | Preventive | |
| Submit written requests to delay the notification of affected parties. CC ID 16783 | Communicate | Preventive | |
| Revoke the written request to delay the notification. CC ID 16843 | Process or Activity | Preventive | |
| Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 | Establish/Maintain Documentation | Preventive | |
| Avoid false positive incident response notifications. CC ID 04732 | Behavior | Detective | |
| Establish, implement, and maintain incident response notifications. CC ID 12975 | Establish/Maintain Documentation | Corrective | |
| Refrain from charging for providing incident response notifications. CC ID 13876 | Business Processes | Preventive | |
| Include information required by law in incident response notifications. CC ID 00802 | Establish/Maintain Documentation | Detective | |
| Title breach notifications "Notice of Data Breach". CC ID 12977 | Establish/Maintain Documentation | Preventive | |
| Display titles of incident response notifications clearly and conspicuously. CC ID 12986 | Establish/Maintain Documentation | Preventive | |
| Display headings in incident response notifications clearly and conspicuously. CC ID 12987 | Establish/Maintain Documentation | Preventive | |
| Design the incident response notification to call attention to its nature and significance. CC ID 12984 | Establish/Maintain Documentation | Preventive | |
| Use plain language to write incident response notifications. CC ID 12976 | Establish/Maintain Documentation | Preventive | |
| Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 | Establish/Maintain Documentation | Preventive | |
| Refrain from including restricted information in the incident response notification. CC ID 16806 | Actionable Reports or Measurements | Preventive | |
| Include the affected parties rights in the incident response notification. CC ID 16811 | Establish/Maintain Documentation | Preventive | |
| Include details of the investigation in incident response notifications. CC ID 12296 | Establish/Maintain Documentation | Preventive | |
| Include the issuer's name in incident response notifications. CC ID 12062 | Establish/Maintain Documentation | Preventive | |
| Include a "What Happened" heading in breach notifications. CC ID 12978 | Establish/Maintain Documentation | Preventive | |
| Include a general description of the data loss event in incident response notifications. CC ID 04734 | Establish/Maintain Documentation | Preventive | |
| Include time information in incident response notifications. CC ID 04745 | Establish/Maintain Documentation | Preventive | |
| Include the identification of the data source in incident response notifications. CC ID 12305 | Establish/Maintain Documentation | Preventive | |
| Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 | Establish/Maintain Documentation | Preventive | |
| Include the type of information that was lost in incident response notifications. CC ID 04735 | Establish/Maintain Documentation | Preventive | |
| Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 | Establish/Maintain Documentation | Preventive | |
| Include a "What We Are Doing" heading in the breach notification. CC ID 12982 | Establish/Maintain Documentation | Preventive | |
| Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 | Establish/Maintain Documentation | Preventive | |
| Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 | Establish/Maintain Documentation | Preventive | |
| Include a "For More Information" heading in breach notifications. CC ID 12981 | Establish/Maintain Documentation | Preventive | |
| Include details of the companies and persons involved in incident response notifications. CC ID 12295 | Establish/Maintain Documentation | Preventive | |
| Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 | Establish/Maintain Documentation | Preventive | |
| Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Establish/Maintain Documentation | Preventive | |
| Include any consequences in the incident response notifications. CC ID 12604 | Establish/Maintain Documentation | Preventive | |
| Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 | Establish/Maintain Documentation | Preventive | |
| Include a "What You Can Do" heading in the breach notification. CC ID 12980 | Establish/Maintain Documentation | Preventive | |
| Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 | Establish/Maintain Documentation | Detective | |
| Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Communicate | Corrective | |
| Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Business Processes | Corrective | |
| Include contact information in incident response notifications. CC ID 04739 | Establish/Maintain Documentation | Preventive | |
| Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Communicate | Preventive | |
| Send paper incident response notifications to affected parties, as necessary. CC ID 00366 | Behavior | Corrective | |
| Post the incident response notification on the organization's website. CC ID 16809 | Process or Activity | Preventive | |
| Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 | Behavior | Corrective | |
| Document the determination for providing a substitute incident response notification. CC ID 16841 | Process or Activity | Preventive | |
| Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 | Behavior | Corrective | |
| Telephone incident response notifications to affected parties, as necessary. CC ID 04650 | Behavior | Corrective | |
| Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 | Behavior | Preventive | |
| Include contact information in the substitute incident response notification. CC ID 16776 | Establish/Maintain Documentation | Preventive | |
| Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 | Establish/Maintain Documentation | Preventive | |
| Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 | Behavior | Preventive | |
| Publish the incident response notification in a general circulation periodical. CC ID 04651 | Behavior | Corrective | |
| Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 | Behavior | Preventive | |
| Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 | Behavior | Corrective | |
| Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Communicate | Corrective | |
| Include incident recovery procedures in the Incident Management program. CC ID 01758 | Establish/Maintain Documentation | Corrective | |
| Establish, implement, and maintain a restoration log. CC ID 12745 [{data restoration process} There should be a procedure for, and a log of, data restoration efforts. § A.10.3 ¶ 2] | Establish/Maintain Documentation | Preventive | |
| Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 | Data and Information Management | Preventive | |
| Include a description of the restored data in the restoration log. CC ID 15462 | Data and Information Management | Preventive | |
| Document the organization's local environments. CC ID 06726 [The objective specified in ISO/IEC 27002:2013, 5.1 applies. § 5.1 ¶ 1 Control 5.1.1 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. § 5.1.1 ¶ 1 Control 5.1.2 and the associated implementation guidance specified in ISO/IEC 27002 apply. § 5.1.2 ¶ 1 The objective specified in ISO/IEC 27002:2013, 6.1 applies. § 6.1 ¶ 1 Control 6.1.1 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. § 6.1.1 ¶ 1 Control 6.1.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 6.1.2 ¶ 1 Control 6.1.3 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 6.1.3 ¶ 1 Control 6.1.4 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 6.1.4 ¶ 1 Control 6.1.5 and the associated implementation guidance specified in ISO/IEC 27002 apply. § 6.1.5 ¶ 1 The objective specified in, and the contents of, ISO/IEC 27002:2013, 6.2 apply. § 6.2 ¶ 1 The objective specified in, and the contents of, ISO/IEC 27002:2013, 7.1 apply. § 7.1 ¶ 1 The objective specified in ISO/IEC 27002:2013, 7.2 applies. § 7.2 ¶ 1 Control 7.2.1 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 7.2.1 ¶ 1 Control 7.2.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. § 7.2.2 ¶ 1 Control 7.2.3 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 7.2.3 ¶ 1 The objective specified in, and the contents of, ISO/IEC 27002:2013, 7.3 apply. § 7.3 ¶ 1 The objectives specified in, and the contents of, ISO/IEC 27002:2013, Clause 8 apply. § 8 ¶ 1 The objective specified in, and the contents of, ISO/IEC 27002:2013, 9.1 apply. § 9.1 ¶ 1 The objective specified in ISO/IEC 27002:2013, 9.2 applies. The following sector-specific guidance also applies to the implementation of all of the controls under this subclause (9.2). § 9.2 ¶ 1 Control 9.2.1 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. § 9.2.1 ¶ 1 Control 9.2.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 9.2.2 ¶ 1 Control 9.2.3 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 9.2.3 ¶ 1 Control 9.2.4 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 9.2.4 ¶ 1 Control 9.2.5 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 9.2.5 ¶ 1 Control 9.2.6 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 9.2.6 ¶ 1 The objective specified in ISO/IEC 27002:2013, 9.3 applies. § 9.3 ¶ 1 Control 9.3.1 and the associated implementation guidance specified in ISO/IEC 27002 apply. § 9.3.1 ¶ 1 Control 9.4.1 and the associated implementation guidance specified in ISO/IEC 27002 apply. § 9.4.1 ¶ 1 Control 9.4.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. § 9.4.2 ¶ 1 Control 9.4.3 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 9.4.3 ¶ 1 Control 9.4.4 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 9.4.4 ¶ 1 Control 9.4.5 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 9.4.5 ¶ 1 Control 10.1.1 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. § 10.1.1 ¶ 1 Control 10.1.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 10.1.2 ¶ 1 The objective specified in, and the contents of, ISO/IEC 27002:2013, 11.1 apply. § 11.1 ¶ 1 The objective specified in ISO/IEC 27002:2013, 11.2 applies. § 11.2 ¶ 1 Control 11.2.1 and the associated implementation guidance specified in ISO/IEC 27002 apply. § 11.2.1 ¶ 1 Control 11.2.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 11.2.2 ¶ 1 Control 11.2.3 and the associated implementation guidance specified in ISO/IEC 27002 apply. § 11.2.3 ¶ 1 Control 11.2.4 and the associated implementation guidance specified in ISO/IEC 27002 apply. § 11.2.4 ¶ 1 Control 11.2.5 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 11.2.5 ¶ 1 Control 11.2.6 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 11.2.6 ¶ 1 Control 11.2.7 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. § 11.2.7 ¶ 1 Control 11.2.8 and the associated implementation guidance specified in ISO/IEC 27002 apply. § 11.2.8 ¶ 1 Control 11.2.9 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 11.2.9 ¶ 1 The objective specified in ISO/IEC 27002:2013, 12.1 applies. § 12.1 ¶ 1 Control 12.1.1 and the associated implementation guidance specified in ISO/IEC 27002 apply. § 12.1.1 ¶ 1 Control 12.1.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 12.1.2 ¶ 1 Control 12.1.3 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 12.1.3 ¶ 1 Control 12.1.4 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. § 12.1.4 ¶ 1 The objective specified in, and the contents of, ISO/IEC 27002:2013, 12.2 apply. § 12.2 ¶ 1 The objective specified in ISO/IEC 27002:2013, 12.3 applies. § 12.3 ¶ 1 Control 12.3.1 and the associated implementation guidance specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. § 12.3.1 ¶ 1 NOTE 1 Individual jurisdictions may impose specific requirements regarding the frequency of backups. Organizations operating in these jurisdictions should ensure that they comply with these requirements. § 12.3.1 ¶ 5 NOTE 2 Individual jurisdictions may impose specific requirements regarding the frequency of reviews of backup and recovery procedures. Organizations operating in these jurisdictions should ensure that they comply with these requirements. § 12.3.1 ¶ 8 The objective specified in ISO/IEC 27002:2013, 12.4 applies. § 12.4 ¶ 1 Control 12.4.1 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. § 12.4.1 ¶ 1 Control 12.4.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. § 12.4.2 ¶ 1 Control 12.4.3 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 12.4.3 ¶ 1 Control 12.4.4 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 12.4.4 ¶ 1 The objective specified in, and the contents of, ISO/IEC 27002:2013, 12.5 apply. § 12.5 ¶ 1 The objective specified in, and the contents of, ISO/IEC 27002:2013, 12.6 apply. § 12.6 ¶ 1 The objective specified in, and the contents of, ISO/IEC 27002:2013, 12.7 apply. § 12.7 ¶ 1 The objective specified in ISO/IEC 27002:2013, 13.2 applies. § 13.2 ¶ 1 Control 13.2.1 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. § 13.2.1 ¶ 1 Control 13.2.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 13.2.2 ¶ 1 Control 13.2.3 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 13.2.3 ¶ 1 Control 13.2.4 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 13.2.4 ¶ 1 The objectives specified in, and the contents of, ISO/IEC 27002:2013, Clause 14 apply. § 14 ¶ 1 The objectives specified in, and the contents of, ISO/IEC 27002:2013, Clause 15 apply. § 15 ¶ 1 The objective specified in ISO/IEC 27002:2013, 16.1 applies. The following sector-specific guidance also applies to the implementation of all of the controls under this subclause (16.1). § 16.1 ¶ 1 Control 16.1.1 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. § 16.1.1 ¶ 1 Control 16.1.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 16.1.2 ¶ 1 Control 16.1.3 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 16.1.3 ¶ 1 Control 16.1.4 and the associated implementation guidance specified in ISO/IEC 27002 apply. § 16.1.4 ¶ 1 Control 16.1.5 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 16.1.5 ¶ 1 Control 16.1.6 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 16.1.6 ¶ 1 Control 16.1.7 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 16.1.7 ¶ 1 The objectives specified in, and the contents of, ISO/IEC 27002:2013, Clause 17 apply. § 17 ¶ 1 The objective specified in, and the contents of, ISO/IEC 27002:2013, 18.1 apply. § 18.1 ¶ 1 The objective specified in ISO/IEC 27002:2013, 18.2 applies. § 18.2 ¶ 1 Control 18.2.1 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. § 18.2.1 ¶ 1 Control 18.2.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 18.2.2 ¶ 1 Control 18.2.3 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 18.2.3 ¶ 1 For the purposes of secure disposal or re-use, equipment containing storage media that may possibly contain PII should be treated as though it does. § 11.2.7 ¶ 3 The use of sub-contractors to store replicated or backup copies of data being processed is covered by the controls in this International Standard applying to sub-contracted PII processing. Where physical media transfers take place this is also covered by controls in this International Standard. § 12.3.1 ¶ 9 The objective specified in, and the contents of, ISO/IEC 27002:2013, 13.1 apply. § 13.1 ¶ 1 In the context of the whole cloud computing reference architecture, there may be shared roles in the management of information security incidents and making improvements. There may be a need for the public cloud PII processor to cooperate with the cloud service customer in implementing the controls in this subclause. § 16.1 ¶ 3 An information security event should not necessarily trigger such a review. An information security event is one that does not result in actual, or the significant probability of, unauthorized access to PII or to any of the public cloud PII processor’s equipment or facilities storing PII, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks and packet sniffing. § 16.1.1 ¶ 4 No additional controls are relevant to this privacy principle. § A.3 ¶ 1 Implementation guidance on PII erasure is provided in A.10.11. § A.4.1 ¶ 4 An example of a possible prohibition on disclosure would be a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation. § A.5.1 ¶ 5 No additional controls are relevant to this privacy principle. § A.6 ¶ 1 No additional controls are relevant to this privacy principle. § A.8 ¶ 1 In some jurisdictions, relevant legislation or regulations may require the public cloud PII processor to directly notify appropriate regulatory authorities (e.g. a PII protection authority) of a data breach involving PII. § A.9.1 ¶ 7 Review of current and historical policies and procedures may be required, e.g. in the cases of customer dispute resolution and investigation by a PII protection authority. A minimum retention period of five years is recommended in the absence of a specific legal or contractual requirement. § A.9.2 ¶ 4 At some point in time, PII may need to be disposed of in some manner. This may involve returning the PII to the cloud service customer, transferring it to another public cloud PII processor or to a PII controller (e.g. as a result of a merger), securely deleting or otherwise destroying it, anonymizing it or archiving it. § A.9.3 ¶ 4 Hardcopy material includes material created by printing. § A.10.2 ¶ 4 In some cases, e.g. the exchange of e-mail, the inherent characteristics of public data-transmission network systems might require that some header or traffic data be exposed for effective transmission. § A.10.6 ¶ 4 Where multiple service providers are involved in providing service from different service categories of the cloud computing reference architecture, there may be varied or shared roles in implementing this guidance. § A.10.6 ¶ 5 In the context of the whole cloud computing reference architecture, the cloud service customer may be responsible for some or all aspects of user ID management for cloud service users under its control. § A.10.10 ¶ 4 Information security and PII protection obligations relevant to the public cloud PII processor may arise directly from applicable law. Where this is not the case, PII protection obligations relevant to the public cloud PII processor should be covered in the contract. § A.10.11 ¶ 4 The use of sub-contractors to store backup copies is covered by this control (see A.7.1). § A.10.12 ¶ 4 Upon deletion by a cloud service user of data held in an information system, performance issues may mean that explicit erasure of those data is impractical. This creates the risk that another user may be able to read the data. Such risk should be avoided by specific technical measures. § A.10.13 ¶ 4 No specific guidance is especially appropriate for dealing with all cases in implementing this control. However, as an example, some cloud infrastructure, platforms or applications will return zeroes if a cloud service user attempts to read storage space which has not been overwritten by that user’s own data. § A.10.13 ¶ 5 The PII controller’s obligations in this respect may be defined by law, by regulations or by contract. These obligations may include matters where the cloud service customer uses the services of the public cloud PII processor for implementation. For example, this could include the correction or deletion of PII in a timely fashion. § A.1.1 ¶ 4 Instructions may be contained in the contract between the public cloud PII processor and the cloud service customer including, e.g. the objective and time frame to be achieved by the service. § A.2.1 ¶ 4 Where the PII controller depends on the public cloud PII processor for information or technical measures to facilitate the exercise of PII principals’ rights, the relevant information or technical measures should be specified in the contract. § A.1.1 ¶ 5 In order to achieve the cloud service customer’s purpose, there may be technical reasons why it is appropriate for a public cloud PII processor to determine the method for processing PII, consistent with the general instructions of the cloud service customer but without the cloud service customer’s express instruction. For example, in order to efficiently utilize network or processing capacity it may be necessary to allocate specific processing resources depending on certain characteristics of the PII principal. In circumstances where the public cloud PII processor’s determination of the processing method involves the collection and use of PII, the public cloud PII processor should adhere to the relevant privacy principles set forth in ISO/IEC 29100. § A.2.1 ¶ 5 The public cloud PII processor should provide the cloud service customer with all relevant information, in a timely fashion, to allow the cloud service customer to ensure the public cloud PII processor’s compliance with purpose specification and limitation principles and ensure that no PII is processed by the public cloud PII processor or any of its sub-contractors for further purposes independent of the instructions of the cloud service customer. § A.2.1 ¶ 6 Information systems may create temporary files in the normal course of their operation. Such files are specific to the system or application, but may include file system roll-back journals and temporary files associated with the updating of databases and the operation of other application software. Temporary files are not needed after the related information processing task has completed but there are circumstances in which they may not be deleted. The length of time for which these files remain in use is not always deterministic but a “garbage collection” procedure should identify the relevant files and determine how long it has been since they were last used. § A.4.1 ¶ 5 PII processing information systems should implement a periodic check that unused temporary files above a specified age are deleted. § A.4.1 ¶ 6 The public cloud PII processor should provide contractual guarantees that it will reject any requests for PII disclosure that are not legally binding, consult the corresponding cloud service customer where legally permissible before making any PII disclosure and accept any contractually agreed requests for PII disclosures that are authorized by the corresponding cloud service customer. § A.5.1 ¶ 4 PII may be disclosed during the course of normal operations. These disclosures should be recorded (see 12.4.1). Any additional disclosures to third parties, such as those arising from lawful investigations or external audits, should also be recorded. The records should include the source of the disclosure and the source of the authority to make the disclosure. § A.5.2 ¶ 4 Provisions for the use of sub-contractors to process PII should be transparent in the contract between the public cloud PII processor and the cloud service customer. The contract should specify that sub-contractors may only be commissioned on the basis of a consent that can generally be given by the cloud service customer at the beginning of the service. The public cloud PII processor should inform the cloud service customer in a timely fashion of any intended changes in this regard so that the cloud service customer has the ability to object to such changes or to terminate the contract. § A.7.1 ¶ 4 Information disclosed should cover the fact that sub-contracting is used and the names of relevant sub-contractors, but not any business-specific details. The information disclosed should also include the countries in which sub-contractors may process data (see A.11.1) and the means by which sub-contractors are obliged to meet or exceed the obligations of the public cloud PII processor (see A.10.12). § A.7.1 ¶ 5 In the event that a data breach involving PII has occurred, a record should be maintained with a description of the incident, the time period, the consequences of the incident, the name of the reporter, to whom the incident was reported, the steps taken to resolve the incident (including the person in charge and the data recovered) and the fact that the incident resulted in loss, disclosure or alteration of PII. § A.9.1 ¶ 5 Provisions covering the notification of a data breach involving PII should form part of the contract between the public cloud PII processor and the cloud service customer. The contract should specify how the public cloud PII processor will provide the information necessary for the cloud service customer to fulfil his obligation to notify relevant authorities. This notification obligation does not extend to a data breach caused by the cloud service customer or PII principal or within system components for which they are responsible. The contract should also define the maximum delay in notification of a data breach involving PII. § A.9.1 ¶ 4 In the event that a data breach involving PII has occurred, the record should also include a description of the data compromised, if known; and if notifications were performed, the steps taken to notify the cloud service customer and/or regulatory agencies. § A.9.1 ¶ 6 The public cloud PII processor should provide the information necessary to allow the cloud service customer to ensure that PII processed under a contract is erased (by the public cloud PII processor and any of its sub-contractors) from wherever they are stored, including for the purposes of backup and business continuity, as soon as they are no longer necessary for the specific purposes of the cloud service customer. The nature of the disposition mechanisms (de-linking, overwriting, demagnetization, destruction or other forms of erasure) and/or the applicable commercial standards should be provided for contractually. § A.9.3 ¶ 5 The public cloud PII processor should develop and implement a policy in respect of the disposition of PII and should make this policy available to cloud service customer. § A.9.3 ¶ 6 The policy should cover the retention period for PII before its destruction after termination of a contract, to protect the cloud service customer from losing PII through an accidental lapse of the contract. § A.9.3 ¶ 7 A confidentiality agreement, in whatever form, between the public cloud PII processor, its employees and its agents should ensure that employees and agents do not disclose PII for purposes independent of the instructions of the cloud service customer (see A.2.1). The obligations of the confidentiality agreement should survive termination of any relevant contract. § A.10.1 ¶ 4 The log of data restoration efforts should contain: the person responsible, a description of the restored data, and the data that were restored manually. § A.10.3 ¶ 4 A user profile should be maintained for all users whose access is authorized by the public cloud PII processor. The profile of a user comprises the set of data about that user, including user ID, necessary to implement the technical controls providing authorized access to the information system. § A.10.9 ¶ 4 The controls in this International Standard, together with the controls in ISO/IEC 27002, are intended as a reference catalogue of measures to assist in entering into an information processing contract in respect of PII. The public cloud PII processor should inform a prospective cloud service customer, before entering into a contract, about the aspects of its services material to the protection of PII. § A.10.11 ¶ 5 The public cloud PII processor should be transparent about its capabilities during the process of entering into a contract. However, it is ultimately the cloud service customer’s responsibility to ensure that the measures implemented by the public cloud PII processor meet its obligations. § A.10.11 ¶ 6 The identities of the countries where PII might possibly be stored should be made available to cloud service customers. The identities of the countries arising from the use of sub-contracted PII processing should be included. Where specific contractual agreements apply to the international transfer of data, such as Model Contract Clauses, Binding Corporate Rules or Cross Border Privacy Rules, the agreements and the countries or circumstances in which such agreements apply should also be identified. The public cloud PII processor should inform the cloud service customer in a timely fashion of any intended changes in this regard so that the cloud service customer has the ability to object to such changes or to terminate the contract. § A.11.1 ¶ 4 The objective specified in ISO/IEC 27002:2013, 9.4 applies. § 9.4 ¶ 1] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain local environment security profiles. CC ID 07037 | Establish/Maintain Documentation | Preventive | |
| Include individuals assigned to the local environment in the local environment security profile. CC ID 07038 | Establish/Maintain Documentation | Preventive | |
| Include security requirements in the local environment security profile. CC ID 15717 | Establish/Maintain Documentation | Preventive | |
| Include the business processes assigned to the local environment in the local environment security profile. CC ID 07039 | Establish/Maintain Documentation | Preventive | |
| Include the technology used in the local environment in the local environment security profile. CC ID 07040 | Establish/Maintain Documentation | Preventive | |
| Include contact information for critical personnel assigned to the local environment in the local environment security profile. CC ID 07041 | Establish/Maintain Documentation | Preventive | |
| Include facility information for the local environment in the local environment security profile. CC ID 07042 | Establish/Maintain Documentation | Preventive | |
| Include facility access information for the local environment in the local environment security profile. CC ID 11773 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the local environment security profile to interested personnel and affected parties. CC ID 15716 | Communicate | Preventive | |
| Update the local environment security profile, as necessary. CC ID 07043 | Establish/Maintain Documentation | Preventive | |
Physical and environmental protection | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Physical and environmental protection CC ID 00709 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a physical security program. CC ID 11757 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 | Physical and Environmental Protection | Preventive | |
| Control the transiting and internal distribution or external distribution of assets. CC ID 00963 | Records Management | Preventive | |
| Obtain management authorization for restricted storage media transit or distribution from a controlled access area. CC ID 00964 [PII on media leaving the organization’s premises should be subject to an authorization procedure and should not be accessible to anyone other than authorized personnel (e.g. by encrypting the data concerned). § A.10.4 ¶ 2] | Records Management | Preventive | |
| Establish, implement, and maintain removable storage media controls. CC ID 06680 | Data and Information Management | Preventive | |
| Control access to restricted storage media. CC ID 04889 [Whenever physical media are used for information transfer, a system should be put in place to record incoming and outgoing physical media containing PII, including the type of physical media, the authorized sender/recipients, the date and time, and the number of physical media. Where possible, cloud service customers should be asked to put additional measures in place (such as encryption) to ensure that the data can only be accessed at the point of destination and not en route. § 13.2.1 ¶ 3] | Data and Information Management | Preventive | |
| Log the transfer of removable storage media. CC ID 12322 [Whenever physical media are used for information transfer, a system should be put in place to record incoming and outgoing physical media containing PII, including the type of physical media, the authorized sender/recipients, the date and time, and the number of physical media. Where possible, cloud service customers should be asked to put additional measures in place (such as encryption) to ensure that the data can only be accessed at the point of destination and not en route. § 13.2.1 ¶ 3] | Log Management | Preventive | |
| Establish, implement, and maintain storage media access control procedures. CC ID 00959 | Establish/Maintain Documentation | Preventive | |
| Require removable storage media be in the custody of an authorized individual. CC ID 12319 [PII on media leaving the organization’s premises should be subject to an authorization procedure and should not be accessible to anyone other than authorized personnel (e.g. by encrypting the data concerned). § A.10.4 ¶ 2] | Behavior | Preventive | |
| Establish, implement, and maintain mobile device security guidelines. CC ID 04723 | Establish/Maintain Documentation | Preventive | |
| Encrypt information stored on mobile devices. CC ID 01422 [{portable computing device} {removable media} Portable physical media and portable devices that do not permit encryption should not be used except where it is unavoidable, and any use of such portable media and devices should be documented. § A.10.5 ¶ 2] | Data and Information Management | Preventive | |
Privacy protection for information and data | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Privacy protection for information and data CC ID 00008 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a personal data transparency program. CC ID 00375 | Data and Information Management | Preventive | |
| Establish, implement, and maintain adequate openness procedures. CC ID 00377 | Data and Information Management | Preventive | |
| Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398 [The public cloud PII processor should have a policy in respect of the return, transfer and/or disposal of PII and should make this policy available to the cloud service customer. § A.9.3 ¶ 2 The public cloud PII processor should provide information to the cloud service customer regarding the circumstances in which it uses cryptography to protect the PII it processes. The public cloud PII processor should also provide information to the cloud service customer about any capabilities it provides that may assist the cloud service customer in applying its own cryptographic protection. § 10.1.1 ¶ 3 The public cloud PII processor should provide information to the cloud service customer regarding the circumstances in which it uses cryptography to protect the PII it processes. The public cloud PII processor should also provide information to the cloud service customer about any capabilities it provides that may assist the cloud service customer in applying its own cryptographic protection. § 10.1.1 ¶ 3 PII-specific responsibilities in this respect may lie with the cloud service customer. Where the public cloud PII processor explicitly provides backup and restore services to the cloud service customer, the public cloud PII processor should provide clear information to the cloud service customer about the capabilities of the cloud service with respect to backup and restoration of the cloud service customer data. § 12.3.1 ¶ 4] | Establish/Maintain Documentation | Preventive | |
| Document the countries where restricted data may be stored. CC ID 12750 [The public cloud PII processor should specify and document the countries in which PII might possibly be stored. § A.11.1 ¶ 2] | Data and Information Management | Preventive | |
| Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 | Establish/Maintain Documentation | Preventive | |
| Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 [{right to erasure} {right to rectification} The public cloud PII processor should provide the cloud service customer with the means to enable them to fulfil their obligation to facilitate the exercise of PII principals’ rights to access, correct and/or erase PII pertaining to them. § A.1.1 ¶ 2] | Data and Information Management | Preventive | |
| Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 | Business Processes | Preventive | |
| Provide the data subject with the data protection officer's contact information. CC ID 12573 | Business Processes | Preventive | |
| Notify the data subject of the right to data portability. CC ID 12603 | Process or Activity | Preventive | |
| Provide the data subject with information about the right to erasure. CC ID 12602 [{right to erasure} {right to rectification} The public cloud PII processor should provide the cloud service customer with the means to enable them to fulfil their obligation to facilitate the exercise of PII principals’ rights to access, correct and/or erase PII pertaining to them. § A.1.1 ¶ 2] | Process or Activity | Preventive | |
| Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 | Data and Information Management | Preventive | |
| Establish and maintain a disclosure accounting record. CC ID 13022 | Establish/Maintain Documentation | Preventive | |
| Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 | Establish/Maintain Documentation | Preventive | |
| Include the disclosure date in the disclosure accounting record. CC ID 07133 [{disclosure accounting record} {disclosure recipient} {disclosure date} Disclosures of PII to third parties should be recorded, including what PII has been disclosed, to whom and at what time. § A.5.2 ¶ 2] | Establish/Maintain Documentation | Preventive | |
| Include the disclosure recipient in the disclosure accounting record. CC ID 07134 [{disclosure accounting record} {disclosure recipient} {disclosure date} Disclosures of PII to third parties should be recorded, including what PII has been disclosed, to whom and at what time. § A.5.2 ¶ 2] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain Data Processing Contracts. CC ID 12650 [{technical measures} Contracts between the cloud service customer and the public cloud PII processor should specify minimum technical and organizational measures to ensure that the contracted security arrangements are in place and that data are not processed for any purpose independent of the instructions of the controller. Such measures should not be subject to unilateral reduction by the public cloud PII processor. § A.10.11 ¶ 2] | Establish/Maintain Documentation | Preventive | |
| Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 | Establish/Maintain Documentation | Preventive | |
| Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 [{technical measures} {information security obligations} Contracts between the public cloud PII processor and any sub-contractors that process PII should specify minimum technical and organizational measures that meet the information security and PII protection obligations of the public cloud PII processor. Such measures should not be subject to unilateral reduction by the sub-contractor. § A.10.12 ¶ 2] | Establish/Maintain Documentation | Preventive | |
| Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 | Establish/Maintain Documentation | Preventive | |
| Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 | Establish/Maintain Documentation | Preventive | |
| Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937 | Establish/Maintain Documentation | Preventive | |
| Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 | Establish/Maintain Documentation | Preventive | |
| Include the duration of processing in the Data Processing Contract. CC ID 14935 | Establish/Maintain Documentation | Preventive | |
| Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 | Establish/Maintain Documentation | Preventive | |
| Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 | Establish/Maintain Documentation | Preventive | |
| Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 | Establish/Maintain Documentation | Preventive | |
| Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 | Establish/Maintain Documentation | Preventive | |
| Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 | Human Resources Management | Preventive | |
| Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670 | Establish/Maintain Documentation | Preventive | |
| Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 [The public cloud PII processor should have a policy in respect of the return, transfer and/or disposal of PII and should make this policy available to the cloud service customer. § A.9.3 ¶ 2 The public cloud PII processor should have a policy in respect of the return, transfer and/or disposal of PII and should make this policy available to the cloud service customer. § A.9.3 ¶ 2] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 | Establish/Maintain Documentation | Preventive | |
| Display or print the least amount of personal data necessary. CC ID 04643 [The creation of hardcopy material displaying PII should be restricted. § A.10.2 ¶ 2] | Data and Information Management | Preventive | |
| Redact confidential information from public information, as necessary. CC ID 06872 | Data and Information Management | Preventive | |
| Notify the data subject of changes to personal data use. CC ID 00105 | Behavior | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 [PII processed under a contract should not be used by the public cloud PII processor for the purposes of marketing and advertising without express consent. Such consent should not be a condition of receiving the service. § A.2.2 ¶ 2] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain data access procedures. CC ID 00414 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 [{right to erasure} {right to rectification} The public cloud PII processor should provide the cloud service customer with the means to enable them to fulfil their obligation to facilitate the exercise of PII principals’ rights to access, correct and/or erase PII pertaining to them. § A.1.1 ¶ 2] | Establish/Maintain Documentation | Preventive | |
| Submit personal data removal requests in writing. CC ID 11973 | Records Management | Preventive | |
| Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Establish/Maintain Documentation | Preventive | |
| Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Records Management | Corrective | |
| Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 | Establish/Maintain Documentation | Preventive | |
| Refrain from processing restricted data, as necessary. CC ID 12551 [PII to be processed under a contract should not be processed for any purpose independent of the instructions of the cloud service customer. § A.2.1 ¶ 2] | Records Management | Preventive | |
| Refrain from processing restricted data if the restricted data is involved in a legal claim. CC ID 12668 | Process or Activity | Preventive | |
| Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 | Process or Activity | Preventive | |
| Refrain from erasing personal data when the data subject consents to retention. CC ID 14326 | Business Processes | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778 | Process or Activity | Detective | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649 | Process or Activity | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644 | Process or Activity | Preventive | |
| Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 | Data and Information Management | Preventive | |
| Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 | Data and Information Management | Preventive | |
| Refrain from processing personal data when it reveals trade union membership. CC ID 12583 | Business Processes | Preventive | |
| Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 | Business Processes | Preventive | |
| Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 | Business Processes | Preventive | |
| Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 | Business Processes | Preventive | |
| Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 | Business Processes | Preventive | |
| Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 | Business Processes | Preventive | |
| Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 | Business Processes | Preventive | |
| Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 | Business Processes | Preventive | |
| Refrain from processing personal data when it reveals political opinions. CC ID 12575 | Business Processes | Preventive | |
| Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 | Business Processes | Preventive | |
| Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 | Process or Activity | Preventive | |
| Define the exceptions to disclosure absent consent. CC ID 00135 | Establish/Maintain Documentation | Preventive | |
| Disclose restricted data absent consent when it is needed by law. CC ID 00163 | Data and Information Management | Preventive | |
| Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796 [The contract between the public cloud PII processor and the cloud service customer should require the public cloud PII processor to notify the cloud service customer, in accordance with any procedure and time periods agreed in the contract, of any legally binding request for disclosure of PII by a law enforcement authority, unless such a disclosure is otherwise prohibited. § A.5.1 ¶ 2] | Data and Information Management | Preventive | |
| Establish, implement, and maintain a personal data collection program. CC ID 06487 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 | Establish/Maintain Documentation | Preventive | |
| Provide the data subject with information about the data controller during the collection process. CC ID 00023 | Establish/Maintain Documentation | Preventive | |
| Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026 [The use of sub-contractors by the public cloud PII processor to process PII should be disclosed to the relevant cloud service customers before their use. § A.7.1 ¶ 2] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a data handling program. CC ID 13427 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain data handling policies. CC ID 00353 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 [Individuals under the public cloud PII processor’s control with access to PII should be subject to a confidentiality obligation. § A.10.1 ¶ 2] | Establish/Maintain Documentation | Preventive | |
| Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 | Data and Information Management | Preventive | |
| Protect electronic messaging information. CC ID 12022 | Technical Security | Preventive | |
| Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 | Data and Information Management | Preventive | |
| Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Configuration | Preventive | |
| Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Testing | Detective | |
| Store payment card data in secure chips, if possible. CC ID 13065 | Configuration | Preventive | |
| Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Configuration | Preventive | |
| Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Technical Security | Preventive | |
| Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Data and Information Management | Preventive | |
| Log the disclosure of personal data. CC ID 06628 [{disclosure accounting record} {disclosure recipient} {disclosure date} Disclosures of PII to third parties should be recorded, including what PII has been disclosed, to whom and at what time. § A.5.2 ¶ 2] | Log Management | Preventive | |
| Log the modification of personal data. CC ID 11844 | Log Management | Preventive | |
| Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Technical Security | Preventive | |
| Implement security measures to protect personal data. CC ID 13606 | Technical Security | Preventive | |
| Implement physical controls to protect personal data. CC ID 00355 | Testing | Preventive | |
| Limit data leakage. CC ID 00356 | Data and Information Management | Preventive | |
| Conduct personal data risk assessments. CC ID 00357 | Testing | Detective | |
| Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Monitor and Evaluate Occurrences | Preventive | |
| Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 | Business Processes | Preventive | |
| Establish, implement, and maintain suspicious document procedures. CC ID 04852 | Establish/Maintain Documentation | Detective | |
| Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 | Data and Information Management | Detective | |
| Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 | Data and Information Management | Detective | |
| Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Monitor and Evaluate Occurrences | Detective | |
| Perform an identity check prior to approving an account change request. CC ID 13670 | Investigate | Detective | |
| Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 | Behavior | Detective | |
| Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 | Data and Information Management | Detective | |
| Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 | Log Management | Detective | |
| Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 | Monitor and Evaluate Occurrences | Corrective | |
| Log dates for account name changes or address changes. CC ID 04876 | Log Management | Detective | |
| Review accounts that are changed for additional user requests. CC ID 11846 | Monitor and Evaluate Occurrences | Detective | |
| Send change notices for change of address requests to the old address and the new address. CC ID 04877 | Data and Information Management | Detective | |
| Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 | Acquisition/Sale of Assets or Services | Preventive | |
| Search the Internet for evidence of data leakage. CC ID 10419 | Process or Activity | Detective | |
| Alert appropriate personnel when data leakage is detected. CC ID 14715 | Process or Activity | Preventive | |
| Review monitored websites for data leakage. CC ID 10593 | Monitor and Evaluate Occurrences | Detective | |
| Take appropriate action when a data leakage is discovered. CC ID 14716 | Process or Activity | Corrective | |
| Establish, implement, and maintain a personal data transfer program. CC ID 00307 | Establish/Maintain Documentation | Preventive | |
| Include procedures for transferring personal data to third parties in the personal data transfer program. CC ID 00333 [The public cloud PII processor should have a policy in respect of the return, transfer and/or disposal of PII and should make this policy available to the cloud service customer. § A.9.3 ¶ 2] | Establish/Maintain Documentation | Preventive | |
| Notify data subjects of the geographic locations of the third parties when transferring personal data to third parties. CC ID 14414 | Communicate | Preventive | |
| Provide an adequate data protection level by the transferee prior to transferring personal data to another country. CC ID 00314 | Data and Information Management | Preventive | |
| Refrain from restricting personal data transfers to member states of the European Union. CC ID 00312 | Data and Information Management | Preventive | |
| Prohibit the transfer of personal data when security is inadequate. CC ID 00345 | Data and Information Management | Preventive | |
| Meet the use of limitation exceptions in order to transfer personal data. CC ID 00346 | Data and Information Management | Preventive | |
| Refrain from transferring past the first transfer. CC ID 00347 | Data and Information Management | Preventive | |
| Document transfer disagreements by the data subject in writing. CC ID 00348 | Establish/Maintain Documentation | Preventive | |
| Allow the data subject the right to object to the personal data transfer. CC ID 00349 | Data and Information Management | Preventive | |
| Authorize the transfer of restricted data in accordance with organizational standards. CC ID 16428 | Records Management | Preventive | |
| Follow the instructions of the data transferrer. CC ID 00334 | Behavior | Preventive | |
| Define the personal data transfer exceptions for transferring personal data to another country when adequate protection level standards are not met. CC ID 00315 | Establish/Maintain Documentation | Preventive | |
| Include publicly available information as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00316 | Data and Information Management | Preventive | |
| Include transfer agreements between data controllers and third parties when it is for the data subject's interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00317 | Data and Information Management | Preventive | |
| Include personal data for the health field and for treatment as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00318 | Data and Information Management | Preventive | |
| Include personal data for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00319 | Data and Information Management | Preventive | |
| Include personal data for important public interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00320 | Data and Information Management | Preventive | |
| Include consent by the data subject as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00321 | Data and Information Management | Preventive | |
| Include personal data used for a contract as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00322 | Data and Information Management | Preventive | |
| Include personal data for protecting the data subject or the data subject's interests, such as saving his/her life or providing healthcare as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00323 | Data and Information Management | Preventive | |
| Include personal data that is necessary to fulfill international law obligations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00324 | Data and Information Management | Preventive | |
| Include personal data used for legal investigations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00325 | Data and Information Management | Preventive | |
| Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00326 | Data and Information Management | Preventive | |
| Require transferees to implement adequate data protection levels for the personal data. CC ID 00335 | Data and Information Management | Preventive | |
| Refrain from requiring a contract between the data controller and trusted third parties when personal information is transferred. CC ID 12527 | Business Processes | Preventive | |
| Define the personal data transfer exceptions for transferring personal data to another organization when adequate protection level standards are not met. CC ID 00336 | Establish/Maintain Documentation | Preventive | |
| Include personal data that is publicly available information as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00337 | Data and Information Management | Preventive | |
| Include personal data that is used for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00338 | Data and Information Management | Preventive | |
| Include personal data that is used for important public interest as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00339 | Data and Information Management | Preventive | |
| Include consent by the data subject as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00340 | Data and Information Management | Preventive | |
| Include personal data that is used for a contract as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00341 | Data and Information Management | Preventive | |
| Include personal data that is used for protecting the data subject or the data subject's interests, such as providing healthcare or saving his/her life as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00342 | Data and Information Management | Preventive | |
| Include personal data that is used for a legal investigation as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00343 | Data and Information Management | Preventive | |
| Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00344 | Data and Information Management | Preventive | |
| Notify data subjects about organizational liability when transferring personal data to third parties. CC ID 12353 | Communicate | Preventive | |
| Notify the data subject of any personal data changes during the personal data transfer. CC ID 00350 | Behavior | Preventive | |
Records management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Records management CC ID 00902 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain records management policies. CC ID 00903 | Establish/Maintain Documentation | Preventive | |
| Define each system's preservation requirements for records and logs. CC ID 00904 | Establish/Maintain Documentation | Detective | |
| Determine how long to keep records and logs before disposing them. CC ID 11661 [Temporary files and documents should be erased or destroyed within a specified, documented period. § A.4.1 ¶ 2] | Process or Activity | Preventive | |
| Retain records in accordance with applicable requirements. CC ID 00968 | Records Management | Preventive | |
| Define each system's disposition requirements for records and logs. CC ID 11651 | Process or Activity | Preventive | |
| Establish, implement, and maintain records disposition procedures. CC ID 00971 | Establish/Maintain Documentation | Preventive | |
| Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621 | Records Management | Preventive | |
| Destroy printed records so they cannot be reconstructed. CC ID 11779 [Where hardcopy materials are destroyed, they should be destroyed securely using mechanisms such as cross-cutting, shredding, incinerating, pulping, etc. § A.10.7 ¶ 2] | Physical and Environmental Protection | Preventive | |
| Automate a programmatic process to remove stored data and records that exceed retention requirements. CC ID 06082 [A procedure, preferably automatic, should be put in place to ensure that logged information is deleted within a specified and documented period. § 12.4.2 ¶ 4] | Data and Information Management | Preventive | |
| Establish, implement, and maintain records management procedures. CC ID 11619 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a records lifecycle management program. CC ID 00951 | Establish/Maintain Documentation | Preventive | |
| Implement and maintain backups and duplicate copies of organizational records. CC ID 00953 [Copies of security policies and operating procedures should be retained for a specified, documented period upon replacement (including updating). § A.9.2 ¶ 2 Copies of security policies and operating procedures should be retained for a specified, documented period upon replacement (including updating). § A.9.2 ¶ 2] | Records Management | Preventive | |
| Establish, implement, and maintain the duplicate original of record indexes. CC ID 00954 | Records Management | Preventive | |
| Establish, implement, and maintain online storage controls. CC ID 00942 | Technical Security | Preventive | |
| Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 | Records Management | Preventive | |
| Provide encryption for different types of electronic storage media. CC ID 00945 [{portable computing device} {removable media} Portable physical media and portable devices that do not permit encryption should not be used except where it is unavoidable, and any use of such portable media and devices should be documented. § A.10.5 ¶ 2] | Technical Security | Preventive | |
| Establish, implement, and maintain a removable storage media log. CC ID 12317 | Log Management | Preventive | |
| Include the date and time in the removable storage media log. CC ID 12318 [{removable storage media log} Whenever physical media are used for information transfer, a system should be put in place to record incoming and outgoing physical media containing PII, including the type of physical media, the authorized sender/recipients, the date and time, and the number of physical media. Where possible, cloud service customers should be asked to put additional measures in place (such as encryption) to ensure that the data can only be accessed at the point of destination and not en route. § 13.2.1 ¶ 3] | Establish/Maintain Documentation | Preventive | |
| Include the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 [{removable storage media log} Whenever physical media are used for information transfer, a system should be put in place to record incoming and outgoing physical media containing PII, including the type of physical media, the authorized sender/recipients, the date and time, and the number of physical media. Where possible, cloud service customers should be asked to put additional measures in place (such as encryption) to ensure that the data can only be accessed at the point of destination and not en route. § 13.2.1 ¶ 3] | Establish/Maintain Documentation | Preventive | |
| Include the recipient's name for the data transfer in the removable storage media log. CC ID 12753 [{removable storage media log} Whenever physical media are used for information transfer, a system should be put in place to record incoming and outgoing physical media containing PII, including the type of physical media, the authorized sender/recipients, the date and time, and the number of physical media. Where possible, cloud service customers should be asked to put additional measures in place (such as encryption) to ensure that the data can only be accessed at the point of destination and not en route. § 13.2.1 ¶ 3] | Establish/Maintain Documentation | Preventive | |
| Include the sender's name in the removable storage media log. CC ID 12752 [{removable storage media log} Whenever physical media are used for information transfer, a system should be put in place to record incoming and outgoing physical media containing PII, including the type of physical media, the authorized sender/recipients, the date and time, and the number of physical media. Where possible, cloud service customers should be asked to put additional measures in place (such as encryption) to ensure that the data can only be accessed at the point of destination and not en route. § 13.2.1 ¶ 3] | Establish/Maintain Documentation | Preventive | |
| Include the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 [{removable storage media log} Whenever physical media are used for information transfer, a system should be put in place to record incoming and outgoing physical media containing PII, including the type of physical media, the authorized sender/recipients, the date and time, and the number of physical media. Where possible, cloud service customers should be asked to put additional measures in place (such as encryption) to ensure that the data can only be accessed at the point of destination and not en route. § 13.2.1 ¶ 3] | Establish/Maintain Documentation | Preventive | |
System hardening through configuration management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| System hardening through configuration management CC ID 00860 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain system hardening procedures. CC ID 12001 | Establish/Maintain Documentation | Preventive | |
| Configure the system account settings and the permission settings in accordance with the organizational standards. CC ID 01538 | Configuration | Preventive | |
| Configure user accounts. CC ID 07036 | Configuration | Preventive | |
| Remove unnecessary default accounts. CC ID 01539 | Configuration | Preventive | |
| Disable all unnecessary user identifiers. CC ID 02185 [De-activated or expired user IDs should not be granted to other individuals. § A.10.10 ¶ 2] | Configuration | Preventive | |
| Configure Logging settings in accordance with organizational standards. CC ID 07611 | Configuration | Preventive | |
| Configure the detailed data elements to be captured for all logs so that events are identified by type, location, subject, user, what data was accessed, etc. CC ID 06331 | Configuration | Preventive | |
| Configure the log to capture creates, reads, updates, or deletes of records containing personal data. CC ID 11890 [Where possible, event logs should record whether or not PII has been changed (added, modified or deleted) as a result of an event and by whom. Where multiple service providers are involved in providing service from different service categories of the cloud computing reference architecture, there may be varied or shared roles in implementing this guidance. § 12.4.1 ¶ 4] | Log Management | Detective | |
| Configure the log to capture the information referent when personal data is being accessed. CC ID 11968 | Log Management | Detective | |
Systems design, build, and implementation | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Systems design, build, and implementation CC ID 00989 | IT Impact Zone | IT Impact Zone | |
| Initiate the System Development Life Cycle planning phase. CC ID 06266 | Systems Design, Build, and Implementation | Preventive | |
| Establish, implement, and maintain a system design project management framework. CC ID 00990 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain project management standards. CC ID 00992 | Establish/Maintain Documentation | Preventive | |
| Perform a risk assessment for each system development project. CC ID 01000 [{technical measures} Where the use of PII for testing purposes cannot be avoided a risk assessment should be undertaken. Technical and organizational measures should be implemented to minimize the risks identified. § 12.1.4 ¶ 3] | Testing | Detective | |
Technical security | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Technical security CC ID 00508 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain an access control program. CC ID 11702 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an access rights management plan. CC ID 00513 [Procedures for user registration and de-registration should address the situation where user access control is compromised, such as the corruption or compromise of passwords or other user registration data (e.g. as a result of inadvertent disclosure). § 9.2.1 ¶ 3] | Establish/Maintain Documentation | Preventive | |
| Implement safeguards to protect access credentials from unauthorized access. CC ID 16433 | Technical Security | Preventive | |
| Inventory all user accounts. CC ID 13732 | Establish/Maintain Documentation | Preventive | |
| Identify information system users. CC ID 12081 | Technical Security | Detective | |
| Review user accounts. CC ID 00525 | Technical Security | Detective | |
| Match user accounts to authorized parties. CC ID 12126 | Configuration | Detective | |
| Identify and authenticate processes running on information systems that act on behalf of users. CC ID 12082 | Technical Security | Detective | |
| Establish and maintain contact information for user accounts, as necessary. CC ID 15418 | Data and Information Management | Preventive | |
| Review shared accounts. CC ID 11840 | Technical Security | Detective | |
| Control access rights to organizational assets. CC ID 00004 | Technical Security | Preventive | |
| Configure access control lists in accordance with organizational standards. CC ID 16465 | Configuration | Preventive | |
| Add all devices requiring access control to the Access Control List. CC ID 06264 | Establish/Maintain Documentation | Preventive | |
| Generate but refrain from storing authenticators or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835 | Technical Security | Preventive | |
| Disallow application IDs from running as privileged users. CC ID 10050 | Configuration | Detective | |
| Define roles for information systems. CC ID 12454 | Human Resources Management | Preventive | |
| Define access needs for each role assigned to an information system. CC ID 12455 | Human Resources Management | Preventive | |
| Define access needs for each system component of an information system. CC ID 12456 | Technical Security | Preventive | |
| Define the level of privilege required for each system component of an information system. CC ID 12457 | Technical Security | Preventive | |
| Establish access rights based on least privilege. CC ID 01411 | Technical Security | Preventive | |
| Assign user permissions based on job responsibilities. CC ID 00538 | Technical Security | Preventive | |
| Assign user privileges after they have management sign off. CC ID 00542 | Technical Security | Preventive | |
| Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 | Configuration | Preventive | |
| Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 | Technical Security | Preventive | |
| Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 | Configuration | Preventive | |
| Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 | Communicate | Corrective | |
| Disallow unlocking user accounts absent system administrator approval. CC ID 01413 | Technical Security | Preventive | |
| Establish, implement, and maintain session lock capabilities. CC ID 01417 | Configuration | Preventive | |
| Limit concurrent sessions according to account type. CC ID 01416 | Configuration | Preventive | |
| Establish session authenticity through Transport Layer Security. CC ID 01627 | Technical Security | Preventive | |
| Configure the "tlsverify" argument to organizational standards. CC ID 14460 | Configuration | Preventive | |
| Configure the "tlscacert" argument to organizational standards. CC ID 14521 | Configuration | Preventive | |
| Configure the "tlscert" argument to organizational standards. CC ID 14520 | Configuration | Preventive | |
| Configure the "tlskey" argument to organizational standards. CC ID 14519 | Configuration | Preventive | |
| Enable access control for objects and users on each system. CC ID 04553 [In the context of the service categories of the cloud computing reference architecture, the cloud service customer may be responsible for some or all aspects of access management for cloud service users under its control. Where appropriate, the public cloud PII processor should enable the cloud service customer to manage access by cloud service users under the cloud service customer’s control, such as by providing administrative rights to manage or terminate access. § 9.2 ¶ 3] | Configuration | Preventive | |
| Include all system components in the access control system. CC ID 11939 | Technical Security | Preventive | |
| Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 | Process or Activity | Preventive | |
| Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 | Technical Security | Preventive | |
| Enable attribute-based access control for objects and users on information systems. CC ID 16351 | Technical Security | Preventive | |
| Enable role-based access control for objects and users on information systems. CC ID 12458 | Technical Security | Preventive | |
| Include the objects and users subject to access control in the security policy. CC ID 11836 | Establish/Maintain Documentation | Preventive | |
| Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Establish Roles | Preventive | |
| Enforce access restrictions for change control. CC ID 01428 | Technical Security | Preventive | |
| Enforce access restrictions for restricted data. CC ID 01921 | Data and Information Management | Preventive | |
| Permit a limited set of user actions absent identification and authentication. CC ID 04849 | Technical Security | Preventive | |
| Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455 | Testing | Detective | |
| Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262 | Technical Security | Preventive | |
| Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 | Establish/Maintain Documentation | Preventive | |
| Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 | Establish/Maintain Documentation | Preventive | |
| Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770 | Technical Security | Preventive | |
| Display previous logon information in the logon banner. CC ID 01415 | Configuration | Preventive | |
| Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771 | Establish/Maintain Documentation | Preventive | |
| Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964 | Technical Security | Preventive | |
| Control user privileges. CC ID 11665 | Technical Security | Preventive | |
| Review all user privileges, as necessary. CC ID 06784 | Technical Security | Preventive | |
| Revoke asset access when a personnel status change occurs or an individual is terminated. CC ID 00516 | Behavior | Corrective | |
| Encrypt files and move them to a secure file server when a user account is disabled. CC ID 07065 | Configuration | Preventive | |
| Review and update accounts and access rights when notified of personnel status changes. CC ID 00788 | Behavior | Corrective | |
| Change authenticators after personnel status changes. CC ID 12284 | Human Resources Management | Preventive | |
| Review each user's access capabilities when their role changes. CC ID 00524 | Technical Security | Preventive | |
| Establish and maintain a Digital Rights Management program. CC ID 07093 | Establish/Maintain Documentation | Preventive | |
| Enable products restricted by Digital Rights Management to be used while offline. CC ID 07094 | Technical Security | Preventive | |
| Establish, implement, and maintain User Access Management procedures. CC ID 00514 | Technical Security | Preventive | |
| Establish, implement, and maintain an authority for access authorization list. CC ID 06782 | Establish/Maintain Documentation | Preventive | |
| Review and approve logical access to all assets based upon organizational policies. CC ID 06641 | Technical Security | Preventive | |
| Control the addition and modification of user identifiers, user credentials, or other authenticators. CC ID 00515 | Technical Security | Preventive | |
| Assign roles and responsibilities for administering user account management. CC ID 11900 | Human Resources Management | Preventive | |
| Automate access control methods, as necessary. CC ID 11838 | Technical Security | Preventive | |
| Automate Access Control Systems, as necessary. CC ID 06854 | Technical Security | Preventive | |
| Refrain from storing logon credentials for third party applications. CC ID 13690 | Technical Security | Preventive | |
| Refrain from allowing user access to identifiers and authenticators used by applications. CC ID 10048 | Technical Security | Preventive | |
| Notify interested personnel when user accounts are added or deleted. CC ID 14327 | Communicate | Detective | |
| Remove inactive user accounts, as necessary. CC ID 00517 | Technical Security | Corrective | |
| Remove temporary user accounts, as necessary. CC ID 11839 | Technical Security | Corrective | |
| Establish, implement, and maintain a password policy. CC ID 16346 | Establish/Maintain Documentation | Preventive | |
| Enforce the password policy. CC ID 16347 | Technical Security | Preventive | |
| Disseminate and communicate the password policies and password procedures to all users who have access to restricted data or restricted information. CC ID 00518 | Establish/Maintain Documentation | Preventive | |
| Limit superuser accounts to designated System Administrators. CC ID 06766 | Configuration | Preventive | |
| Enforce usage restrictions for superuser accounts. CC ID 07064 | Technical Security | Preventive | |
| Establish, implement, and maintain user accounts in accordance with the organizational Governance, Risk, and Compliance framework. CC ID 00526 | Technical Security | Preventive | |
| Protect and manage biometric systems and biometric data. CC ID 01261 | Technical Security | Preventive | |
| Establish, implement, and maintain biometric collection procedures. CC ID 15419 | Establish/Maintain Documentation | Preventive | |
| Document the business need justification for authentication data storage. CC ID 06325 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain access control procedures. CC ID 11663 [Where required, the public cloud PII processor should provide secure log-on procedures for any accounts requested by the cloud service customer for cloud service users under its control. § 9.4.2 ¶ 3] | Establish/Maintain Documentation | Preventive | |
| Implement out-of-band authentication, as necessary. CC ID 10606 | Technical Security | Corrective | |
| Grant access to authorized personnel or systems. CC ID 12186 | Configuration | Preventive | |
| Document approving and granting access in the access control log. CC ID 06786 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 | Communicate | Preventive | |
| Include the user identifiers of all personnel who are authorized to access a system in the system record. CC ID 15171 | Establish/Maintain Documentation | Preventive | |
| Include identity information of all personnel who are authorized to access a system in the system record. CC ID 16406 | Establish/Maintain Documentation | Preventive | |
| Include the date and time that access was reviewed in the system record. CC ID 16416 | Data and Information Management | Preventive | |
| Include the date and time that access rights were changed in the system record. CC ID 16415 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the access control procedures to all interested personnel and affected parties. CC ID 14123 | Communicate | Corrective | |
| Include digital identification procedures in the access control program. CC ID 11841 | Technical Security | Preventive | |
| Employ unique identifiers. CC ID 01273 [If more than one individual has access to stored PII, then they should each have a distinct user ID for identification, authentication and authorization purposes. § A.10.8 ¶ 2] | Testing | Detective | |
| Enforce information flow control. CC ID 11781 | Monitor and Evaluate Occurrences | Preventive | |
| Establish, implement, and maintain information flow control configuration standards. CC ID 01924 [PII transmitted using a data-transmission network should be subject to appropriate controls designed to ensure that data reaches its intended destination. § A.11.2 ¶ 2] | Establish/Maintain Documentation | Preventive | |
| Restrict traffic or information flow based on the node type. CC ID 16396 | Technical Security | Preventive | |
| Restrict traffic or information flow based on the destination address. CC ID 16378 | Technical Security | Preventive | |
| Restrict traffic or information flow based on the origination address. CC ID 16484 | Technical Security | Preventive | |
| Assign appropriate roles for enabling or disabling information flow controls. CC ID 06760 | Establish Roles | Preventive | |
| Require the system to identify and authenticate approved devices before establishing a connection. CC ID 01429 | Testing | Preventive | |
| Maintain a record of the challenge state during identification and authentication in an automated information exchange. CC ID 06629 | Establish/Maintain Documentation | Preventive | |
| Monitor and report on the organization's interconnectivity risk. CC ID 13172 | Monitor and Evaluate Occurrences | Detective | |
| Configure network flow monitoring to organizational standards. CC ID 16364 | Configuration | Preventive | |
| Perform content filtering scans on network traffic. CC ID 06761 | Monitor and Evaluate Occurrences | Detective | |
| Develop and implement a content filtering word and phrase library. CC ID 07071 | Establish/Maintain Documentation | Preventive | |
| Use content filtering scans to identify information flows by data type specification. CC ID 06762 | Technical Security | Preventive | |
| Use content filtering scans to identify information flows by data type usage. CC ID 11818 | Technical Security | Preventive | |
| Take appropriate action to address information flow anomalies. CC ID 12164 | Investigate | Corrective | |
| Document information flow anomalies that do not fit normal traffic patterns. CC ID 12163 | Investigate | Detective | |
| Prevent encrypted data from bypassing content filtering mechanisms. CC ID 06758 | Technical Security | Preventive | |
| Perform content filtering scans on incoming and outgoing e-mail. CC ID 06733 | Monitor and Evaluate Occurrences | Detective | |
| Establish, implement, and maintain a data loss prevention solution to protect Access Control Lists. CC ID 12128 | Technical Security | Preventive | |
| Establish, implement, and maintain an automated information flow approval process or semi-automated information flow approval process for transmitting or receiving restricted data or restricted information. CC ID 06734 | Data and Information Management | Detective | |
| Constrain the information flow of restricted data or restricted information. CC ID 06763 | Data and Information Management | Preventive | |
| Quarantine data that fails security tests. CC ID 16500 | Data and Information Management | Corrective | |
| Restrict access to restricted data and restricted information on a need to know basis. CC ID 12453 | Data and Information Management | Preventive | |
| Prohibit restricted data or restricted information from being sent to mobile devices. CC ID 04725 | Data and Information Management | Preventive | |
| Prohibit restricted data or restricted information from being copied or moved absent approval of system boundaries for information flow control. CC ID 06310 | Data and Information Management | Preventive | |
| Manage the use of encryption controls and cryptographic controls. CC ID 00570 | Technical Security | Preventive | |
| Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564 [{public network} PII that is transmitted over public data-transmission networks should be encrypted prior to transmission. § A.10.6 ¶ 2] | Technical Security | Preventive | |
| Ensure restricted data or restricted information are encrypted prior to or at the time of transmission. CC ID 01749 | Configuration | Preventive | |
| Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 | Technical Security | Preventive | |
| Encrypt traffic over networks with trusted cryptographic keys. CC ID 12490 | Technical Security | Preventive | |
| Authorize transactions of data transmitted over public networks or shared data networks. CC ID 00566 | Establish/Maintain Documentation | Preventive | |
| Implement non-repudiation for transactions. CC ID 00567 | Testing | Detective | |
| Treat data messages that do not receive an acknowledgment as never been sent. CC ID 14416 | Technical Security | Preventive | |
| Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 | Technical Security | Preventive | |
| Protect application services information transmitted over a public network from unauthorized modification. CC ID 12021 | Technical Security | Preventive | |
| Protect application services information transmitted over a public network from unauthorized disclosure. CC ID 12020 | Technical Security | Preventive | |
| Protect application services information transmitted over a public network from contract disputes. CC ID 12019 | Technical Security | Preventive | |
| Protect application services information transmitted over a public network from fraudulent activity. CC ID 12018 | Technical Security | Preventive | |
Third Party and supply chain oversight | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Third Party and supply chain oversight CC ID 08807 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a supply chain management program. CC ID 11742 | Establish/Maintain Documentation | Preventive | |
| Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 [The information security policies should be augmented by a statement concerning support for and commitment to achieving compliance with applicable PII protection legislation and the contractual terms agreed between the public cloud PII processor and its clients (cloud service customers). § 5.1.1 ¶ 3] | Process or Activity | Detective | |
| Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 | Establish/Maintain Documentation | Preventive | |
| Include a description of the product or service to be provided in third party contracts. CC ID 06509 | Establish/Maintain Documentation | Preventive | |
| Include a description of the products or services fees in third party contracts. CC ID 10018 | Establish/Maintain Documentation | Preventive | |
| Include which parties are responsible for which fees in third party contracts. CC ID 10019 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 | Establish/Maintain Documentation | Preventive | |
| Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Establish/Maintain Documentation | Preventive | |
| Include the security requirements in the information flow agreement. CC ID 14244 | Establish/Maintain Documentation | Preventive | |
| Include the interface characteristics in the information flow agreement. CC ID 14240 | Establish/Maintain Documentation | Preventive | |
| Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528 | Establish/Maintain Documentation | Preventive | |
| Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 | Establish/Maintain Documentation | Preventive | |
| Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 | Establish/Maintain Documentation | Preventive | |
| Include a description of the data or information to be covered in third party contracts. CC ID 06510 | Establish/Maintain Documentation | Preventive | |
| Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 [Contractual agreements should clearly allocate responsibilities between the public cloud PII processor, its sub-contractors and the cloud service customer, taking into account the type of cloud service in question (e.g. a service of an IaaS, PaaS or SaaS category of the cloud computing reference architecture). For example, the allocation of responsibility for application layer controls may differ depending on whether the public cloud PII processor is providing a SaaS service or rather is providing a PaaS or IaaS service upon which the cloud service customer can build or layer its own applications. § 5.1.1 ¶ 4] | Business Processes | Preventive | |
| Include text about data ownership in third party contracts. CC ID 06502 | Establish/Maintain Documentation | Preventive | |
| Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 | Establish/Maintain Documentation | Preventive | |
| Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 | Establish/Maintain Documentation | Preventive | |
| Include the contract duration in third party contracts. CC ID 16221 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in third party contracts. CC ID 13487 | Establish/Maintain Documentation | Preventive | |
| Include cryptographic keys in third party contracts. CC ID 16179 | Establish/Maintain Documentation | Preventive | |
| Include bankruptcy provisions in third party contracts. CC ID 16519 | Establish/Maintain Documentation | Preventive | |
| Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 | Establish/Maintain Documentation | Preventive | |
| Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 | Establish/Maintain Documentation | Preventive | |
| Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 | Establish/Maintain Documentation | Preventive | |
| Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 | Establish/Maintain Documentation | Preventive | |
| Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 | Establish/Maintain Documentation | Preventive | |
| Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 | Establish/Maintain Documentation | Preventive | |
| Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 | Establish/Maintain Documentation | Preventive | |
| Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 | Establish/Maintain Documentation | Preventive | |
| Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 | Establish/Maintain Documentation | Preventive | |
| Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 | Establish/Maintain Documentation | Preventive | |
| Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 | Establish/Maintain Documentation | Preventive | |
| Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 | Establish/Maintain Documentation | Preventive | |
| Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 | Establish/Maintain Documentation | Preventive | |
| Include a reporting structure in third party contracts. CC ID 06532 | Establish/Maintain Documentation | Preventive | |
| Include points of contact in third party contracts. CC ID 12355 [The public cloud PII processor should designate a point of contact for use by the cloud service customer regarding the processing of PII under the contract. § 6.1.1 ¶ 3] | Establish/Maintain Documentation | Preventive | |
| Include financial reporting in third party contracts, as necessary. CC ID 13573 | Establish/Maintain Documentation | Preventive | |
| Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 | Establish/Maintain Documentation | Preventive | |
| Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 | Establish/Maintain Documentation | Preventive | |
| Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 | Establish/Maintain Documentation | Preventive | |
| Include training requirements in third party contracts. CC ID 16367 | Acquisition/Sale of Assets or Services | Preventive | |
| Include an indemnification and liability clause in third party contracts. CC ID 06517 | Establish/Maintain Documentation | Preventive | |
| Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 | Establish/Maintain Documentation | Preventive | |
| Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 | Establish/Maintain Documentation | Preventive | |
| Include text regarding foreign-based third parties in third party contracts. CC ID 06722 | Establish/Maintain Documentation | Preventive | |
| Include change control clauses in third party contracts, as necessary. CC ID 06523 | Establish/Maintain Documentation | Preventive | |
| Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 | Establish/Maintain Documentation | Preventive | |
| Include triggers for renegotiating the contract in third party contracts. CC ID 06527 | Establish/Maintain Documentation | Preventive | |
| Include change control notification processes in third party contracts. CC ID 06524 | Establish/Maintain Documentation | Preventive | |
| Include cost structure changes in third party contracts. CC ID 10021 | Establish/Maintain Documentation | Preventive | |
| Include a choice of venue clause in third party contracts. CC ID 06520 | Establish/Maintain Documentation | Preventive | |
| Include a dispute resolution clause in third party contracts. CC ID 06519 | Establish/Maintain Documentation | Preventive | |
| Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 | Establish/Maintain Documentation | Preventive | |
| Include a termination provision clause in third party contracts. CC ID 01367 | Establish/Maintain Documentation | Detective | |
| Include early termination contingency plans in the third party contracts. CC ID 06526 | Establish/Maintain Documentation | Preventive | |
| Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 | Establish/Maintain Documentation | Preventive | |
| Include termination costs in third party contracts. CC ID 10023 | Establish/Maintain Documentation | Preventive | |
| Include text about obtaining adequate insurance in third party contracts. CC ID 06880 | Establish/Maintain Documentation | Preventive | |
| Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 | Establish/Maintain Documentation | Preventive | |
| Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 | Establish/Maintain Documentation | Preventive | |
| Include end-of-life information in third party contracts. CC ID 15265 | Establish/Maintain Documentation | Preventive | |
| Include third party requirements for personnel security in third party contracts. CC ID 00790 | Testing | Detective | |
| Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791 | Establish/Maintain Documentation | Preventive | |
| Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 | Testing | Detective | |
| Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 | Testing | Detective | |
| Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 | Establish/Maintain Documentation | Preventive | |
| Establish the third party's service continuity. CC ID 00797 | Testing | Detective | |
| Determine the adequacy of a third party's alternate site preparations. CC ID 06879 | Testing | Detective | |
| Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 | Data and Information Management | Detective | |
| Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 | Testing | Detective | |
| Include disclosure requirements in third party contracts. CC ID 08825 | Business Processes | Preventive | |
| Include requirements for alternate processing facilities in third party contracts. CC ID 13059 | Establish/Maintain Documentation | Preventive | |
| Conduct all parts of the supply chain due diligence process. CC ID 08854 | Business Processes | Preventive | |
| Assess third parties' compliance environment during due diligence. CC ID 13134 | Process or Activity | Detective | |
| Request attestation of compliance from third parties. CC ID 12067 | Establish/Maintain Documentation | Detective | |
| Document the third parties compliance with the organization's system hardening framework. CC ID 04263 [{technical measures} Contracts between the cloud service customer and the public cloud PII processor should specify minimum technical and organizational measures to ensure that the contracted security arrangements are in place and that data are not processed for any purpose independent of the instructions of the controller. Such measures should not be subject to unilateral reduction by the public cloud PII processor. § A.10.11 ¶ 2] | Technical Security | Detective | |
Common Controls andEach Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
Acquisition/Sale of Assets or Services | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 | Operational and Systems Continuity | Preventive | |
| Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 | Privacy protection for information and data | Preventive | |
| Include training requirements in third party contracts. CC ID 16367 | Third Party and supply chain oversight | Preventive | |
Actionable Reports or Measurements | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Refrain from including restricted information in the incident response notification. CC ID 16806 | Operational management | Preventive | |
Audits and Risk Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424 | Monitoring and measurement | Preventive | |
| Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 | Monitoring and measurement | Preventive | |
| Prioritize and select controls based on the risk assessment findings. CC ID 00707 [{technical measures} Where the use of PII for testing purposes cannot be avoided a risk assessment should be undertaken. Technical and organizational measures should be implemented to minimize the risks identified. § 12.1.4 ¶ 3] | Audits and risk management | Preventive | |
| Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 | Audits and risk management | Preventive | |
Behavior | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Revoke asset access when a personnel status change occurs or an individual is terminated. CC ID 00516 | Technical security | Corrective | |
| Review and update accounts and access rights when notified of personnel status changes. CC ID 00788 | Technical security | Corrective | |
| Require removable storage media be in the custody of an authorized individual. CC ID 12319 [PII on media leaving the organization’s premises should be subject to an authorization procedure and should not be accessible to anyone other than authorized personnel (e.g. by encrypting the data concerned). § A.10.4 ¶ 2] | Physical and environmental protection | Preventive | |
| Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 | Operational and Systems Continuity | Preventive | |
| Train all personnel and third parties, as necessary. CC ID 00785 | Human Resources management | Preventive | |
| Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 [{training} Measures should be put in place to make relevant staff aware of the possible consequences on the public cloud PII processor (e.g. legal consequences, loss of business and brand or reputational damage), on the staff member (e.g. disciplinary consequences) and on the PII principal (e.g. physical, material and emotional consequences) of breaching privacy or security rules and procedures, especially those addressing the handling of PII. § 7.2.2 ¶ 3] | Human Resources management | Preventive | |
| Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 | Human Resources management | Preventive | |
| Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 [The public cloud PII processor should define criteria regarding if, when and how log information can be made available to or usable by the cloud service customer. These procedures should be made available to the cloud service customer. § 12.4.1 ¶ 5] | Operational management | Preventive | |
| Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 [The public cloud PII processor should promptly notify the relevant cloud service customer in the event of any unauthorized access to PII or unauthorized access to processing equipment or facilities resulting in loss, disclosure or alteration of PII. § A.9.1 ¶ 2] | Operational management | Corrective | |
| Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 | Operational management | Detective | |
| Delay sending incident response notifications under predetermined conditions. CC ID 00804 | Operational management | Corrective | |
| Avoid false positive incident response notifications. CC ID 04732 | Operational management | Detective | |
| Send paper incident response notifications to affected parties, as necessary. CC ID 00366 | Operational management | Corrective | |
| Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 | Operational management | Corrective | |
| Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 | Operational management | Corrective | |
| Telephone incident response notifications to affected parties, as necessary. CC ID 04650 | Operational management | Corrective | |
| Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 | Operational management | Preventive | |
| Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 | Operational management | Preventive | |
| Publish the incident response notification in a general circulation periodical. CC ID 04651 | Operational management | Corrective | |
| Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 | Operational management | Preventive | |
| Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 | Operational management | Corrective | |
| Notify the data subject of changes to personal data use. CC ID 00105 | Privacy protection for information and data | Preventive | |
| Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 | Privacy protection for information and data | Detective | |
| Follow the instructions of the data transferrer. CC ID 00334 | Privacy protection for information and data | Preventive | |
| Notify the data subject of any personal data changes during the personal data transfer. CC ID 00350 | Privacy protection for information and data | Preventive | |
Business Processes | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Manage cloud services. CC ID 13144 | Operational management | Preventive | |
| Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Preventive | |
| Establish, implement, and maintain an Incident Management program. CC ID 00853 | Operational management | Preventive | |
| Refrain from charging for providing incident response notifications. CC ID 13876 | Operational management | Preventive | |
| Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Operational management | Corrective | |
| Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 | Privacy protection for information and data | Preventive | |
| Provide the data subject with the data protection officer's contact information. CC ID 12573 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data when the data subject consents to retention. CC ID 14326 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it reveals trade union membership. CC ID 12583 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it reveals political opinions. CC ID 12575 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 | Privacy protection for information and data | Preventive | |
| Refrain from requiring a contract between the data controller and trusted third parties when personal information is transferred. CC ID 12527 | Privacy protection for information and data | Preventive | |
| Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 [Contractual agreements should clearly allocate responsibilities between the public cloud PII processor, its sub-contractors and the cloud service customer, taking into account the type of cloud service in question (e.g. a service of an IaaS, PaaS or SaaS category of the cloud computing reference architecture). For example, the allocation of responsibility for application layer controls may differ depending on whether the public cloud PII processor is providing a SaaS service or rather is providing a PaaS or IaaS service upon which the cloud service customer can build or layer its own applications. § 5.1.1 ¶ 4] | Third Party and supply chain oversight | Preventive | |
| Include disclosure requirements in third party contracts. CC ID 08825 | Third Party and supply chain oversight | Preventive | |
| Conduct all parts of the supply chain due diligence process. CC ID 08854 | Third Party and supply chain oversight | Preventive | |
Communicate | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 | Technical security | Corrective | |
| Notify interested personnel when user accounts are added or deleted. CC ID 14327 | Technical security | Detective | |
| Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 | Technical security | Preventive | |
| Disseminate and communicate the access control procedures to all interested personnel and affected parties. CC ID 14123 | Technical security | Corrective | |
| Report changes in the continuity plan to senior management. CC ID 12757 | Operational and Systems Continuity | Corrective | |
| Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 | Operational and Systems Continuity | Preventive | |
| Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 | Operational and Systems Continuity | Preventive | |
| Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 | Operational and Systems Continuity | Preventive | |
| Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 | Operational and Systems Continuity | Preventive | |
| Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 | Operational and Systems Continuity | Preventive | |
| Notify cloud customers of the geographic locations of the cloud service organization and its assets. CC ID 13037 | Operational management | Preventive | |
| Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 [In cases where individual cloud service customer audits are impractical or may increase risks to security (see 0.1), the public cloud PII processor should make available to prospective cloud service customers, prior to entering into, and for the duration of, a contract, independent evidence that information security is implemented and operated in accordance with the public cloud PII processor’s policies and procedures. A relevant independent audit as selected by the public cloud PII processor should normally be an acceptable method for fulfilling the cloud service customer’s interest in reviewing the public cloud PII processor’s processing operations, provided sufficient transparency is provided. § 18.2.1 ¶ 3] | Operational management | Preventive | |
| Submit written requests to delay the notification of affected parties. CC ID 16783 | Operational management | Preventive | |
| Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Operational management | Corrective | |
| Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Operational management | Preventive | |
| Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Operational management | Corrective | |
| Disseminate and communicate the local environment security profile to interested personnel and affected parties. CC ID 15716 | Operational management | Preventive | |
| Notify data subjects of the geographic locations of the third parties when transferring personal data to third parties. CC ID 14414 | Privacy protection for information and data | Preventive | |
| Notify data subjects about organizational liability when transferring personal data to third parties. CC ID 12353 | Privacy protection for information and data | Preventive | |
Configuration | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Enforce dual authorization as a part of information flow control for logs. CC ID 10098 | Monitoring and measurement | Preventive | |
| Match user accounts to authorized parties. CC ID 12126 | Technical security | Detective | |
| Configure access control lists in accordance with organizational standards. CC ID 16465 | Technical security | Preventive | |
| Disallow application IDs from running as privileged users. CC ID 10050 | Technical security | Detective | |
| Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 | Technical security | Preventive | |
| Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 | Technical security | Preventive | |
| Establish, implement, and maintain session lock capabilities. CC ID 01417 | Technical security | Preventive | |
| Limit concurrent sessions according to account type. CC ID 01416 | Technical security | Preventive | |
| Configure the "tlsverify" argument to organizational standards. CC ID 14460 | Technical security | Preventive | |
| Configure the "tlscacert" argument to organizational standards. CC ID 14521 | Technical security | Preventive | |
| Configure the "tlscert" argument to organizational standards. CC ID 14520 | Technical security | Preventive | |
| Configure the "tlskey" argument to organizational standards. CC ID 14519 | Technical security | Preventive | |
| Enable access control for objects and users on each system. CC ID 04553 [In the context of the service categories of the cloud computing reference architecture, the cloud service customer may be responsible for some or all aspects of access management for cloud service users under its control. Where appropriate, the public cloud PII processor should enable the cloud service customer to manage access by cloud service users under the cloud service customer’s control, such as by providing administrative rights to manage or terminate access. § 9.2 ¶ 3] | Technical security | Preventive | |
| Display previous logon information in the logon banner. CC ID 01415 | Technical security | Preventive | |
| Encrypt files and move them to a secure file server when a user account is disabled. CC ID 07065 | Technical security | Preventive | |
| Limit superuser accounts to designated System Administrators. CC ID 06766 | Technical security | Preventive | |
| Grant access to authorized personnel or systems. CC ID 12186 | Technical security | Preventive | |
| Configure network flow monitoring to organizational standards. CC ID 16364 | Technical security | Preventive | |
| Ensure restricted data or restricted information are encrypted prior to or at the time of transmission. CC ID 01749 | Technical security | Preventive | |
| Establish, implement, and maintain redundant systems. CC ID 16354 | Operational and Systems Continuity | Preventive | |
| Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 | Operational and Systems Continuity | Preventive | |
| Install a generator sized to support the facility. CC ID 06709 | Operational and Systems Continuity | Preventive | |
| Configure the off-site electronic media storage facilities to utilize timely and effective recovery operations. CC ID 01392 | Operational and Systems Continuity | Preventive | |
| Configure the system account settings and the permission settings in accordance with the organizational standards. CC ID 01538 | System hardening through configuration management | Preventive | |
| Configure user accounts. CC ID 07036 | System hardening through configuration management | Preventive | |
| Remove unnecessary default accounts. CC ID 01539 | System hardening through configuration management | Preventive | |
| Disable all unnecessary user identifiers. CC ID 02185 [De-activated or expired user IDs should not be granted to other individuals. § A.10.10 ¶ 2] | System hardening through configuration management | Preventive | |
| Configure Logging settings in accordance with organizational standards. CC ID 07611 | System hardening through configuration management | Preventive | |
| Configure the detailed data elements to be captured for all logs so that events are identified by type, location, subject, user, what data was accessed, etc. CC ID 06331 | System hardening through configuration management | Preventive | |
| Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Privacy protection for information and data | Preventive | |
| Store payment card data in secure chips, if possible. CC ID 13065 | Privacy protection for information and data | Preventive | |
| Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Privacy protection for information and data | Preventive | |
Data and Information Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Overwrite the oldest records when audit logging fails. CC ID 14308 | Monitoring and measurement | Preventive | |
| Establish and maintain contact information for user accounts, as necessary. CC ID 15418 | Technical security | Preventive | |
| Enforce access restrictions for restricted data. CC ID 01921 | Technical security | Preventive | |
| Include the date and time that access was reviewed in the system record. CC ID 16416 | Technical security | Preventive | |
| Establish, implement, and maintain an automated information flow approval process or semi-automated information flow approval process for transmitting or receiving restricted data or restricted information. CC ID 06734 | Technical security | Detective | |
| Constrain the information flow of restricted data or restricted information. CC ID 06763 | Technical security | Preventive | |
| Quarantine data that fails security tests. CC ID 16500 | Technical security | Corrective | |
| Restrict access to restricted data and restricted information on a need to know basis. CC ID 12453 | Technical security | Preventive | |
| Prohibit restricted data or restricted information from being sent to mobile devices. CC ID 04725 | Technical security | Preventive | |
| Prohibit restricted data or restricted information from being copied or moved absent approval of system boundaries for information flow control. CC ID 06310 | Technical security | Preventive | |
| Establish, implement, and maintain removable storage media controls. CC ID 06680 | Physical and environmental protection | Preventive | |
| Control access to restricted storage media. CC ID 04889 [Whenever physical media are used for information transfer, a system should be put in place to record incoming and outgoing physical media containing PII, including the type of physical media, the authorized sender/recipients, the date and time, and the number of physical media. Where possible, cloud service customers should be asked to put additional measures in place (such as encryption) to ensure that the data can only be accessed at the point of destination and not en route. § 13.2.1 ¶ 3] | Physical and environmental protection | Preventive | |
| Encrypt information stored on mobile devices. CC ID 01422 [{portable computing device} {removable media} Portable physical media and portable devices that do not permit encryption should not be used except where it is unavoidable, and any use of such portable media and devices should be documented. § A.10.5 ¶ 2] | Physical and environmental protection | Preventive | |
| Determine which data elements to back up. CC ID 13483 | Operational and Systems Continuity | Detective | |
| Store backup media at an off-site electronic media storage facility. CC ID 01332 [Information processing systems based on the cloud computing model introduce additional or alternative mechanisms to off-site backups for protecting against loss of data, ensuring continuity of data processing operations, and providing the ability to restore data processing operations after a disruptive event. Multiple copies of data in physically and/or logically diverse locations (which may be within the information processing system itself) should be created or maintained for the purposes of backup and/or recovery. § 12.3.1 ¶ 3] | Operational and Systems Continuity | Preventive | |
| Transport backup media in lockable electronic media storage containers. CC ID 01264 | Operational and Systems Continuity | Preventive | |
| Identify the access methods for backup media at both the primary facility and the off-site electronic media storage facility. CC ID 01257 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain security controls to protect offsite data. CC ID 16259 | Operational and Systems Continuity | Preventive | |
| Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Operational management | Preventive | |
| Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 | Operational management | Preventive | |
| Include a description of the restored data in the restoration log. CC ID 15462 | Operational management | Preventive | |
| Automate a programmatic process to remove stored data and records that exceed retention requirements. CC ID 06082 [A procedure, preferably automatic, should be put in place to ensure that logged information is deleted within a specified and documented period. § 12.4.2 ¶ 4] | Records management | Preventive | |
| Establish, implement, and maintain a personal data transparency program. CC ID 00375 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain adequate openness procedures. CC ID 00377 | Privacy protection for information and data | Preventive | |
| Document the countries where restricted data may be stored. CC ID 12750 [The public cloud PII processor should specify and document the countries in which PII might possibly be stored. § A.11.1 ¶ 2] | Privacy protection for information and data | Preventive | |
| Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 [{right to erasure} {right to rectification} The public cloud PII processor should provide the cloud service customer with the means to enable them to fulfil their obligation to facilitate the exercise of PII principals’ rights to access, correct and/or erase PII pertaining to them. § A.1.1 ¶ 2] | Privacy protection for information and data | Preventive | |
| Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 | Privacy protection for information and data | Preventive | |
| Display or print the least amount of personal data necessary. CC ID 04643 [The creation of hardcopy material displaying PII should be restricted. § A.10.2 ¶ 2] | Privacy protection for information and data | Preventive | |
| Redact confidential information from public information, as necessary. CC ID 06872 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 | Privacy protection for information and data | Preventive | |
| Disclose restricted data absent consent when it is needed by law. CC ID 00163 | Privacy protection for information and data | Preventive | |
| Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796 [The contract between the public cloud PII processor and the cloud service customer should require the public cloud PII processor to notify the cloud service customer, in accordance with any procedure and time periods agreed in the contract, of any legally binding request for disclosure of PII by a law enforcement authority, unless such a disclosure is otherwise prohibited. § A.5.1 ¶ 2] | Privacy protection for information and data | Preventive | |
| Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 | Privacy protection for information and data | Preventive | |
| Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Privacy protection for information and data | Preventive | |
| Limit data leakage. CC ID 00356 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 | Privacy protection for information and data | Detective | |
| Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 | Privacy protection for information and data | Detective | |
| Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 | Privacy protection for information and data | Detective | |
| Send change notices for change of address requests to the old address and the new address. CC ID 04877 | Privacy protection for information and data | Detective | |
| Provide an adequate data protection level by the transferee prior to transferring personal data to another country. CC ID 00314 | Privacy protection for information and data | Preventive | |
| Refrain from restricting personal data transfers to member states of the European Union. CC ID 00312 | Privacy protection for information and data | Preventive | |
| Prohibit the transfer of personal data when security is inadequate. CC ID 00345 | Privacy protection for information and data | Preventive | |
| Meet the use of limitation exceptions in order to transfer personal data. CC ID 00346 | Privacy protection for information and data | Preventive | |
| Refrain from transferring past the first transfer. CC ID 00347 | Privacy protection for information and data | Preventive | |
| Allow the data subject the right to object to the personal data transfer. CC ID 00349 | Privacy protection for information and data | Preventive | |
| Include publicly available information as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00316 | Privacy protection for information and data | Preventive | |
| Include transfer agreements between data controllers and third parties when it is for the data subject's interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00317 | Privacy protection for information and data | Preventive | |
| Include personal data for the health field and for treatment as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00318 | Privacy protection for information and data | Preventive | |
| Include personal data for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00319 | Privacy protection for information and data | Preventive | |
| Include personal data for important public interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00320 | Privacy protection for information and data | Preventive | |
| Include consent by the data subject as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00321 | Privacy protection for information and data | Preventive | |
| Include personal data used for a contract as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00322 | Privacy protection for information and data | Preventive | |
| Include personal data for protecting the data subject or the data subject's interests, such as saving his/her life or providing healthcare as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00323 | Privacy protection for information and data | Preventive | |
| Include personal data that is necessary to fulfill international law obligations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00324 | Privacy protection for information and data | Preventive | |
| Include personal data used for legal investigations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00325 | Privacy protection for information and data | Preventive | |
| Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00326 | Privacy protection for information and data | Preventive | |
| Require transferees to implement adequate data protection levels for the personal data. CC ID 00335 | Privacy protection for information and data | Preventive | |
| Include personal data that is publicly available information as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00337 | Privacy protection for information and data | Preventive | |
| Include personal data that is used for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00338 | Privacy protection for information and data | Preventive | |
| Include personal data that is used for important public interest as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00339 | Privacy protection for information and data | Preventive | |
| Include consent by the data subject as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00340 | Privacy protection for information and data | Preventive | |
| Include personal data that is used for a contract as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00341 | Privacy protection for information and data | Preventive | |
| Include personal data that is used for protecting the data subject or the data subject's interests, such as providing healthcare or saving his/her life as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00342 | Privacy protection for information and data | Preventive | |
| Include personal data that is used for a legal investigation as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00343 | Privacy protection for information and data | Preventive | |
| Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00344 | Privacy protection for information and data | Preventive | |
| Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 | Third Party and supply chain oversight | Detective | |
Establish Roles | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Technical security | Preventive | |
| Assign appropriate roles for enabling or disabling information flow controls. CC ID 06760 | Technical security | Preventive | |
| Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 | Operational and Systems Continuity | Preventive | |
| Include restoration procedures in the continuity plan. CC ID 01169 [Procedures should be put in place to allow for restoration of data processing operations within a specified, documented period after a disruptive event. § 12.3.1 ¶ 6 {data restoration process} There should be a procedure for, and a log of, data restoration efforts. § A.10.3 ¶ 2] | Operational and Systems Continuity | Preventive | |
Establish/Maintain Documentation | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 | Monitoring and measurement | Corrective | |
| Include identity information of suspects in the suspicious activity report. CC ID 16648 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a log management program. CC ID 00673 [The public cloud PII processor should define criteria regarding if, when and how log information can be made available to or usable by the cloud service customer. These procedures should be made available to the cloud service customer. § 12.4.1 ¶ 5] | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a Statement of Compliance. CC ID 12499 | Audits and risk management | Preventive | |
| Include a commitment to comply with recommendations from applicable statutory bodies in the Statement of Compliance. CC ID 12371 [The information security policies should be augmented by a statement concerning support for and commitment to achieving compliance with applicable PII protection legislation and the contractual terms agreed between the public cloud PII processor and its clients (cloud service customers). § 5.1.1 ¶ 3] | Audits and risk management | Preventive | |
| Establish, implement, and maintain a risk management program. CC ID 12051 | Audits and risk management | Preventive | |
| Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Preventive | |
| Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 | Audits and risk management | Detective | |
| Establish, implement, and maintain an access control program. CC ID 11702 | Technical security | Preventive | |
| Establish, implement, and maintain an access rights management plan. CC ID 00513 [Procedures for user registration and de-registration should address the situation where user access control is compromised, such as the corruption or compromise of passwords or other user registration data (e.g. as a result of inadvertent disclosure). § 9.2.1 ¶ 3] | Technical security | Preventive | |
| Inventory all user accounts. CC ID 13732 | Technical security | Preventive | |
| Add all devices requiring access control to the Access Control List. CC ID 06264 | Technical security | Preventive | |
| Include the objects and users subject to access control in the security policy. CC ID 11836 | Technical security | Preventive | |
| Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 | Technical security | Preventive | |
| Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 | Technical security | Preventive | |
| Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771 | Technical security | Preventive | |
| Establish and maintain a Digital Rights Management program. CC ID 07093 | Technical security | Preventive | |
| Establish, implement, and maintain an authority for access authorization list. CC ID 06782 | Technical security | Preventive | |
| Establish, implement, and maintain a password policy. CC ID 16346 | Technical security | Preventive | |
| Disseminate and communicate the password policies and password procedures to all users who have access to restricted data or restricted information. CC ID 00518 | Technical security | Preventive | |
| Establish, implement, and maintain biometric collection procedures. CC ID 15419 | Technical security | Preventive | |
| Document the business need justification for authentication data storage. CC ID 06325 | Technical security | Preventive | |
| Establish, implement, and maintain access control procedures. CC ID 11663 [Where required, the public cloud PII processor should provide secure log-on procedures for any accounts requested by the cloud service customer for cloud service users under its control. § 9.4.2 ¶ 3] | Technical security | Preventive | |
| Document approving and granting access in the access control log. CC ID 06786 | Technical security | Preventive | |
| Include the user identifiers of all personnel who are authorized to access a system in the system record. CC ID 15171 | Technical security | Preventive | |
| Include identity information of all personnel who are authorized to access a system in the system record. CC ID 16406 | Technical security | Preventive | |
| Include the date and time that access rights were changed in the system record. CC ID 16415 | Technical security | Preventive | |
| Establish, implement, and maintain information flow control configuration standards. CC ID 01924 [PII transmitted using a data-transmission network should be subject to appropriate controls designed to ensure that data reaches its intended destination. § A.11.2 ¶ 2] | Technical security | Preventive | |
| Maintain a record of the challenge state during identification and authentication in an automated information exchange. CC ID 06629 | Technical security | Preventive | |
| Develop and implement a content filtering word and phrase library. CC ID 07071 | Technical security | Preventive | |
| Authorize transactions of data transmitted over public networks or shared data networks. CC ID 00566 | Technical security | Preventive | |
| Establish, implement, and maintain a physical security program. CC ID 11757 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain storage media access control procedures. CC ID 00959 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain mobile device security guidelines. CC ID 04723 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a business continuity program. CC ID 13210 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain a continuity plan. CC ID 00752 [{backup procedures} The back-up and recovery procedures should be reviewed at a specified, documented frequency. § 12.3.1 ¶ 7] | Operational and Systems Continuity | Preventive | |
| Identify all stakeholders in the continuity plan. CC ID 13256 | Operational and Systems Continuity | Preventive | |
| Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 | Operational and Systems Continuity | Preventive | |
| Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 | Operational and Systems Continuity | Preventive | |
| Include identification procedures in the continuity plan, as necessary. CC ID 14372 | Operational and Systems Continuity | Preventive | |
| Include the continuity strategy in the continuity plan. CC ID 13189 | Operational and Systems Continuity | Preventive | |
| Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 | Operational and Systems Continuity | Preventive | |
| Document and use the lessons learned to update the continuity plan. CC ID 10037 | Operational and Systems Continuity | Preventive | |
| Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 | Operational and Systems Continuity | Preventive | |
| Include incident management procedures in the continuity plan. CC ID 13244 | Operational and Systems Continuity | Preventive | |
| Include the use of virtual meeting tools in the continuity plan. CC ID 14390 | Operational and Systems Continuity | Preventive | |
| Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 | Operational and Systems Continuity | Preventive | |
| Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain the continuity procedures. CC ID 14236 | Operational and Systems Continuity | Corrective | |
| Document the uninterrupted power requirements for all in scope systems. CC ID 06707 | Operational and Systems Continuity | Preventive | |
| Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 | Operational and Systems Continuity | Preventive | |
| Include notifications to alternate facilities in the continuity plan. CC ID 13220 | Operational and Systems Continuity | Preventive | |
| Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain damage assessment procedures. CC ID 01267 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain a recovery plan. CC ID 13288 | Operational and Systems Continuity | Preventive | |
| Include procedures to restore network connectivity in the recovery plan. CC ID 16250 | Operational and Systems Continuity | Preventive | |
| Include addressing backup failures in the recovery plan. CC ID 13298 | Operational and Systems Continuity | Preventive | |
| Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 | Operational and Systems Continuity | Preventive | |
| Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 | Operational and Systems Continuity | Preventive | |
| Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 | Operational and Systems Continuity | Preventive | |
| Include the criteria for activation in the recovery plan. CC ID 13293 | Operational and Systems Continuity | Preventive | |
| Include escalation procedures in the recovery plan. CC ID 16248 | Operational and Systems Continuity | Preventive | |
| Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 | Operational and Systems Continuity | Preventive | |
| Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 | Operational and Systems Continuity | Detective | |
| Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 | Operational and Systems Continuity | Preventive | |
| Include the recovery plan in the continuity plan. CC ID 01377 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain system continuity plan strategies. CC ID 00735 | Operational and Systems Continuity | Preventive | |
| Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250 | Operational and Systems Continuity | Preventive | |
| Outline explicit mitigation actions for potential off-site electronic media storage facilities accessibility issues for when area-wide disruptions occur or area-wide disasters occur. CC ID 01393 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain training plans. CC ID 00828 | Human Resources management | Preventive | |
| Establish, implement, and maintain a security awareness program. CC ID 11746 | Human Resources management | Preventive | |
| Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 | Human Resources management | Preventive | |
| Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Preventive | |
| Establish, implement, and maintain an information security program. CC ID 00812 | Operational management | Preventive | |
| Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Operational management | Preventive | |
| Include asset use policies in the Acceptable Use Policy. CC ID 01355 [{portable computing device} {removable media} Portable physical media and portable devices that do not permit encryption should not be used except where it is unavoidable, and any use of such portable media and devices should be documented. § A.10.5 ¶ 2] | Operational management | Preventive | |
| Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 [An up-to-date record of the users or profiles of users who have authorized access to the information system should be maintained. § A.10.9 ¶ 2] | Operational management | Preventive | |
| Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Operational management | Preventive | |
| Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Operational management | Preventive | |
| Establish, implement, and maintain nondisclosure agreements. CC ID 04536 | Operational management | Preventive | |
| Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 [Where public disclosure of sub-contractor information is assessed to increase security risk beyond acceptable limits, disclosure should be made under a non-disclosure agreement and/or on the request of the cloud service customer. The cloud service customer should be made aware that the information is available. § A.7.1 ¶ 6] | Operational management | Preventive | |
| Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Operational management | Preventive | |
| Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Preventive | |
| Include detection procedures in the Incident Management program. CC ID 00588 | Operational management | Preventive | |
| Include data loss event notifications in the Incident Response program. CC ID 00364 | Operational management | Preventive | |
| Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Operational management | Preventive | |
| Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 | Operational management | Preventive | |
| Establish, implement, and maintain incident response notifications. CC ID 12975 | Operational management | Corrective | |
| Include information required by law in incident response notifications. CC ID 00802 | Operational management | Detective | |
| Title breach notifications "Notice of Data Breach". CC ID 12977 | Operational management | Preventive | |
| Display titles of incident response notifications clearly and conspicuously. CC ID 12986 | Operational management | Preventive | |
| Display headings in incident response notifications clearly and conspicuously. CC ID 12987 | Operational management | Preventive | |
| Design the incident response notification to call attention to its nature and significance. CC ID 12984 | Operational management | Preventive | |
| Use plain language to write incident response notifications. CC ID 12976 | Operational management | Preventive | |
| Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 | Operational management | Preventive | |
| Include the affected parties rights in the incident response notification. CC ID 16811 | Operational management | Preventive | |
| Include details of the investigation in incident response notifications. CC ID 12296 | Operational management | Preventive | |
| Include the issuer's name in incident response notifications. CC ID 12062 | Operational management | Preventive | |
| Include a "What Happened" heading in breach notifications. CC ID 12978 | Operational management | Preventive | |
| Include a general description of the data loss event in incident response notifications. CC ID 04734 | Operational management | Preventive | |
| Include time information in incident response notifications. CC ID 04745 | Operational management | Preventive | |
| Include the identification of the data source in incident response notifications. CC ID 12305 | Operational management | Preventive | |
| Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 | Operational management | Preventive | |
| Include the type of information that was lost in incident response notifications. CC ID 04735 | Operational management | Preventive | |
| Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 | Operational management | Preventive | |
| Include a "What We Are Doing" heading in the breach notification. CC ID 12982 | Operational management | Preventive | |
| Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 | Operational management | Preventive | |
| Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 | Operational management | Preventive | |
| Include a "For More Information" heading in breach notifications. CC ID 12981 | Operational management | Preventive | |
| Include details of the companies and persons involved in incident response notifications. CC ID 12295 | Operational management | Preventive | |
| Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 | Operational management | Preventive | |
| Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Operational management | Preventive | |
| Include any consequences in the incident response notifications. CC ID 12604 | Operational management | Preventive | |
| Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 | Operational management | Preventive | |
| Include a "What You Can Do" heading in the breach notification. CC ID 12980 | Operational management | Preventive | |
| Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 | Operational management | Detective | |
| Include contact information in incident response notifications. CC ID 04739 | Operational management | Preventive | |
| Include contact information in the substitute incident response notification. CC ID 16776 | Operational management | Preventive | |
| Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 | Operational management | Preventive | |
| Include incident recovery procedures in the Incident Management program. CC ID 01758 | Operational management | Corrective | |
| Establish, implement, and maintain a restoration log. CC ID 12745 [{data restoration process} There should be a procedure for, and a log of, data restoration efforts. § A.10.3 ¶ 2] | Operational management | Preventive | |
| Document the organization's local environments. CC ID 06726 [The objective specified in ISO/IEC 27002:2013, 5.1 applies. § 5.1 ¶ 1 Control 5.1.1 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. § 5.1.1 ¶ 1 Control 5.1.2 and the associated implementation guidance specified in ISO/IEC 27002 apply. § 5.1.2 ¶ 1 The objective specified in ISO/IEC 27002:2013, 6.1 applies. § 6.1 ¶ 1 Control 6.1.1 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. § 6.1.1 ¶ 1 Control 6.1.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 6.1.2 ¶ 1 Control 6.1.3 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 6.1.3 ¶ 1 Control 6.1.4 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 6.1.4 ¶ 1 Control 6.1.5 and the associated implementation guidance specified in ISO/IEC 27002 apply. § 6.1.5 ¶ 1 The objective specified in, and the contents of, ISO/IEC 27002:2013, 6.2 apply. § 6.2 ¶ 1 The objective specified in, and the contents of, ISO/IEC 27002:2013, 7.1 apply. § 7.1 ¶ 1 The objective specified in ISO/IEC 27002:2013, 7.2 applies. § 7.2 ¶ 1 Control 7.2.1 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 7.2.1 ¶ 1 Control 7.2.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. § 7.2.2 ¶ 1 Control 7.2.3 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 7.2.3 ¶ 1 The objective specified in, and the contents of, ISO/IEC 27002:2013, 7.3 apply. § 7.3 ¶ 1 The objectives specified in, and the contents of, ISO/IEC 27002:2013, Clause 8 apply. § 8 ¶ 1 The objective specified in, and the contents of, ISO/IEC 27002:2013, 9.1 apply. § 9.1 ¶ 1 The objective specified in ISO/IEC 27002:2013, 9.2 applies. The following sector-specific guidance also applies to the implementation of all of the controls under this subclause (9.2). § 9.2 ¶ 1 Control 9.2.1 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. § 9.2.1 ¶ 1 Control 9.2.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 9.2.2 ¶ 1 Control 9.2.3 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 9.2.3 ¶ 1 Control 9.2.4 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 9.2.4 ¶ 1 Control 9.2.5 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 9.2.5 ¶ 1 Control 9.2.6 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 9.2.6 ¶ 1 The objective specified in ISO/IEC 27002:2013, 9.3 applies. § 9.3 ¶ 1 Control 9.3.1 and the associated implementation guidance specified in ISO/IEC 27002 apply. § 9.3.1 ¶ 1 Control 9.4.1 and the associated implementation guidance specified in ISO/IEC 27002 apply. § 9.4.1 ¶ 1 Control 9.4.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. § 9.4.2 ¶ 1 Control 9.4.3 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 9.4.3 ¶ 1 Control 9.4.4 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 9.4.4 ¶ 1 Control 9.4.5 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 9.4.5 ¶ 1 Control 10.1.1 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. § 10.1.1 ¶ 1 Control 10.1.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 10.1.2 ¶ 1 The objective specified in, and the contents of, ISO/IEC 27002:2013, 11.1 apply. § 11.1 ¶ 1 The objective specified in ISO/IEC 27002:2013, 11.2 applies. § 11.2 ¶ 1 Control 11.2.1 and the associated implementation guidance specified in ISO/IEC 27002 apply. § 11.2.1 ¶ 1 Control 11.2.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 11.2.2 ¶ 1 Control 11.2.3 and the associated implementation guidance specified in ISO/IEC 27002 apply. § 11.2.3 ¶ 1 Control 11.2.4 and the associated implementation guidance specified in ISO/IEC 27002 apply. § 11.2.4 ¶ 1 Control 11.2.5 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 11.2.5 ¶ 1 Control 11.2.6 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 11.2.6 ¶ 1 Control 11.2.7 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. § 11.2.7 ¶ 1 Control 11.2.8 and the associated implementation guidance specified in ISO/IEC 27002 apply. § 11.2.8 ¶ 1 Control 11.2.9 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 11.2.9 ¶ 1 The objective specified in ISO/IEC 27002:2013, 12.1 applies. § 12.1 ¶ 1 Control 12.1.1 and the associated implementation guidance specified in ISO/IEC 27002 apply. § 12.1.1 ¶ 1 Control 12.1.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 12.1.2 ¶ 1 Control 12.1.3 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 12.1.3 ¶ 1 Control 12.1.4 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. § 12.1.4 ¶ 1 The objective specified in, and the contents of, ISO/IEC 27002:2013, 12.2 apply. § 12.2 ¶ 1 The objective specified in ISO/IEC 27002:2013, 12.3 applies. § 12.3 ¶ 1 Control 12.3.1 and the associated implementation guidance specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. § 12.3.1 ¶ 1 NOTE 1 Individual jurisdictions may impose specific requirements regarding the frequency of backups. Organizations operating in these jurisdictions should ensure that they comply with these requirements. § 12.3.1 ¶ 5 NOTE 2 Individual jurisdictions may impose specific requirements regarding the frequency of reviews of backup and recovery procedures. Organizations operating in these jurisdictions should ensure that they comply with these requirements. § 12.3.1 ¶ 8 The objective specified in ISO/IEC 27002:2013, 12.4 applies. § 12.4 ¶ 1 Control 12.4.1 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. § 12.4.1 ¶ 1 Control 12.4.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. § 12.4.2 ¶ 1 Control 12.4.3 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 12.4.3 ¶ 1 Control 12.4.4 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 12.4.4 ¶ 1 The objective specified in, and the contents of, ISO/IEC 27002:2013, 12.5 apply. § 12.5 ¶ 1 The objective specified in, and the contents of, ISO/IEC 27002:2013, 12.6 apply. § 12.6 ¶ 1 The objective specified in, and the contents of, ISO/IEC 27002:2013, 12.7 apply. § 12.7 ¶ 1 The objective specified in ISO/IEC 27002:2013, 13.2 applies. § 13.2 ¶ 1 Control 13.2.1 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. § 13.2.1 ¶ 1 Control 13.2.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 13.2.2 ¶ 1 Control 13.2.3 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 13.2.3 ¶ 1 Control 13.2.4 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 13.2.4 ¶ 1 The objectives specified in, and the contents of, ISO/IEC 27002:2013, Clause 14 apply. § 14 ¶ 1 The objectives specified in, and the contents of, ISO/IEC 27002:2013, Clause 15 apply. § 15 ¶ 1 The objective specified in ISO/IEC 27002:2013, 16.1 applies. The following sector-specific guidance also applies to the implementation of all of the controls under this subclause (16.1). § 16.1 ¶ 1 Control 16.1.1 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. § 16.1.1 ¶ 1 Control 16.1.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 16.1.2 ¶ 1 Control 16.1.3 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 16.1.3 ¶ 1 Control 16.1.4 and the associated implementation guidance specified in ISO/IEC 27002 apply. § 16.1.4 ¶ 1 Control 16.1.5 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 16.1.5 ¶ 1 Control 16.1.6 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 16.1.6 ¶ 1 Control 16.1.7 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 16.1.7 ¶ 1 The objectives specified in, and the contents of, ISO/IEC 27002:2013, Clause 17 apply. § 17 ¶ 1 The objective specified in, and the contents of, ISO/IEC 27002:2013, 18.1 apply. § 18.1 ¶ 1 The objective specified in ISO/IEC 27002:2013, 18.2 applies. § 18.2 ¶ 1 Control 18.2.1 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. § 18.2.1 ¶ 1 Control 18.2.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 18.2.2 ¶ 1 Control 18.2.3 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 18.2.3 ¶ 1 For the purposes of secure disposal or re-use, equipment containing storage media that may possibly contain PII should be treated as though it does. § 11.2.7 ¶ 3 The use of sub-contractors to store replicated or backup copies of data being processed is covered by the controls in this International Standard applying to sub-contracted PII processing. Where physical media transfers take place this is also covered by controls in this International Standard. § 12.3.1 ¶ 9 The objective specified in, and the contents of, ISO/IEC 27002:2013, 13.1 apply. § 13.1 ¶ 1 In the context of the whole cloud computing reference architecture, there may be shared roles in the management of information security incidents and making improvements. There may be a need for the public cloud PII processor to cooperate with the cloud service customer in implementing the controls in this subclause. § 16.1 ¶ 3 An information security event should not necessarily trigger such a review. An information security event is one that does not result in actual, or the significant probability of, unauthorized access to PII or to any of the public cloud PII processor’s equipment or facilities storing PII, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks and packet sniffing. § 16.1.1 ¶ 4 No additional controls are relevant to this privacy principle. § A.3 ¶ 1 Implementation guidance on PII erasure is provided in A.10.11. § A.4.1 ¶ 4 An example of a possible prohibition on disclosure would be a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation. § A.5.1 ¶ 5 No additional controls are relevant to this privacy principle. § A.6 ¶ 1 No additional controls are relevant to this privacy principle. § A.8 ¶ 1 In some jurisdictions, relevant legislation or regulations may require the public cloud PII processor to directly notify appropriate regulatory authorities (e.g. a PII protection authority) of a data breach involving PII. § A.9.1 ¶ 7 Review of current and historical policies and procedures may be required, e.g. in the cases of customer dispute resolution and investigation by a PII protection authority. A minimum retention period of five years is recommended in the absence of a specific legal or contractual requirement. § A.9.2 ¶ 4 At some point in time, PII may need to be disposed of in some manner. This may involve returning the PII to the cloud service customer, transferring it to another public cloud PII processor or to a PII controller (e.g. as a result of a merger), securely deleting or otherwise destroying it, anonymizing it or archiving it. § A.9.3 ¶ 4 Hardcopy material includes material created by printing. § A.10.2 ¶ 4 In some cases, e.g. the exchange of e-mail, the inherent characteristics of public data-transmission network systems might require that some header or traffic data be exposed for effective transmission. § A.10.6 ¶ 4 Where multiple service providers are involved in providing service from different service categories of the cloud computing reference architecture, there may be varied or shared roles in implementing this guidance. § A.10.6 ¶ 5 In the context of the whole cloud computing reference architecture, the cloud service customer may be responsible for some or all aspects of user ID management for cloud service users under its control. § A.10.10 ¶ 4 Information security and PII protection obligations relevant to the public cloud PII processor may arise directly from applicable law. Where this is not the case, PII protection obligations relevant to the public cloud PII processor should be covered in the contract. § A.10.11 ¶ 4 The use of sub-contractors to store backup copies is covered by this control (see A.7.1). § A.10.12 ¶ 4 Upon deletion by a cloud service user of data held in an information system, performance issues may mean that explicit erasure of those data is impractical. This creates the risk that another user may be able to read the data. Such risk should be avoided by specific technical measures. § A.10.13 ¶ 4 No specific guidance is especially appropriate for dealing with all cases in implementing this control. However, as an example, some cloud infrastructure, platforms or applications will return zeroes if a cloud service user attempts to read storage space which has not been overwritten by that user’s own data. § A.10.13 ¶ 5 The PII controller’s obligations in this respect may be defined by law, by regulations or by contract. These obligations may include matters where the cloud service customer uses the services of the public cloud PII processor for implementation. For example, this could include the correction or deletion of PII in a timely fashion. § A.1.1 ¶ 4 Instructions may be contained in the contract between the public cloud PII processor and the cloud service customer including, e.g. the objective and time frame to be achieved by the service. § A.2.1 ¶ 4 Where the PII controller depends on the public cloud PII processor for information or technical measures to facilitate the exercise of PII principals’ rights, the relevant information or technical measures should be specified in the contract. § A.1.1 ¶ 5 In order to achieve the cloud service customer’s purpose, there may be technical reasons why it is appropriate for a public cloud PII processor to determine the method for processing PII, consistent with the general instructions of the cloud service customer but without the cloud service customer’s express instruction. For example, in order to efficiently utilize network or processing capacity it may be necessary to allocate specific processing resources depending on certain characteristics of the PII principal. In circumstances where the public cloud PII processor’s determination of the processing method involves the collection and use of PII, the public cloud PII processor should adhere to the relevant privacy principles set forth in ISO/IEC 29100. § A.2.1 ¶ 5 The public cloud PII processor should provide the cloud service customer with all relevant information, in a timely fashion, to allow the cloud service customer to ensure the public cloud PII processor’s compliance with purpose specification and limitation principles and ensure that no PII is processed by the public cloud PII processor or any of its sub-contractors for further purposes independent of the instructions of the cloud service customer. § A.2.1 ¶ 6 Information systems may create temporary files in the normal course of their operation. Such files are specific to the system or application, but may include file system roll-back journals and temporary files associated with the updating of databases and the operation of other application software. Temporary files are not needed after the related information processing task has completed but there are circumstances in which they may not be deleted. The length of time for which these files remain in use is not always deterministic but a “garbage collection” procedure should identify the relevant files and determine how long it has been since they were last used. § A.4.1 ¶ 5 PII processing information systems should implement a periodic check that unused temporary files above a specified age are deleted. § A.4.1 ¶ 6 The public cloud PII processor should provide contractual guarantees that it will reject any requests for PII disclosure that are not legally binding, consult the corresponding cloud service customer where legally permissible before making any PII disclosure and accept any contractually agreed requests for PII disclosures that are authorized by the corresponding cloud service customer. § A.5.1 ¶ 4 PII may be disclosed during the course of normal operations. These disclosures should be recorded (see 12.4.1). Any additional disclosures to third parties, such as those arising from lawful investigations or external audits, should also be recorded. The records should include the source of the disclosure and the source of the authority to make the disclosure. § A.5.2 ¶ 4 Provisions for the use of sub-contractors to process PII should be transparent in the contract between the public cloud PII processor and the cloud service customer. The contract should specify that sub-contractors may only be commissioned on the basis of a consent that can generally be given by the cloud service customer at the beginning of the service. The public cloud PII processor should inform the cloud service customer in a timely fashion of any intended changes in this regard so that the cloud service customer has the ability to object to such changes or to terminate the contract. § A.7.1 ¶ 4 Information disclosed should cover the fact that sub-contracting is used and the names of relevant sub-contractors, but not any business-specific details. The information disclosed should also include the countries in which sub-contractors may process data (see A.11.1) and the means by which sub-contractors are obliged to meet or exceed the obligations of the public cloud PII processor (see A.10.12). § A.7.1 ¶ 5 In the event that a data breach involving PII has occurred, a record should be maintained with a description of the incident, the time period, the consequences of the incident, the name of the reporter, to whom the incident was reported, the steps taken to resolve the incident (including the person in charge and the data recovered) and the fact that the incident resulted in loss, disclosure or alteration of PII. § A.9.1 ¶ 5 Provisions covering the notification of a data breach involving PII should form part of the contract between the public cloud PII processor and the cloud service customer. The contract should specify how the public cloud PII processor will provide the information necessary for the cloud service customer to fulfil his obligation to notify relevant authorities. This notification obligation does not extend to a data breach caused by the cloud service customer or PII principal or within system components for which they are responsible. The contract should also define the maximum delay in notification of a data breach involving PII. § A.9.1 ¶ 4 In the event that a data breach involving PII has occurred, the record should also include a description of the data compromised, if known; and if notifications were performed, the steps taken to notify the cloud service customer and/or regulatory agencies. § A.9.1 ¶ 6 The public cloud PII processor should provide the information necessary to allow the cloud service customer to ensure that PII processed under a contract is erased (by the public cloud PII processor and any of its sub-contractors) from wherever they are stored, including for the purposes of backup and business continuity, as soon as they are no longer necessary for the specific purposes of the cloud service customer. The nature of the disposition mechanisms (de-linking, overwriting, demagnetization, destruction or other forms of erasure) and/or the applicable commercial standards should be provided for contractually. § A.9.3 ¶ 5 The public cloud PII processor should develop and implement a policy in respect of the disposition of PII and should make this policy available to cloud service customer. § A.9.3 ¶ 6 The policy should cover the retention period for PII before its destruction after termination of a contract, to protect the cloud service customer from losing PII through an accidental lapse of the contract. § A.9.3 ¶ 7 A confidentiality agreement, in whatever form, between the public cloud PII processor, its employees and its agents should ensure that employees and agents do not disclose PII for purposes independent of the instructions of the cloud service customer (see A.2.1). The obligations of the confidentiality agreement should survive termination of any relevant contract. § A.10.1 ¶ 4 The log of data restoration efforts should contain: the person responsible, a description of the restored data, and the data that were restored manually. § A.10.3 ¶ 4 A user profile should be maintained for all users whose access is authorized by the public cloud PII processor. The profile of a user comprises the set of data about that user, including user ID, necessary to implement the technical controls providing authorized access to the information system. § A.10.9 ¶ 4 The controls in this International Standard, together with the controls in ISO/IEC 27002, are intended as a reference catalogue of measures to assist in entering into an information processing contract in respect of PII. The public cloud PII processor should inform a prospective cloud service customer, before entering into a contract, about the aspects of its services material to the protection of PII. § A.10.11 ¶ 5 The public cloud PII processor should be transparent about its capabilities during the process of entering into a contract. However, it is ultimately the cloud service customer’s responsibility to ensure that the measures implemented by the public cloud PII processor meet its obligations. § A.10.11 ¶ 6 The identities of the countries where PII might possibly be stored should be made available to cloud service customers. The identities of the countries arising from the use of sub-contracted PII processing should be included. Where specific contractual agreements apply to the international transfer of data, such as Model Contract Clauses, Binding Corporate Rules or Cross Border Privacy Rules, the agreements and the countries or circumstances in which such agreements apply should also be identified. The public cloud PII processor should inform the cloud service customer in a timely fashion of any intended changes in this regard so that the cloud service customer has the ability to object to such changes or to terminate the contract. § A.11.1 ¶ 4 The objective specified in ISO/IEC 27002:2013, 9.4 applies. § 9.4 ¶ 1] | Operational management | Preventive | |
| Establish, implement, and maintain local environment security profiles. CC ID 07037 | Operational management | Preventive | |
| Include individuals assigned to the local environment in the local environment security profile. CC ID 07038 | Operational management | Preventive | |
| Include security requirements in the local environment security profile. CC ID 15717 | Operational management | Preventive | |
| Include the business processes assigned to the local environment in the local environment security profile. CC ID 07039 | Operational management | Preventive | |
| Include the technology used in the local environment in the local environment security profile. CC ID 07040 | Operational management | Preventive | |
| Include contact information for critical personnel assigned to the local environment in the local environment security profile. CC ID 07041 | Operational management | Preventive | |
| Include facility information for the local environment in the local environment security profile. CC ID 07042 | Operational management | Preventive | |
| Include facility access information for the local environment in the local environment security profile. CC ID 11773 | Operational management | Preventive | |
| Update the local environment security profile, as necessary. CC ID 07043 | Operational management | Preventive | |
| Establish, implement, and maintain system hardening procedures. CC ID 12001 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain records management policies. CC ID 00903 | Records management | Preventive | |
| Define each system's preservation requirements for records and logs. CC ID 00904 | Records management | Detective | |
| Establish, implement, and maintain records disposition procedures. CC ID 00971 | Records management | Preventive | |
| Establish, implement, and maintain records management procedures. CC ID 11619 | Records management | Preventive | |
| Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 | Records management | Preventive | |
| Establish, implement, and maintain a records lifecycle management program. CC ID 00951 | Records management | Preventive | |
| Include the date and time in the removable storage media log. CC ID 12318 [{removable storage media log} Whenever physical media are used for information transfer, a system should be put in place to record incoming and outgoing physical media containing PII, including the type of physical media, the authorized sender/recipients, the date and time, and the number of physical media. Where possible, cloud service customers should be asked to put additional measures in place (such as encryption) to ensure that the data can only be accessed at the point of destination and not en route. § 13.2.1 ¶ 3] | Records management | Preventive | |
| Include the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 [{removable storage media log} Whenever physical media are used for information transfer, a system should be put in place to record incoming and outgoing physical media containing PII, including the type of physical media, the authorized sender/recipients, the date and time, and the number of physical media. Where possible, cloud service customers should be asked to put additional measures in place (such as encryption) to ensure that the data can only be accessed at the point of destination and not en route. § 13.2.1 ¶ 3] | Records management | Preventive | |
| Include the recipient's name for the data transfer in the removable storage media log. CC ID 12753 [{removable storage media log} Whenever physical media are used for information transfer, a system should be put in place to record incoming and outgoing physical media containing PII, including the type of physical media, the authorized sender/recipients, the date and time, and the number of physical media. Where possible, cloud service customers should be asked to put additional measures in place (such as encryption) to ensure that the data can only be accessed at the point of destination and not en route. § 13.2.1 ¶ 3] | Records management | Preventive | |
| Include the sender's name in the removable storage media log. CC ID 12752 [{removable storage media log} Whenever physical media are used for information transfer, a system should be put in place to record incoming and outgoing physical media containing PII, including the type of physical media, the authorized sender/recipients, the date and time, and the number of physical media. Where possible, cloud service customers should be asked to put additional measures in place (such as encryption) to ensure that the data can only be accessed at the point of destination and not en route. § 13.2.1 ¶ 3] | Records management | Preventive | |
| Include the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 [{removable storage media log} Whenever physical media are used for information transfer, a system should be put in place to record incoming and outgoing physical media containing PII, including the type of physical media, the authorized sender/recipients, the date and time, and the number of physical media. Where possible, cloud service customers should be asked to put additional measures in place (such as encryption) to ensure that the data can only be accessed at the point of destination and not en route. § 13.2.1 ¶ 3] | Records management | Preventive | |
| Establish, implement, and maintain a system design project management framework. CC ID 00990 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain project management standards. CC ID 00992 | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Preventive | |
| Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398 [The public cloud PII processor should have a policy in respect of the return, transfer and/or disposal of PII and should make this policy available to the cloud service customer. § A.9.3 ¶ 2 The public cloud PII processor should provide information to the cloud service customer regarding the circumstances in which it uses cryptography to protect the PII it processes. The public cloud PII processor should also provide information to the cloud service customer about any capabilities it provides that may assist the cloud service customer in applying its own cryptographic protection. § 10.1.1 ¶ 3 The public cloud PII processor should provide information to the cloud service customer regarding the circumstances in which it uses cryptography to protect the PII it processes. The public cloud PII processor should also provide information to the cloud service customer about any capabilities it provides that may assist the cloud service customer in applying its own cryptographic protection. § 10.1.1 ¶ 3 PII-specific responsibilities in this respect may lie with the cloud service customer. Where the public cloud PII processor explicitly provides backup and restore services to the cloud service customer, the public cloud PII processor should provide clear information to the cloud service customer about the capabilities of the cloud service with respect to backup and restoration of the cloud service customer data. § 12.3.1 ¶ 4] | Privacy protection for information and data | Preventive | |
| Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 | Privacy protection for information and data | Preventive | |
| Establish and maintain a disclosure accounting record. CC ID 13022 | Privacy protection for information and data | Preventive | |
| Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 | Privacy protection for information and data | Preventive | |
| Include the disclosure date in the disclosure accounting record. CC ID 07133 [{disclosure accounting record} {disclosure recipient} {disclosure date} Disclosures of PII to third parties should be recorded, including what PII has been disclosed, to whom and at what time. § A.5.2 ¶ 2] | Privacy protection for information and data | Preventive | |
| Include the disclosure recipient in the disclosure accounting record. CC ID 07134 [{disclosure accounting record} {disclosure recipient} {disclosure date} Disclosures of PII to third parties should be recorded, including what PII has been disclosed, to whom and at what time. § A.5.2 ¶ 2] | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain Data Processing Contracts. CC ID 12650 [{technical measures} Contracts between the cloud service customer and the public cloud PII processor should specify minimum technical and organizational measures to ensure that the contracted security arrangements are in place and that data are not processed for any purpose independent of the instructions of the controller. Such measures should not be subject to unilateral reduction by the public cloud PII processor. § A.10.11 ¶ 2] | Privacy protection for information and data | Preventive | |
| Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 | Privacy protection for information and data | Preventive | |
| Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 [{technical measures} {information security obligations} Contracts between the public cloud PII processor and any sub-contractors that process PII should specify minimum technical and organizational measures that meet the information security and PII protection obligations of the public cloud PII processor. Such measures should not be subject to unilateral reduction by the sub-contractor. § A.10.12 ¶ 2] | Privacy protection for information and data | Preventive | |
| Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 | Privacy protection for information and data | Preventive | |
| Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 | Privacy protection for information and data | Preventive | |
| Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937 | Privacy protection for information and data | Preventive | |
| Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 | Privacy protection for information and data | Preventive | |
| Include the duration of processing in the Data Processing Contract. CC ID 14935 | Privacy protection for information and data | Preventive | |
| Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 | Privacy protection for information and data | Preventive | |
| Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 | Privacy protection for information and data | Preventive | |
| Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 | Privacy protection for information and data | Preventive | |
| Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 | Privacy protection for information and data | Preventive | |
| Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670 | Privacy protection for information and data | Preventive | |
| Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 [The public cloud PII processor should have a policy in respect of the return, transfer and/or disposal of PII and should make this policy available to the cloud service customer. § A.9.3 ¶ 2 The public cloud PII processor should have a policy in respect of the return, transfer and/or disposal of PII and should make this policy available to the cloud service customer. § A.9.3 ¶ 2] | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 | Privacy protection for information and data | Preventive | |
| Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 [PII processed under a contract should not be used by the public cloud PII processor for the purposes of marketing and advertising without express consent. Such consent should not be a condition of receiving the service. § A.2.2 ¶ 2] | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data access procedures. CC ID 00414 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 [{right to erasure} {right to rectification} The public cloud PII processor should provide the cloud service customer with the means to enable them to fulfil their obligation to facilitate the exercise of PII principals’ rights to access, correct and/or erase PII pertaining to them. § A.1.1 ¶ 2] | Privacy protection for information and data | Preventive | |
| Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 | Privacy protection for information and data | Preventive | |
| Define the exceptions to disclosure absent consent. CC ID 00135 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data collection program. CC ID 06487 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 | Privacy protection for information and data | Preventive | |
| Provide the data subject with information about the data controller during the collection process. CC ID 00023 | Privacy protection for information and data | Preventive | |
| Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026 [The use of sub-contractors by the public cloud PII processor to process PII should be disclosed to the relevant cloud service customers before their use. § A.7.1 ¶ 2] | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 [Individuals under the public cloud PII processor’s control with access to PII should be subject to a confidentiality obligation. § A.10.1 ¶ 2] | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain suspicious document procedures. CC ID 04852 | Privacy protection for information and data | Detective | |
| Establish, implement, and maintain a personal data transfer program. CC ID 00307 | Privacy protection for information and data | Preventive | |
| Include procedures for transferring personal data to third parties in the personal data transfer program. CC ID 00333 [The public cloud PII processor should have a policy in respect of the return, transfer and/or disposal of PII and should make this policy available to the cloud service customer. § A.9.3 ¶ 2] | Privacy protection for information and data | Preventive | |
| Document transfer disagreements by the data subject in writing. CC ID 00348 | Privacy protection for information and data | Preventive | |
| Define the personal data transfer exceptions for transferring personal data to another country when adequate protection level standards are not met. CC ID 00315 | Privacy protection for information and data | Preventive | |
| Define the personal data transfer exceptions for transferring personal data to another organization when adequate protection level standards are not met. CC ID 00336 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Preventive | |
| Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 | Third Party and supply chain oversight | Preventive | |
| Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 | Third Party and supply chain oversight | Preventive | |
| Include a description of the product or service to be provided in third party contracts. CC ID 06509 | Third Party and supply chain oversight | Preventive | |
| Include a description of the products or services fees in third party contracts. CC ID 10018 | Third Party and supply chain oversight | Preventive | |
| Include which parties are responsible for which fees in third party contracts. CC ID 10019 | Third Party and supply chain oversight | Preventive | |
| Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 | Third Party and supply chain oversight | Preventive | |
| Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 | Third Party and supply chain oversight | Preventive | |
| Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Third Party and supply chain oversight | Preventive | |
| Include the security requirements in the information flow agreement. CC ID 14244 | Third Party and supply chain oversight | Preventive | |
| Include the interface characteristics in the information flow agreement. CC ID 14240 | Third Party and supply chain oversight | Preventive | |
| Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528 | Third Party and supply chain oversight | Preventive | |
| Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 | Third Party and supply chain oversight | Preventive | |
| Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 | Third Party and supply chain oversight | Preventive | |
| Include a description of the data or information to be covered in third party contracts. CC ID 06510 | Third Party and supply chain oversight | Preventive | |
| Include text about data ownership in third party contracts. CC ID 06502 | Third Party and supply chain oversight | Preventive | |
| Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 | Third Party and supply chain oversight | Preventive | |
| Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 | Third Party and supply chain oversight | Preventive | |
| Include the contract duration in third party contracts. CC ID 16221 | Third Party and supply chain oversight | Preventive | |
| Include roles and responsibilities in third party contracts. CC ID 13487 | Third Party and supply chain oversight | Preventive | |
| Include cryptographic keys in third party contracts. CC ID 16179 | Third Party and supply chain oversight | Preventive | |
| Include bankruptcy provisions in third party contracts. CC ID 16519 | Third Party and supply chain oversight | Preventive | |
| Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 | Third Party and supply chain oversight | Preventive | |
| Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 | Third Party and supply chain oversight | Preventive | |
| Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 | Third Party and supply chain oversight | Preventive | |
| Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 | Third Party and supply chain oversight | Preventive | |
| Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 | Third Party and supply chain oversight | Preventive | |
| Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 | Third Party and supply chain oversight | Preventive | |
| Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 | Third Party and supply chain oversight | Preventive | |
| Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 | Third Party and supply chain oversight | Preventive | |
| Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 | Third Party and supply chain oversight | Preventive | |
| Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 | Third Party and supply chain oversight | Preventive | |
| Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 | Third Party and supply chain oversight | Preventive | |
| Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 | Third Party and supply chain oversight | Preventive | |
| Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 | Third Party and supply chain oversight | Preventive | |
| Include a reporting structure in third party contracts. CC ID 06532 | Third Party and supply chain oversight | Preventive | |
| Include points of contact in third party contracts. CC ID 12355 [The public cloud PII processor should designate a point of contact for use by the cloud service customer regarding the processing of PII under the contract. § 6.1.1 ¶ 3] | Third Party and supply chain oversight | Preventive | |
| Include financial reporting in third party contracts, as necessary. CC ID 13573 | Third Party and supply chain oversight | Preventive | |
| Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 | Third Party and supply chain oversight | Preventive | |
| Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 | Third Party and supply chain oversight | Preventive | |
| Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 | Third Party and supply chain oversight | Preventive | |
| Include an indemnification and liability clause in third party contracts. CC ID 06517 | Third Party and supply chain oversight | Preventive | |
| Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 | Third Party and supply chain oversight | Preventive | |
| Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 | Third Party and supply chain oversight | Preventive | |
| Include text regarding foreign-based third parties in third party contracts. CC ID 06722 | Third Party and supply chain oversight | Preventive | |
| Include change control clauses in third party contracts, as necessary. CC ID 06523 | Third Party and supply chain oversight | Preventive | |
| Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 | Third Party and supply chain oversight | Preventive | |
| Include triggers for renegotiating the contract in third party contracts. CC ID 06527 | Third Party and supply chain oversight | Preventive | |
| Include change control notification processes in third party contracts. CC ID 06524 | Third Party and supply chain oversight | Preventive | |
| Include cost structure changes in third party contracts. CC ID 10021 | Third Party and supply chain oversight | Preventive | |
| Include a choice of venue clause in third party contracts. CC ID 06520 | Third Party and supply chain oversight | Preventive | |
| Include a dispute resolution clause in third party contracts. CC ID 06519 | Third Party and supply chain oversight | Preventive | |
| Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 | Third Party and supply chain oversight | Preventive | |
| Include a termination provision clause in third party contracts. CC ID 01367 | Third Party and supply chain oversight | Detective | |
| Include early termination contingency plans in the third party contracts. CC ID 06526 | Third Party and supply chain oversight | Preventive | |
| Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 | Third Party and supply chain oversight | Preventive | |
| Include termination costs in third party contracts. CC ID 10023 | Third Party and supply chain oversight | Preventive | |
| Include text about obtaining adequate insurance in third party contracts. CC ID 06880 | Third Party and supply chain oversight | Preventive | |
| Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 | Third Party and supply chain oversight | Preventive | |
| Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 | Third Party and supply chain oversight | Preventive | |
| Include end-of-life information in third party contracts. CC ID 15265 | Third Party and supply chain oversight | Preventive | |
| Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791 | Third Party and supply chain oversight | Preventive | |
| Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 | Third Party and supply chain oversight | Preventive | |
| Include requirements for alternate processing facilities in third party contracts. CC ID 13059 | Third Party and supply chain oversight | Preventive | |
| Request attestation of compliance from third parties. CC ID 12067 | Third Party and supply chain oversight | Detective | |
Human Resources Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Define roles for information systems. CC ID 12454 | Technical security | Preventive | |
| Define access needs for each role assigned to an information system. CC ID 12455 | Technical security | Preventive | |
| Change authenticators after personnel status changes. CC ID 12284 | Technical security | Preventive | |
| Assign roles and responsibilities for administering user account management. CC ID 11900 | Technical security | Preventive | |
| Lead or manage business continuity and system continuity, as necessary. CC ID 12240 | Operational and Systems Continuity | Preventive | |
| Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 | Operational and Systems Continuity | Preventive | |
| Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 | Operational and Systems Continuity | Preventive | |
| Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 | Privacy protection for information and data | Preventive | |
IT Impact Zone | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
| Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
| Technical security CC ID 00508 | Technical security | IT Impact Zone | |
| Physical and environmental protection CC ID 00709 | Physical and environmental protection | IT Impact Zone | |
| Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
| Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
| Operational management CC ID 00805 | Operational management | IT Impact Zone | |
| System hardening through configuration management CC ID 00860 | System hardening through configuration management | IT Impact Zone | |
| Records management CC ID 00902 | Records management | IT Impact Zone | |
| Systems design, build, and implementation CC ID 00989 | Systems design, build, and implementation | IT Impact Zone | |
| Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
| Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone | |
Investigate | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925 | Monitoring and measurement | Corrective | |
| Take appropriate action to address information flow anomalies. CC ID 12164 | Technical security | Corrective | |
| Document information flow anomalies that do not fit normal traffic patterns. CC ID 12163 | Technical security | Detective | |
| Determine the cause for the activation of the recovery plan. CC ID 13291 | Operational and Systems Continuity | Detective | |
| Perform an identity check prior to approving an account change request. CC ID 13670 | Privacy protection for information and data | Detective | |
Log Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain logging and monitoring operations. CC ID 00637 | Monitoring and measurement | Detective | |
| Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 | Monitoring and measurement | Detective | |
| Establish, implement, and maintain event logging procedures. CC ID 01335 | Monitoring and measurement | Detective | |
| Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 [Log information recorded for purposes such as security monitoring and operational diagnostics may contain PII. Measures, such as controlling access (see 9.2.3), should be put in place to ensure that logged information is only used for its intended purposes. § 12.4.2 ¶ 3] | Monitoring and measurement | Preventive | |
| Protect the event logs from failure. CC ID 06290 | Monitoring and measurement | Preventive | |
| Review and update event logs and audit logs, as necessary. CC ID 00596 [A process should be put in place to review event logs with a specified, documented periodicity, to identify irregularities and propose remediation efforts. § 12.4.1 ¶ 3] | Monitoring and measurement | Detective | |
| Eliminate false positives in event logs and audit logs. CC ID 07047 | Monitoring and measurement | Corrective | |
| Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 | Monitoring and measurement | Detective | |
| Reproduce the event log if a log failure is captured. CC ID 01426 | Monitoring and measurement | Preventive | |
| Restrict access to logs to authorized individuals. CC ID 01342 | Monitoring and measurement | Preventive | |
| Refrain from recording unnecessary restricted data in logs. CC ID 06318 | Monitoring and measurement | Preventive | |
| Back up logs according to backup procedures. CC ID 01344 | Monitoring and measurement | Preventive | |
| Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 | Monitoring and measurement | Preventive | |
| Identify hosts with logs that are not being stored. CC ID 06314 | Monitoring and measurement | Preventive | |
| Identify hosts with logs that are being stored at the system level only. CC ID 06315 | Monitoring and measurement | Preventive | |
| Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 | Monitoring and measurement | Preventive | |
| Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 | Monitoring and measurement | Preventive | |
| Protect logs from unauthorized activity. CC ID 01345 [Where a cloud service customer is permitted to access log records controlled by the public cloud PII processor, the public cloud PII processor should ensure that the cloud service customer can only access records that relate to that cloud service customer’s activities, and cannot access any log records which relate to the activities of other cloud service customers. § 12.4.1 ¶ 6] | Monitoring and measurement | Preventive | |
| Perform testing and validating activities on all logs. CC ID 06322 | Monitoring and measurement | Preventive | |
| Archive the audit trail in accordance with compliance requirements. CC ID 00674 | Monitoring and measurement | Preventive | |
| Preserve the identity of individuals in audit trails. CC ID 10594 | Monitoring and measurement | Preventive | |
| Log the transfer of removable storage media. CC ID 12322 [Whenever physical media are used for information transfer, a system should be put in place to record incoming and outgoing physical media containing PII, including the type of physical media, the authorized sender/recipients, the date and time, and the number of physical media. Where possible, cloud service customers should be asked to put additional measures in place (such as encryption) to ensure that the data can only be accessed at the point of destination and not en route. § 13.2.1 ¶ 3] | Physical and environmental protection | Preventive | |
| Configure the log to capture creates, reads, updates, or deletes of records containing personal data. CC ID 11890 [Where possible, event logs should record whether or not PII has been changed (added, modified or deleted) as a result of an event and by whom. Where multiple service providers are involved in providing service from different service categories of the cloud computing reference architecture, there may be varied or shared roles in implementing this guidance. § 12.4.1 ¶ 4] | System hardening through configuration management | Detective | |
| Configure the log to capture the information referent when personal data is being accessed. CC ID 11968 | System hardening through configuration management | Detective | |
| Establish, implement, and maintain a removable storage media log. CC ID 12317 | Records management | Preventive | |
| Log the disclosure of personal data. CC ID 06628 [{disclosure accounting record} {disclosure recipient} {disclosure date} Disclosures of PII to third parties should be recorded, including what PII has been disclosed, to whom and at what time. § A.5.2 ¶ 2] | Privacy protection for information and data | Preventive | |
| Log the modification of personal data. CC ID 11844 | Privacy protection for information and data | Preventive | |
| Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 | Privacy protection for information and data | Detective | |
| Log dates for account name changes or address changes. CC ID 04876 | Privacy protection for information and data | Detective | |
Monitor and Evaluate Occurrences | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Enforce information flow control. CC ID 11781 | Technical security | Preventive | |
| Monitor and report on the organization's interconnectivity risk. CC ID 13172 | Technical security | Detective | |
| Perform content filtering scans on network traffic. CC ID 06761 | Technical security | Detective | |
| Perform content filtering scans on incoming and outgoing e-mail. CC ID 06733 | Technical security | Detective | |
| Monitor and evaluate business continuity management system performance. CC ID 12410 | Operational and Systems Continuity | Detective | |
| Record business continuity management system performance for posterity. CC ID 12411 | Operational and Systems Continuity | Preventive | |
| Check the precursors and indicators when assessing the security incidents. CC ID 01761 | Operational management | Corrective | |
| Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Privacy protection for information and data | Detective | |
| Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 | Privacy protection for information and data | Corrective | |
| Review accounts that are changed for additional user requests. CC ID 11846 | Privacy protection for information and data | Detective | |
| Review monitored websites for data leakage. CC ID 10593 | Privacy protection for information and data | Detective | |
Physical and Environmental Protection | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 | Physical and environmental protection | Preventive | |
| Establish and maintain off-site electronic media storage facilities. CC ID 00957 | Operational and Systems Continuity | Preventive | |
| Protect clients' hosted environments. CC ID 11862 [The public cloud PII processor should ensure that whenever data storage space is assigned to a cloud service customer, any data previously residing on that storage space is not visible to that cloud service customer. § A.10.13 ¶ 2] | Operational management | Preventive | |
| Destroy printed records so they cannot be reconstructed. CC ID 11779 [Where hardcopy materials are destroyed, they should be destroyed securely using mechanisms such as cross-cutting, shredding, incinerating, pulping, etc. § A.10.7 ¶ 2] | Records management | Preventive | |
Process or Activity | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 | Audits and risk management | Detective | |
| Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 | Audits and risk management | Detective | |
| Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 | Technical security | Preventive | |
| Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 | Operational and Systems Continuity | Preventive | |
| Coordinate continuity planning with community organizations, as necessary. CC ID 13259 | Operational and Systems Continuity | Preventive | |
| Revoke the written request to delay the notification. CC ID 16843 | Operational management | Preventive | |
| Post the incident response notification on the organization's website. CC ID 16809 | Operational management | Preventive | |
| Document the determination for providing a substitute incident response notification. CC ID 16841 | Operational management | Preventive | |
| Determine how long to keep records and logs before disposing them. CC ID 11661 [Temporary files and documents should be erased or destroyed within a specified, documented period. § A.4.1 ¶ 2] | Records management | Preventive | |
| Define each system's disposition requirements for records and logs. CC ID 11651 | Records management | Preventive | |
| Notify the data subject of the right to data portability. CC ID 12603 | Privacy protection for information and data | Preventive | |
| Provide the data subject with information about the right to erasure. CC ID 12602 [{right to erasure} {right to rectification} The public cloud PII processor should provide the cloud service customer with the means to enable them to fulfil their obligation to facilitate the exercise of PII principals’ rights to access, correct and/or erase PII pertaining to them. § A.1.1 ¶ 2] | Privacy protection for information and data | Preventive | |
| Refrain from processing restricted data if the restricted data is involved in a legal claim. CC ID 12668 | Privacy protection for information and data | Preventive | |
| Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778 | Privacy protection for information and data | Detective | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649 | Privacy protection for information and data | Preventive | |
| Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644 | Privacy protection for information and data | Preventive | |
| Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 | Privacy protection for information and data | Preventive | |
| Search the Internet for evidence of data leakage. CC ID 10419 | Privacy protection for information and data | Detective | |
| Alert appropriate personnel when data leakage is detected. CC ID 14715 | Privacy protection for information and data | Preventive | |
| Take appropriate action when a data leakage is discovered. CC ID 14716 | Privacy protection for information and data | Corrective | |
| Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 [The information security policies should be augmented by a statement concerning support for and commitment to achieving compliance with applicable PII protection legislation and the contractual terms agreed between the public cloud PII processor and its clients (cloud service customers). § 5.1.1 ¶ 3] | Third Party and supply chain oversight | Detective | |
| Assess third parties' compliance environment during due diligence. CC ID 13134 | Third Party and supply chain oversight | Detective | |
Records Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Control the transiting and internal distribution or external distribution of assets. CC ID 00963 | Physical and environmental protection | Preventive | |
| Obtain management authorization for restricted storage media transit or distribution from a controlled access area. CC ID 00964 [PII on media leaving the organization’s premises should be subject to an authorization procedure and should not be accessible to anyone other than authorized personnel (e.g. by encrypting the data concerned). § A.10.4 ¶ 2] | Physical and environmental protection | Preventive | |
| Retain records in accordance with applicable requirements. CC ID 00968 | Records management | Preventive | |
| Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621 | Records management | Preventive | |
| Implement and maintain backups and duplicate copies of organizational records. CC ID 00953 [Copies of security policies and operating procedures should be retained for a specified, documented period upon replacement (including updating). § A.9.2 ¶ 2 Copies of security policies and operating procedures should be retained for a specified, documented period upon replacement (including updating). § A.9.2 ¶ 2] | Records management | Preventive | |
| Establish, implement, and maintain the duplicate original of record indexes. CC ID 00954 | Records management | Preventive | |
| Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 | Records management | Preventive | |
| Submit personal data removal requests in writing. CC ID 11973 | Privacy protection for information and data | Preventive | |
| Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Privacy protection for information and data | Corrective | |
| Refrain from processing restricted data, as necessary. CC ID 12551 [PII to be processed under a contract should not be processed for any purpose independent of the instructions of the cloud service customer. § A.2.1 ¶ 2] | Privacy protection for information and data | Preventive | |
| Authorize the transfer of restricted data in accordance with organizational standards. CC ID 16428 | Privacy protection for information and data | Preventive | |
Systems Continuity | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Back up audit trails according to backup procedures. CC ID 11642 | Monitoring and measurement | Preventive | |
| Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 | Operational and Systems Continuity | Corrective | |
| Maintain normal security levels when an emergency occurs. CC ID 06377 | Operational and Systems Continuity | Preventive | |
| Execute fail-safe procedures when an emergency occurs. CC ID 07108 | Operational and Systems Continuity | Preventive | |
| Include the in scope system's location in the continuity plan. CC ID 16246 | Operational and Systems Continuity | Preventive | |
| Include the system description in the continuity plan. CC ID 16241 | Operational and Systems Continuity | Preventive | |
| Restore systems and environments to be operational. CC ID 13476 | Operational and Systems Continuity | Corrective | |
| Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 | Operational and Systems Continuity | Preventive | |
| Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 | Operational and Systems Continuity | Preventive | |
| Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 | Operational and Systems Continuity | Preventive | |
| Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664 | Operational and Systems Continuity | Preventive | |
| Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 | Operational and Systems Continuity | Corrective | |
| Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258 [{backup procedures} The back-up and recovery procedures should be reviewed at a specified, documented frequency. § 12.3.1 ¶ 7 The public cloud PII processor should have a policy which addresses the requirements for backup of information and any further requirements (e.g. contractual and/or legal requirements) for the erasure of PII contained in information held for backup purposes. § 12.3.1 ¶ 10] | Operational and Systems Continuity | Preventive | |
| Document the backup method and backup frequency on a case-by-case basis in the backup procedures. CC ID 01384 | Operational and Systems Continuity | Preventive | |
| Review the security of the off-site electronic media storage facilities, as necessary. CC ID 00573 | Operational and Systems Continuity | Detective | |
| Store backup media in a fire-rated container which is not collocated with the operational system. CC ID 14289 | Operational and Systems Continuity | Preventive | |
| Store backup vital records in a manner that is accessible for emergency retrieval. CC ID 12765 | Operational and Systems Continuity | Preventive | |
Systems Design, Build, and Implementation | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Initiate the System Development Life Cycle planning phase. CC ID 06266 | Systems design, build, and implementation | Preventive | |
Technical Security | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Identify cybersecurity events in event logs and audit logs. CC ID 13206 | Monitoring and measurement | Detective | |
| Deploy log normalization tools, as necessary. CC ID 12141 | Monitoring and measurement | Preventive | |
| Restrict access to audit trails to a need to know basis. CC ID 11641 | Monitoring and measurement | Preventive | |
| Implement safeguards to protect access credentials from unauthorized access. CC ID 16433 | Technical security | Preventive | |
| Identify information system users. CC ID 12081 | Technical security | Detective | |
| Review user accounts. CC ID 00525 | Technical security | Detective | |
| Identify and authenticate processes running on information systems that act on behalf of users. CC ID 12082 | Technical security | Detective | |
| Review shared accounts. CC ID 11840 | Technical security | Detective | |
| Control access rights to organizational assets. CC ID 00004 | Technical security | Preventive | |
| Generate but refrain from storing authenticators or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835 | Technical security | Preventive | |
| Define access needs for each system component of an information system. CC ID 12456 | Technical security | Preventive | |
| Define the level of privilege required for each system component of an information system. CC ID 12457 | Technical security | Preventive | |
| Establish access rights based on least privilege. CC ID 01411 | Technical security | Preventive | |
| Assign user permissions based on job responsibilities. CC ID 00538 | Technical security | Preventive | |
| Assign user privileges after they have management sign off. CC ID 00542 | Technical security | Preventive | |
| Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 | Technical security | Preventive | |
| Disallow unlocking user accounts absent system administrator approval. CC ID 01413 | Technical security | Preventive | |
| Establish session authenticity through Transport Layer Security. CC ID 01627 | Technical security | Preventive | |
| Include all system components in the access control system. CC ID 11939 | Technical security | Preventive | |
| Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 | Technical security | Preventive | |
| Enable attribute-based access control for objects and users on information systems. CC ID 16351 | Technical security | Preventive | |
| Enable role-based access control for objects and users on information systems. CC ID 12458 | Technical security | Preventive | |
| Enforce access restrictions for change control. CC ID 01428 | Technical security | Preventive | |
| Permit a limited set of user actions absent identification and authentication. CC ID 04849 | Technical security | Preventive | |
| Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262 | Technical security | Preventive | |
| Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770 | Technical security | Preventive | |
| Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964 | Technical security | Preventive | |
| Control user privileges. CC ID 11665 | Technical security | Preventive | |
| Review all user privileges, as necessary. CC ID 06784 | Technical security | Preventive | |
| Review each user's access capabilities when their role changes. CC ID 00524 | Technical security | Preventive | |
| Enable products restricted by Digital Rights Management to be used while offline. CC ID 07094 | Technical security | Preventive | |
| Establish, implement, and maintain User Access Management procedures. CC ID 00514 | Technical security | Preventive | |
| Review and approve logical access to all assets based upon organizational policies. CC ID 06641 | Technical security | Preventive | |
| Control the addition and modification of user identifiers, user credentials, or other authenticators. CC ID 00515 | Technical security | Preventive | |
| Automate access control methods, as necessary. CC ID 11838 | Technical security | Preventive | |
| Automate Access Control Systems, as necessary. CC ID 06854 | Technical security | Preventive | |
| Refrain from storing logon credentials for third party applications. CC ID 13690 | Technical security | Preventive | |
| Refrain from allowing user access to identifiers and authenticators used by applications. CC ID 10048 | Technical security | Preventive | |
| Remove inactive user accounts, as necessary. CC ID 00517 | Technical security | Corrective | |
| Remove temporary user accounts, as necessary. CC ID 11839 | Technical security | Corrective | |
| Enforce the password policy. CC ID 16347 | Technical security | Preventive | |
| Enforce usage restrictions for superuser accounts. CC ID 07064 | Technical security | Preventive | |
| Establish, implement, and maintain user accounts in accordance with the organizational Governance, Risk, and Compliance framework. CC ID 00526 | Technical security | Preventive | |
| Protect and manage biometric systems and biometric data. CC ID 01261 | Technical security | Preventive | |
| Implement out-of-band authentication, as necessary. CC ID 10606 | Technical security | Corrective | |
| Include digital identification procedures in the access control program. CC ID 11841 | Technical security | Preventive | |
| Restrict traffic or information flow based on the node type. CC ID 16396 | Technical security | Preventive | |
| Restrict traffic or information flow based on the destination address. CC ID 16378 | Technical security | Preventive | |
| Restrict traffic or information flow based on the origination address. CC ID 16484 | Technical security | Preventive | |
| Use content filtering scans to identify information flows by data type specification. CC ID 06762 | Technical security | Preventive | |
| Use content filtering scans to identify information flows by data type usage. CC ID 11818 | Technical security | Preventive | |
| Prevent encrypted data from bypassing content filtering mechanisms. CC ID 06758 | Technical security | Preventive | |
| Establish, implement, and maintain a data loss prevention solution to protect Access Control Lists. CC ID 12128 | Technical security | Preventive | |
| Manage the use of encryption controls and cryptographic controls. CC ID 00570 | Technical security | Preventive | |
| Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564 [{public network} PII that is transmitted over public data-transmission networks should be encrypted prior to transmission. § A.10.6 ¶ 2] | Technical security | Preventive | |
| Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 | Technical security | Preventive | |
| Encrypt traffic over networks with trusted cryptographic keys. CC ID 12490 | Technical security | Preventive | |
| Treat data messages that do not receive an acknowledgment as never been sent. CC ID 14416 | Technical security | Preventive | |
| Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 | Technical security | Preventive | |
| Protect application services information transmitted over a public network from unauthorized modification. CC ID 12021 | Technical security | Preventive | |
| Protect application services information transmitted over a public network from unauthorized disclosure. CC ID 12020 | Technical security | Preventive | |
| Protect application services information transmitted over a public network from contract disputes. CC ID 12019 | Technical security | Preventive | |
| Protect application services information transmitted over a public network from fraudulent activity. CC ID 12018 | Technical security | Preventive | |
| Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 | Operational and Systems Continuity | Preventive | |
| Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Operational management | Preventive | |
| Establish, implement, and maintain online storage controls. CC ID 00942 | Records management | Preventive | |
| Provide encryption for different types of electronic storage media. CC ID 00945 [{portable computing device} {removable media} Portable physical media and portable devices that do not permit encryption should not be used except where it is unavoidable, and any use of such portable media and devices should be documented. § A.10.5 ¶ 2] | Records management | Preventive | |
| Protect electronic messaging information. CC ID 12022 | Privacy protection for information and data | Preventive | |
| Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Privacy protection for information and data | Preventive | |
| Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Privacy protection for information and data | Preventive | |
| Implement security measures to protect personal data. CC ID 13606 | Privacy protection for information and data | Preventive | |
| Document the third parties compliance with the organization's system hardening framework. CC ID 04263 [{technical measures} Contracts between the cloud service customer and the public cloud PII processor should specify minimum technical and organizational measures to ensure that the contracted security arrangements are in place and that data are not processed for any purpose independent of the instructions of the controller. Such measures should not be subject to unilateral reduction by the public cloud PII processor. § A.10.11 ¶ 2] | Third Party and supply chain oversight | Detective | |
Testing | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427 | Monitoring and measurement | Preventive | |
| Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455 | Technical security | Detective | |
| Employ unique identifiers. CC ID 01273 [If more than one individual has access to stored PII, then they should each have a distinct user ID for identification, authentication and authorization purposes. § A.10.8 ¶ 2] | Technical security | Detective | |
| Require the system to identify and authenticate approved devices before establishing a connection. CC ID 01429 | Technical security | Preventive | |
| Implement non-repudiation for transactions. CC ID 00567 | Technical security | Detective | |
| Establish, implement, and maintain the organization's call tree. CC ID 01167 | Operational and Systems Continuity | Detective | |
| Test the recovery plan, as necessary. CC ID 13290 | Operational and Systems Continuity | Detective | |
| Test the backup information, as necessary. CC ID 13303 | Operational and Systems Continuity | Detective | |
| Separate the off-site electronic media storage facilities from the primary facility through geographic separation. CC ID 01390 | Operational and Systems Continuity | Detective | |
| Assess all incidents to determine what information was accessed. CC ID 01226 [An information security incident should trigger a review by the public cloud PII processor, as part of its information security incident management process, to determine if a data breach involving PII has taken place (see A.9.1). § 16.1.1 ¶ 3] | Operational management | Corrective | |
| Perform a risk assessment for each system development project. CC ID 01000 [{technical measures} Where the use of PII for testing purposes cannot be avoided a risk assessment should be undertaken. Technical and organizational measures should be implemented to minimize the risks identified. § 12.1.4 ¶ 3] | Systems design, build, and implementation | Detective | |
| Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Privacy protection for information and data | Detective | |
| Implement physical controls to protect personal data. CC ID 00355 | Privacy protection for information and data | Preventive | |
| Conduct personal data risk assessments. CC ID 00357 | Privacy protection for information and data | Detective | |
| Include third party requirements for personnel security in third party contracts. CC ID 00790 | Third Party and supply chain oversight | Detective | |
| Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 | Third Party and supply chain oversight | Detective | |
| Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 | Third Party and supply chain oversight | Detective | |
| Establish the third party's service continuity. CC ID 00797 | Third Party and supply chain oversight | Detective | |
| Determine the adequacy of a third party's alternate site preparations. CC ID 06879 | Third Party and supply chain oversight | Detective | |
| Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 | Third Party and supply chain oversight | Detective | |
Training | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Human Resources management | Preventive | |
Common Controls andThere are three types of Common Control classifications; corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
Corrective | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 | Monitoring and measurement | Establish/Maintain Documentation | |
| Eliminate false positives in event logs and audit logs. CC ID 07047 | Monitoring and measurement | Log Management | |
| Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925 | Monitoring and measurement | Investigate | |
| Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 | Technical security | Communicate | |
| Revoke asset access when a personnel status change occurs or an individual is terminated. CC ID 00516 | Technical security | Behavior | |
| Review and update accounts and access rights when notified of personnel status changes. CC ID 00788 | Technical security | Behavior | |
| Remove inactive user accounts, as necessary. CC ID 00517 | Technical security | Technical Security | |
| Remove temporary user accounts, as necessary. CC ID 11839 | Technical security | Technical Security | |
| Implement out-of-band authentication, as necessary. CC ID 10606 | Technical security | Technical Security | |
| Disseminate and communicate the access control procedures to all interested personnel and affected parties. CC ID 14123 | Technical security | Communicate | |
| Take appropriate action to address information flow anomalies. CC ID 12164 | Technical security | Investigate | |
| Quarantine data that fails security tests. CC ID 16500 | Technical security | Data and Information Management | |
| Report changes in the continuity plan to senior management. CC ID 12757 | Operational and Systems Continuity | Communicate | |
| Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 | Operational and Systems Continuity | Systems Continuity | |
| Restore systems and environments to be operational. CC ID 13476 | Operational and Systems Continuity | Systems Continuity | |
| Establish, implement, and maintain the continuity procedures. CC ID 14236 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 | Operational and Systems Continuity | Systems Continuity | |
| Assess all incidents to determine what information was accessed. CC ID 01226 [An information security incident should trigger a review by the public cloud PII processor, as part of its information security incident management process, to determine if a data breach involving PII has taken place (see A.9.1). § 16.1.1 ¶ 3] | Operational management | Testing | |
| Check the precursors and indicators when assessing the security incidents. CC ID 01761 | Operational management | Monitor and Evaluate Occurrences | |
| Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 [The public cloud PII processor should promptly notify the relevant cloud service customer in the event of any unauthorized access to PII or unauthorized access to processing equipment or facilities resulting in loss, disclosure or alteration of PII. § A.9.1 ¶ 2] | Operational management | Behavior | |
| Delay sending incident response notifications under predetermined conditions. CC ID 00804 | Operational management | Behavior | |
| Establish, implement, and maintain incident response notifications. CC ID 12975 | Operational management | Establish/Maintain Documentation | |
| Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Operational management | Communicate | |
| Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Operational management | Business Processes | |
| Send paper incident response notifications to affected parties, as necessary. CC ID 00366 | Operational management | Behavior | |
| Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 | Operational management | Behavior | |
| Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 | Operational management | Behavior | |
| Telephone incident response notifications to affected parties, as necessary. CC ID 04650 | Operational management | Behavior | |
| Publish the incident response notification in a general circulation periodical. CC ID 04651 | Operational management | Behavior | |
| Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 | Operational management | Behavior | |
| Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Operational management | Communicate | |
| Include incident recovery procedures in the Incident Management program. CC ID 01758 | Operational management | Establish/Maintain Documentation | |
| Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Privacy protection for information and data | Records Management | |
| Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Take appropriate action when a data leakage is discovered. CC ID 14716 | Privacy protection for information and data | Process or Activity | |
Detective | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Establish, implement, and maintain logging and monitoring operations. CC ID 00637 | Monitoring and measurement | Log Management | |
| Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 | Monitoring and measurement | Log Management | |
| Establish, implement, and maintain event logging procedures. CC ID 01335 | Monitoring and measurement | Log Management | |
| Review and update event logs and audit logs, as necessary. CC ID 00596 [A process should be put in place to review event logs with a specified, documented periodicity, to identify irregularities and propose remediation efforts. § 12.4.1 ¶ 3] | Monitoring and measurement | Log Management | |
| Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 | Monitoring and measurement | Log Management | |
| Identify cybersecurity events in event logs and audit logs. CC ID 13206 | Monitoring and measurement | Technical Security | |
| Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 | Audits and risk management | Establish/Maintain Documentation | |
| Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 | Audits and risk management | Process or Activity | |
| Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 | Audits and risk management | Process or Activity | |
| Identify information system users. CC ID 12081 | Technical security | Technical Security | |
| Review user accounts. CC ID 00525 | Technical security | Technical Security | |
| Match user accounts to authorized parties. CC ID 12126 | Technical security | Configuration | |
| Identify and authenticate processes running on information systems that act on behalf of users. CC ID 12082 | Technical security | Technical Security | |
| Review shared accounts. CC ID 11840 | Technical security | Technical Security | |
| Disallow application IDs from running as privileged users. CC ID 10050 | Technical security | Configuration | |
| Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455 | Technical security | Testing | |
| Notify interested personnel when user accounts are added or deleted. CC ID 14327 | Technical security | Communicate | |
| Employ unique identifiers. CC ID 01273 [If more than one individual has access to stored PII, then they should each have a distinct user ID for identification, authentication and authorization purposes. § A.10.8 ¶ 2] | Technical security | Testing | |
| Monitor and report on the organization's interconnectivity risk. CC ID 13172 | Technical security | Monitor and Evaluate Occurrences | |
| Perform content filtering scans on network traffic. CC ID 06761 | Technical security | Monitor and Evaluate Occurrences | |
| Document information flow anomalies that do not fit normal traffic patterns. CC ID 12163 | Technical security | Investigate | |
| Perform content filtering scans on incoming and outgoing e-mail. CC ID 06733 | Technical security | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain an automated information flow approval process or semi-automated information flow approval process for transmitting or receiving restricted data or restricted information. CC ID 06734 | Technical security | Data and Information Management | |
| Implement non-repudiation for transactions. CC ID 00567 | Technical security | Testing | |
| Monitor and evaluate business continuity management system performance. CC ID 12410 | Operational and Systems Continuity | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain the organization's call tree. CC ID 01167 | Operational and Systems Continuity | Testing | |
| Determine the cause for the activation of the recovery plan. CC ID 13291 | Operational and Systems Continuity | Investigate | |
| Test the recovery plan, as necessary. CC ID 13290 | Operational and Systems Continuity | Testing | |
| Test the backup information, as necessary. CC ID 13303 | Operational and Systems Continuity | Testing | |
| Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Determine which data elements to back up. CC ID 13483 | Operational and Systems Continuity | Data and Information Management | |
| Separate the off-site electronic media storage facilities from the primary facility through geographic separation. CC ID 01390 | Operational and Systems Continuity | Testing | |
| Review the security of the off-site electronic media storage facilities, as necessary. CC ID 00573 | Operational and Systems Continuity | Systems Continuity | |
| Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 | Operational management | Behavior | |
| Avoid false positive incident response notifications. CC ID 04732 | Operational management | Behavior | |
| Include information required by law in incident response notifications. CC ID 00802 | Operational management | Establish/Maintain Documentation | |
| Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 | Operational management | Establish/Maintain Documentation | |
| Configure the log to capture creates, reads, updates, or deletes of records containing personal data. CC ID 11890 [Where possible, event logs should record whether or not PII has been changed (added, modified or deleted) as a result of an event and by whom. Where multiple service providers are involved in providing service from different service categories of the cloud computing reference architecture, there may be varied or shared roles in implementing this guidance. § 12.4.1 ¶ 4] | System hardening through configuration management | Log Management | |
| Configure the log to capture the information referent when personal data is being accessed. CC ID 11968 | System hardening through configuration management | Log Management | |
| Define each system's preservation requirements for records and logs. CC ID 00904 | Records management | Establish/Maintain Documentation | |
| Perform a risk assessment for each system development project. CC ID 01000 [{technical measures} Where the use of PII for testing purposes cannot be avoided a risk assessment should be undertaken. Technical and organizational measures should be implemented to minimize the risks identified. § 12.1.4 ¶ 3] | Systems design, build, and implementation | Testing | |
| Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778 | Privacy protection for information and data | Process or Activity | |
| Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Privacy protection for information and data | Testing | |
| Conduct personal data risk assessments. CC ID 00357 | Privacy protection for information and data | Testing | |
| Establish, implement, and maintain suspicious document procedures. CC ID 04852 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 | Privacy protection for information and data | Data and Information Management | |
| Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Perform an identity check prior to approving an account change request. CC ID 13670 | Privacy protection for information and data | Investigate | |
| Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 | Privacy protection for information and data | Behavior | |
| Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 | Privacy protection for information and data | Data and Information Management | |
| Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 | Privacy protection for information and data | Log Management | |
| Log dates for account name changes or address changes. CC ID 04876 | Privacy protection for information and data | Log Management | |
| Review accounts that are changed for additional user requests. CC ID 11846 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Send change notices for change of address requests to the old address and the new address. CC ID 04877 | Privacy protection for information and data | Data and Information Management | |
| Search the Internet for evidence of data leakage. CC ID 10419 | Privacy protection for information and data | Process or Activity | |
| Review monitored websites for data leakage. CC ID 10593 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 [The information security policies should be augmented by a statement concerning support for and commitment to achieving compliance with applicable PII protection legislation and the contractual terms agreed between the public cloud PII processor and its clients (cloud service customers). § 5.1.1 ¶ 3] | Third Party and supply chain oversight | Process or Activity | |
| Include a termination provision clause in third party contracts. CC ID 01367 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include third party requirements for personnel security in third party contracts. CC ID 00790 | Third Party and supply chain oversight | Testing | |
| Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 | Third Party and supply chain oversight | Testing | |
| Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 | Third Party and supply chain oversight | Testing | |
| Establish the third party's service continuity. CC ID 00797 | Third Party and supply chain oversight | Testing | |
| Determine the adequacy of a third party's alternate site preparations. CC ID 06879 | Third Party and supply chain oversight | Testing | |
| Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 | Third Party and supply chain oversight | Data and Information Management | |
| Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 | Third Party and supply chain oversight | Testing | |
| Assess third parties' compliance environment during due diligence. CC ID 13134 | Third Party and supply chain oversight | Process or Activity | |
| Request attestation of compliance from third parties. CC ID 12067 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Document the third parties compliance with the organization's system hardening framework. CC ID 04263 [{technical measures} Contracts between the cloud service customer and the public cloud PII processor should specify minimum technical and organizational measures to ensure that the contracted security arrangements are in place and that data are not processed for any purpose independent of the instructions of the controller. Such measures should not be subject to unilateral reduction by the public cloud PII processor. § A.10.11 ¶ 2] | Third Party and supply chain oversight | Technical Security | |
IT Impact Zone | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
| Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
| Technical security CC ID 00508 | Technical security | IT Impact Zone | |
| Physical and environmental protection CC ID 00709 | Physical and environmental protection | IT Impact Zone | |
| Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
| Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
| Operational management CC ID 00805 | Operational management | IT Impact Zone | |
| System hardening through configuration management CC ID 00860 | System hardening through configuration management | IT Impact Zone | |
| Records management CC ID 00902 | Records management | IT Impact Zone | |
| Systems design, build, and implementation CC ID 00989 | Systems design, build, and implementation | IT Impact Zone | |
| Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
| Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone | |
Preventive | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 [Log information recorded for purposes such as security monitoring and operational diagnostics may contain PII. Measures, such as controlling access (see 9.2.3), should be put in place to ensure that logged information is only used for its intended purposes. § 12.4.2 ¶ 3] | Monitoring and measurement | Log Management | |
| Protect the event logs from failure. CC ID 06290 | Monitoring and measurement | Log Management | |
| Overwrite the oldest records when audit logging fails. CC ID 14308 | Monitoring and measurement | Data and Information Management | |
| Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427 | Monitoring and measurement | Testing | |
| Include identity information of suspects in the suspicious activity report. CC ID 16648 | Monitoring and measurement | Establish/Maintain Documentation | |
| Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424 | Monitoring and measurement | Audits and Risk Management | |
| Reproduce the event log if a log failure is captured. CC ID 01426 | Monitoring and measurement | Log Management | |
| Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a log management program. CC ID 00673 [The public cloud PII processor should define criteria regarding if, when and how log information can be made available to or usable by the cloud service customer. These procedures should be made available to the cloud service customer. § 12.4.1 ¶ 5] | Monitoring and measurement | Establish/Maintain Documentation | |
| Deploy log normalization tools, as necessary. CC ID 12141 | Monitoring and measurement | Technical Security | |
| Restrict access to logs to authorized individuals. CC ID 01342 | Monitoring and measurement | Log Management | |
| Restrict access to audit trails to a need to know basis. CC ID 11641 | Monitoring and measurement | Technical Security | |
| Refrain from recording unnecessary restricted data in logs. CC ID 06318 | Monitoring and measurement | Log Management | |
| Back up audit trails according to backup procedures. CC ID 11642 | Monitoring and measurement | Systems Continuity | |
| Back up logs according to backup procedures. CC ID 01344 | Monitoring and measurement | Log Management | |
| Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 | Monitoring and measurement | Log Management | |
| Identify hosts with logs that are not being stored. CC ID 06314 | Monitoring and measurement | Log Management | |
| Identify hosts with logs that are being stored at the system level only. CC ID 06315 | Monitoring and measurement | Log Management | |
| Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 | Monitoring and measurement | Log Management | |
| Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 | Monitoring and measurement | Log Management | |
| Protect logs from unauthorized activity. CC ID 01345 [Where a cloud service customer is permitted to access log records controlled by the public cloud PII processor, the public cloud PII processor should ensure that the cloud service customer can only access records that relate to that cloud service customer’s activities, and cannot access any log records which relate to the activities of other cloud service customers. § 12.4.1 ¶ 6] | Monitoring and measurement | Log Management | |
| Perform testing and validating activities on all logs. CC ID 06322 | Monitoring and measurement | Log Management | |
| Archive the audit trail in accordance with compliance requirements. CC ID 00674 | Monitoring and measurement | Log Management | |
| Enforce dual authorization as a part of information flow control for logs. CC ID 10098 | Monitoring and measurement | Configuration | |
| Preserve the identity of individuals in audit trails. CC ID 10594 | Monitoring and measurement | Log Management | |
| Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 | Monitoring and measurement | Establish/Maintain Documentation | |
| Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 | Monitoring and measurement | Audits and Risk Management | |
| Establish, implement, and maintain a Statement of Compliance. CC ID 12499 | Audits and risk management | Establish/Maintain Documentation | |
| Include a commitment to comply with recommendations from applicable statutory bodies in the Statement of Compliance. CC ID 12371 [The information security policies should be augmented by a statement concerning support for and commitment to achieving compliance with applicable PII protection legislation and the contractual terms agreed between the public cloud PII processor and its clients (cloud service customers). § 5.1.1 ¶ 3] | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a risk management program. CC ID 12051 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Establish/Maintain Documentation | |
| Prioritize and select controls based on the risk assessment findings. CC ID 00707 [{technical measures} Where the use of PII for testing purposes cannot be avoided a risk assessment should be undertaken. Technical and organizational measures should be implemented to minimize the risks identified. § 12.1.4 ¶ 3] | Audits and risk management | Audits and Risk Management | |
| Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 | Audits and risk management | Audits and Risk Management | |
| Establish, implement, and maintain an access control program. CC ID 11702 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain an access rights management plan. CC ID 00513 [Procedures for user registration and de-registration should address the situation where user access control is compromised, such as the corruption or compromise of passwords or other user registration data (e.g. as a result of inadvertent disclosure). § 9.2.1 ¶ 3] | Technical security | Establish/Maintain Documentation | |
| Implement safeguards to protect access credentials from unauthorized access. CC ID 16433 | Technical security | Technical Security | |
| Inventory all user accounts. CC ID 13732 | Technical security | Establish/Maintain Documentation | |
| Establish and maintain contact information for user accounts, as necessary. CC ID 15418 | Technical security | Data and Information Management | |
| Control access rights to organizational assets. CC ID 00004 | Technical security | Technical Security | |
| Configure access control lists in accordance with organizational standards. CC ID 16465 | Technical security | Configuration | |
| Add all devices requiring access control to the Access Control List. CC ID 06264 | Technical security | Establish/Maintain Documentation | |
| Generate but refrain from storing authenticators or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835 | Technical security | Technical Security | |
| Define roles for information systems. CC ID 12454 | Technical security | Human Resources Management | |
| Define access needs for each role assigned to an information system. CC ID 12455 | Technical security | Human Resources Management | |
| Define access needs for each system component of an information system. CC ID 12456 | Technical security | Technical Security | |
| Define the level of privilege required for each system component of an information system. CC ID 12457 | Technical security | Technical Security | |
| Establish access rights based on least privilege. CC ID 01411 | Technical security | Technical Security | |
| Assign user permissions based on job responsibilities. CC ID 00538 | Technical security | Technical Security | |
| Assign user privileges after they have management sign off. CC ID 00542 | Technical security | Technical Security | |
| Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 | Technical security | Configuration | |
| Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 | Technical security | Technical Security | |
| Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 | Technical security | Configuration | |
| Disallow unlocking user accounts absent system administrator approval. CC ID 01413 | Technical security | Technical Security | |
| Establish, implement, and maintain session lock capabilities. CC ID 01417 | Technical security | Configuration | |
| Limit concurrent sessions according to account type. CC ID 01416 | Technical security | Configuration | |
| Establish session authenticity through Transport Layer Security. CC ID 01627 | Technical security | Technical Security | |
| Configure the "tlsverify" argument to organizational standards. CC ID 14460 | Technical security | Configuration | |
| Configure the "tlscacert" argument to organizational standards. CC ID 14521 | Technical security | Configuration | |
| Configure the "tlscert" argument to organizational standards. CC ID 14520 | Technical security | Configuration | |
| Configure the "tlskey" argument to organizational standards. CC ID 14519 | Technical security | Configuration | |
| Enable access control for objects and users on each system. CC ID 04553 [In the context of the service categories of the cloud computing reference architecture, the cloud service customer may be responsible for some or all aspects of access management for cloud service users under its control. Where appropriate, the public cloud PII processor should enable the cloud service customer to manage access by cloud service users under the cloud service customer’s control, such as by providing administrative rights to manage or terminate access. § 9.2 ¶ 3] | Technical security | Configuration | |
| Include all system components in the access control system. CC ID 11939 | Technical security | Technical Security | |
| Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 | Technical security | Process or Activity | |
| Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 | Technical security | Technical Security | |
| Enable attribute-based access control for objects and users on information systems. CC ID 16351 | Technical security | Technical Security | |
| Enable role-based access control for objects and users on information systems. CC ID 12458 | Technical security | Technical Security | |
| Include the objects and users subject to access control in the security policy. CC ID 11836 | Technical security | Establish/Maintain Documentation | |
| Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Technical security | Establish Roles | |
| Enforce access restrictions for change control. CC ID 01428 | Technical security | Technical Security | |
| Enforce access restrictions for restricted data. CC ID 01921 | Technical security | Data and Information Management | |
| Permit a limited set of user actions absent identification and authentication. CC ID 04849 | Technical security | Technical Security | |
| Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262 | Technical security | Technical Security | |
| Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 | Technical security | Establish/Maintain Documentation | |
| Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 | Technical security | Establish/Maintain Documentation | |
| Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770 | Technical security | Technical Security | |
| Display previous logon information in the logon banner. CC ID 01415 | Technical security | Configuration | |
| Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771 | Technical security | Establish/Maintain Documentation | |
| Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964 | Technical security | Technical Security | |
| Control user privileges. CC ID 11665 | Technical security | Technical Security | |
| Review all user privileges, as necessary. CC ID 06784 | Technical security | Technical Security | |
| Encrypt files and move them to a secure file server when a user account is disabled. CC ID 07065 | Technical security | Configuration | |
| Change authenticators after personnel status changes. CC ID 12284 | Technical security | Human Resources Management | |
| Review each user's access capabilities when their role changes. CC ID 00524 | Technical security | Technical Security | |
| Establish and maintain a Digital Rights Management program. CC ID 07093 | Technical security | Establish/Maintain Documentation | |
| Enable products restricted by Digital Rights Management to be used while offline. CC ID 07094 | Technical security | Technical Security | |
| Establish, implement, and maintain User Access Management procedures. CC ID 00514 | Technical security | Technical Security | |
| Establish, implement, and maintain an authority for access authorization list. CC ID 06782 | Technical security | Establish/Maintain Documentation | |
| Review and approve logical access to all assets based upon organizational policies. CC ID 06641 | Technical security | Technical Security | |
| Control the addition and modification of user identifiers, user credentials, or other authenticators. CC ID 00515 | Technical security | Technical Security | |
| Assign roles and responsibilities for administering user account management. CC ID 11900 | Technical security | Human Resources Management | |
| Automate access control methods, as necessary. CC ID 11838 | Technical security | Technical Security | |
| Automate Access Control Systems, as necessary. CC ID 06854 | Technical security | Technical Security | |
| Refrain from storing logon credentials for third party applications. CC ID 13690 | Technical security | Technical Security | |
| Refrain from allowing user access to identifiers and authenticators used by applications. CC ID 10048 | Technical security | Technical Security | |
| Establish, implement, and maintain a password policy. CC ID 16346 | Technical security | Establish/Maintain Documentation | |
| Enforce the password policy. CC ID 16347 | Technical security | Technical Security | |
| Disseminate and communicate the password policies and password procedures to all users who have access to restricted data or restricted information. CC ID 00518 | Technical security | Establish/Maintain Documentation | |
| Limit superuser accounts to designated System Administrators. CC ID 06766 | Technical security | Configuration | |
| Enforce usage restrictions for superuser accounts. CC ID 07064 | Technical security | Technical Security | |
| Establish, implement, and maintain user accounts in accordance with the organizational Governance, Risk, and Compliance framework. CC ID 00526 | Technical security | Technical Security | |
| Protect and manage biometric systems and biometric data. CC ID 01261 | Technical security | Technical Security | |
| Establish, implement, and maintain biometric collection procedures. CC ID 15419 | Technical security | Establish/Maintain Documentation | |
| Document the business need justification for authentication data storage. CC ID 06325 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain access control procedures. CC ID 11663 [Where required, the public cloud PII processor should provide secure log-on procedures for any accounts requested by the cloud service customer for cloud service users under its control. § 9.4.2 ¶ 3] | Technical security | Establish/Maintain Documentation | |
| Grant access to authorized personnel or systems. CC ID 12186 | Technical security | Configuration | |
| Document approving and granting access in the access control log. CC ID 06786 | Technical security | Establish/Maintain Documentation | |
| Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 | Technical security | Communicate | |
| Include the user identifiers of all personnel who are authorized to access a system in the system record. CC ID 15171 | Technical security | Establish/Maintain Documentation | |
| Include identity information of all personnel who are authorized to access a system in the system record. CC ID 16406 | Technical security | Establish/Maintain Documentation | |
| Include the date and time that access was reviewed in the system record. CC ID 16416 | Technical security | Data and Information Management | |
| Include the date and time that access rights were changed in the system record. CC ID 16415 | Technical security | Establish/Maintain Documentation | |
| Include digital identification procedures in the access control program. CC ID 11841 | Technical security | Technical Security | |
| Enforce information flow control. CC ID 11781 | Technical security | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain information flow control configuration standards. CC ID 01924 [PII transmitted using a data-transmission network should be subject to appropriate controls designed to ensure that data reaches its intended destination. § A.11.2 ¶ 2] | Technical security | Establish/Maintain Documentation | |
| Restrict traffic or information flow based on the node type. CC ID 16396 | Technical security | Technical Security | |
| Restrict traffic or information flow based on the destination address. CC ID 16378 | Technical security | Technical Security | |
| Restrict traffic or information flow based on the origination address. CC ID 16484 | Technical security | Technical Security | |
| Assign appropriate roles for enabling or disabling information flow controls. CC ID 06760 | Technical security | Establish Roles | |
| Require the system to identify and authenticate approved devices before establishing a connection. CC ID 01429 | Technical security | Testing | |
| Maintain a record of the challenge state during identification and authentication in an automated information exchange. CC ID 06629 | Technical security | Establish/Maintain Documentation | |
| Configure network flow monitoring to organizational standards. CC ID 16364 | Technical security | Configuration | |
| Develop and implement a content filtering word and phrase library. CC ID 07071 | Technical security | Establish/Maintain Documentation | |
| Use content filtering scans to identify information flows by data type specification. CC ID 06762 | Technical security | Technical Security | |
| Use content filtering scans to identify information flows by data type usage. CC ID 11818 | Technical security | Technical Security | |
| Prevent encrypted data from bypassing content filtering mechanisms. CC ID 06758 | Technical security | Technical Security | |
| Establish, implement, and maintain a data loss prevention solution to protect Access Control Lists. CC ID 12128 | Technical security | Technical Security | |
| Constrain the information flow of restricted data or restricted information. CC ID 06763 | Technical security | Data and Information Management | |
| Restrict access to restricted data and restricted information on a need to know basis. CC ID 12453 | Technical security | Data and Information Management | |
| Prohibit restricted data or restricted information from being sent to mobile devices. CC ID 04725 | Technical security | Data and Information Management | |
| Prohibit restricted data or restricted information from being copied or moved absent approval of system boundaries for information flow control. CC ID 06310 | Technical security | Data and Information Management | |
| Manage the use of encryption controls and cryptographic controls. CC ID 00570 | Technical security | Technical Security | |
| Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564 [{public network} PII that is transmitted over public data-transmission networks should be encrypted prior to transmission. § A.10.6 ¶ 2] | Technical security | Technical Security | |
| Ensure restricted data or restricted information are encrypted prior to or at the time of transmission. CC ID 01749 | Technical security | Configuration | |
| Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 | Technical security | Technical Security | |
| Encrypt traffic over networks with trusted cryptographic keys. CC ID 12490 | Technical security | Technical Security | |
| Authorize transactions of data transmitted over public networks or shared data networks. CC ID 00566 | Technical security | Establish/Maintain Documentation | |
| Treat data messages that do not receive an acknowledgment as never been sent. CC ID 14416 | Technical security | Technical Security | |
| Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 | Technical security | Technical Security | |
| Protect application services information transmitted over a public network from unauthorized modification. CC ID 12021 | Technical security | Technical Security | |
| Protect application services information transmitted over a public network from unauthorized disclosure. CC ID 12020 | Technical security | Technical Security | |
| Protect application services information transmitted over a public network from contract disputes. CC ID 12019 | Technical security | Technical Security | |
| Protect application services information transmitted over a public network from fraudulent activity. CC ID 12018 | Technical security | Technical Security | |
| Establish, implement, and maintain a physical security program. CC ID 11757 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 | Physical and environmental protection | Physical and Environmental Protection | |
| Control the transiting and internal distribution or external distribution of assets. CC ID 00963 | Physical and environmental protection | Records Management | |
| Obtain management authorization for restricted storage media transit or distribution from a controlled access area. CC ID 00964 [PII on media leaving the organization’s premises should be subject to an authorization procedure and should not be accessible to anyone other than authorized personnel (e.g. by encrypting the data concerned). § A.10.4 ¶ 2] | Physical and environmental protection | Records Management | |
| Establish, implement, and maintain removable storage media controls. CC ID 06680 | Physical and environmental protection | Data and Information Management | |
| Control access to restricted storage media. CC ID 04889 [Whenever physical media are used for information transfer, a system should be put in place to record incoming and outgoing physical media containing PII, including the type of physical media, the authorized sender/recipients, the date and time, and the number of physical media. Where possible, cloud service customers should be asked to put additional measures in place (such as encryption) to ensure that the data can only be accessed at the point of destination and not en route. § 13.2.1 ¶ 3] | Physical and environmental protection | Data and Information Management | |
| Log the transfer of removable storage media. CC ID 12322 [Whenever physical media are used for information transfer, a system should be put in place to record incoming and outgoing physical media containing PII, including the type of physical media, the authorized sender/recipients, the date and time, and the number of physical media. Where possible, cloud service customers should be asked to put additional measures in place (such as encryption) to ensure that the data can only be accessed at the point of destination and not en route. § 13.2.1 ¶ 3] | Physical and environmental protection | Log Management | |
| Establish, implement, and maintain storage media access control procedures. CC ID 00959 | Physical and environmental protection | Establish/Maintain Documentation | |
| Require removable storage media be in the custody of an authorized individual. CC ID 12319 [PII on media leaving the organization’s premises should be subject to an authorization procedure and should not be accessible to anyone other than authorized personnel (e.g. by encrypting the data concerned). § A.10.4 ¶ 2] | Physical and environmental protection | Behavior | |
| Establish, implement, and maintain mobile device security guidelines. CC ID 04723 | Physical and environmental protection | Establish/Maintain Documentation | |
| Encrypt information stored on mobile devices. CC ID 01422 [{portable computing device} {removable media} Portable physical media and portable devices that do not permit encryption should not be used except where it is unavoidable, and any use of such portable media and devices should be documented. § A.10.5 ¶ 2] | Physical and environmental protection | Data and Information Management | |
| Establish, implement, and maintain a business continuity program. CC ID 13210 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Establish, implement, and maintain a continuity plan. CC ID 00752 [{backup procedures} The back-up and recovery procedures should be reviewed at a specified, documented frequency. § 12.3.1 ¶ 7] | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Identify all stakeholders in the continuity plan. CC ID 13256 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 | Operational and Systems Continuity | Communicate | |
| Maintain normal security levels when an emergency occurs. CC ID 06377 | Operational and Systems Continuity | Systems Continuity | |
| Execute fail-safe procedures when an emergency occurs. CC ID 07108 | Operational and Systems Continuity | Systems Continuity | |
| Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Lead or manage business continuity and system continuity, as necessary. CC ID 12240 | Operational and Systems Continuity | Human Resources Management | |
| Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 | Operational and Systems Continuity | Human Resources Management | |
| Include the in scope system's location in the continuity plan. CC ID 16246 | Operational and Systems Continuity | Systems Continuity | |
| Include the system description in the continuity plan. CC ID 16241 | Operational and Systems Continuity | Systems Continuity | |
| Establish, implement, and maintain redundant systems. CC ID 16354 | Operational and Systems Continuity | Configuration | |
| Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 | Operational and Systems Continuity | Behavior | |
| Include identification procedures in the continuity plan, as necessary. CC ID 14372 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include the continuity strategy in the continuity plan. CC ID 13189 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 | Operational and Systems Continuity | Technical Security | |
| Document and use the lessons learned to update the continuity plan. CC ID 10037 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 | Operational and Systems Continuity | Process or Activity | |
| Record business continuity management system performance for posterity. CC ID 12411 | Operational and Systems Continuity | Monitor and Evaluate Occurrences | |
| Coordinate continuity planning with community organizations, as necessary. CC ID 13259 | Operational and Systems Continuity | Process or Activity | |
| Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include incident management procedures in the continuity plan. CC ID 13244 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include the use of virtual meeting tools in the continuity plan. CC ID 14390 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 | Operational and Systems Continuity | Establish Roles | |
| Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 | Operational and Systems Continuity | Communicate | |
| Document the uninterrupted power requirements for all in scope systems. CC ID 06707 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 | Operational and Systems Continuity | Configuration | |
| Install a generator sized to support the facility. CC ID 06709 | Operational and Systems Continuity | Configuration | |
| Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 | Operational and Systems Continuity | Acquisition/Sale of Assets or Services | |
| Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include notifications to alternate facilities in the continuity plan. CC ID 13220 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 | Operational and Systems Continuity | Systems Continuity | |
| Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Establish, implement, and maintain damage assessment procedures. CC ID 01267 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Establish, implement, and maintain a recovery plan. CC ID 13288 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 | Operational and Systems Continuity | Communicate | |
| Include procedures to restore network connectivity in the recovery plan. CC ID 16250 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include addressing backup failures in the recovery plan. CC ID 13298 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 | Operational and Systems Continuity | Human Resources Management | |
| Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include the criteria for activation in the recovery plan. CC ID 13293 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include escalation procedures in the recovery plan. CC ID 16248 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 | Operational and Systems Continuity | Communicate | |
| Include restoration procedures in the continuity plan. CC ID 01169 [Procedures should be put in place to allow for restoration of data processing operations within a specified, documented period after a disruptive event. § 12.3.1 ¶ 6 {data restoration process} There should be a procedure for, and a log of, data restoration efforts. § A.10.3 ¶ 2] | Operational and Systems Continuity | Establish Roles | |
| Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include the recovery plan in the continuity plan. CC ID 01377 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 | Operational and Systems Continuity | Communicate | |
| Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 | Operational and Systems Continuity | Systems Continuity | |
| Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 | Operational and Systems Continuity | Systems Continuity | |
| Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664 | Operational and Systems Continuity | Systems Continuity | |
| Establish, implement, and maintain system continuity plan strategies. CC ID 00735 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258 [{backup procedures} The back-up and recovery procedures should be reviewed at a specified, documented frequency. § 12.3.1 ¶ 7 The public cloud PII processor should have a policy which addresses the requirements for backup of information and any further requirements (e.g. contractual and/or legal requirements) for the erasure of PII contained in information held for backup purposes. § 12.3.1 ¶ 10] | Operational and Systems Continuity | Systems Continuity | |
| Document the backup method and backup frequency on a case-by-case basis in the backup procedures. CC ID 01384 | Operational and Systems Continuity | Systems Continuity | |
| Establish and maintain off-site electronic media storage facilities. CC ID 00957 | Operational and Systems Continuity | Physical and Environmental Protection | |
| Configure the off-site electronic media storage facilities to utilize timely and effective recovery operations. CC ID 01392 | Operational and Systems Continuity | Configuration | |
| Outline explicit mitigation actions for potential off-site electronic media storage facilities accessibility issues for when area-wide disruptions occur or area-wide disasters occur. CC ID 01393 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Store backup media at an off-site electronic media storage facility. CC ID 01332 [Information processing systems based on the cloud computing model introduce additional or alternative mechanisms to off-site backups for protecting against loss of data, ensuring continuity of data processing operations, and providing the ability to restore data processing operations after a disruptive event. Multiple copies of data in physically and/or logically diverse locations (which may be within the information processing system itself) should be created or maintained for the purposes of backup and/or recovery. § 12.3.1 ¶ 3] | Operational and Systems Continuity | Data and Information Management | |
| Transport backup media in lockable electronic media storage containers. CC ID 01264 | Operational and Systems Continuity | Data and Information Management | |
| Store backup media in a fire-rated container which is not collocated with the operational system. CC ID 14289 | Operational and Systems Continuity | Systems Continuity | |
| Identify the access methods for backup media at both the primary facility and the off-site electronic media storage facility. CC ID 01257 | Operational and Systems Continuity | Data and Information Management | |
| Store backup vital records in a manner that is accessible for emergency retrieval. CC ID 12765 | Operational and Systems Continuity | Systems Continuity | |
| Establish, implement, and maintain security controls to protect offsite data. CC ID 16259 | Operational and Systems Continuity | Data and Information Management | |
| Train all personnel and third parties, as necessary. CC ID 00785 | Human Resources management | Behavior | |
| Establish, implement, and maintain training plans. CC ID 00828 | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a security awareness program. CC ID 11746 | Human Resources management | Establish/Maintain Documentation | |
| Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 [{training} Measures should be put in place to make relevant staff aware of the possible consequences on the public cloud PII processor (e.g. legal consequences, loss of business and brand or reputational damage), on the staff member (e.g. disciplinary consequences) and on the PII principal (e.g. physical, material and emotional consequences) of breaching privacy or security rules and procedures, especially those addressing the handling of PII. § 7.2.2 ¶ 3] | Human Resources management | Behavior | |
| Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 | Human Resources management | Behavior | |
| Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Human Resources management | Training | |
| Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 | Human Resources management | Establish/Maintain Documentation | |
| Manage cloud services. CC ID 13144 | Operational management | Business Processes | |
| Protect clients' hosted environments. CC ID 11862 [The public cloud PII processor should ensure that whenever data storage space is assigned to a cloud service customer, any data previously residing on that storage space is not visible to that cloud service customer. § A.10.13 ¶ 2] | Operational management | Physical and Environmental Protection | |
| Notify cloud customers of the geographic locations of the cloud service organization and its assets. CC ID 13037 | Operational management | Communicate | |
| Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an information security program. CC ID 00812 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 [In cases where individual cloud service customer audits are impractical or may increase risks to security (see 0.1), the public cloud PII processor should make available to prospective cloud service customers, prior to entering into, and for the duration of, a contract, independent evidence that information security is implemented and operated in accordance with the public cloud PII processor’s policies and procedures. A relevant independent audit as selected by the public cloud PII processor should normally be an acceptable method for fulfilling the cloud service customer’s interest in reviewing the public cloud PII processor’s processing operations, provided sufficient transparency is provided. § 18.2.1 ¶ 3] | Operational management | Communicate | |
| Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Operational management | Establish/Maintain Documentation | |
| Include asset use policies in the Acceptable Use Policy. CC ID 01355 [{portable computing device} {removable media} Portable physical media and portable devices that do not permit encryption should not be used except where it is unavoidable, and any use of such portable media and devices should be documented. § A.10.5 ¶ 2] | Operational management | Establish/Maintain Documentation | |
| Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 [An up-to-date record of the users or profiles of users who have authorized access to the information system should be maintained. § A.10.9 ¶ 2] | Operational management | Establish/Maintain Documentation | |
| Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Operational management | Establish/Maintain Documentation | |
| Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Operational management | Technical Security | |
| Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Operational management | Establish/Maintain Documentation | |
| Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Operational management | Data and Information Management | |
| Establish, implement, and maintain nondisclosure agreements. CC ID 04536 | Operational management | Establish/Maintain Documentation | |
| Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 [Where public disclosure of sub-contractor information is assessed to increase security risk beyond acceptable limits, disclosure should be made under a non-disclosure agreement and/or on the request of the cloud service customer. The cloud service customer should be made aware that the information is available. § A.7.1 ¶ 6] | Operational management | Establish/Maintain Documentation | |
| Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Operational management | Establish/Maintain Documentation | |
| Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Business Processes | |
| Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 [The public cloud PII processor should define criteria regarding if, when and how log information can be made available to or usable by the cloud service customer. These procedures should be made available to the cloud service customer. § 12.4.1 ¶ 5] | Operational management | Behavior | |
| Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an Incident Management program. CC ID 00853 | Operational management | Business Processes | |
| Include detection procedures in the Incident Management program. CC ID 00588 | Operational management | Establish/Maintain Documentation | |
| Include data loss event notifications in the Incident Response program. CC ID 00364 | Operational management | Establish/Maintain Documentation | |
| Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Operational management | Establish/Maintain Documentation | |
| Submit written requests to delay the notification of affected parties. CC ID 16783 | Operational management | Communicate | |
| Revoke the written request to delay the notification. CC ID 16843 | Operational management | Process or Activity | |
| Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 | Operational management | Establish/Maintain Documentation | |
| Refrain from charging for providing incident response notifications. CC ID 13876 | Operational management | Business Processes | |
| Title breach notifications "Notice of Data Breach". CC ID 12977 | Operational management | Establish/Maintain Documentation | |
| Display titles of incident response notifications clearly and conspicuously. CC ID 12986 | Operational management | Establish/Maintain Documentation | |
| Display headings in incident response notifications clearly and conspicuously. CC ID 12987 | Operational management | Establish/Maintain Documentation | |
| Design the incident response notification to call attention to its nature and significance. CC ID 12984 | Operational management | Establish/Maintain Documentation | |
| Use plain language to write incident response notifications. CC ID 12976 | Operational management | Establish/Maintain Documentation | |
| Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 | Operational management | Establish/Maintain Documentation | |
| Refrain from including restricted information in the incident response notification. CC ID 16806 | Operational management | Actionable Reports or Measurements | |
| Include the affected parties rights in the incident response notification. CC ID 16811 | Operational management | Establish/Maintain Documentation | |
| Include details of the investigation in incident response notifications. CC ID 12296 | Operational management | Establish/Maintain Documentation | |
| Include the issuer's name in incident response notifications. CC ID 12062 | Operational management | Establish/Maintain Documentation | |
| Include a "What Happened" heading in breach notifications. CC ID 12978 | Operational management | Establish/Maintain Documentation | |
| Include a general description of the data loss event in incident response notifications. CC ID 04734 | Operational management | Establish/Maintain Documentation | |
| Include time information in incident response notifications. CC ID 04745 | Operational management | Establish/Maintain Documentation | |
| Include the identification of the data source in incident response notifications. CC ID 12305 | Operational management | Establish/Maintain Documentation | |
| Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 | Operational management | Establish/Maintain Documentation | |
| Include the type of information that was lost in incident response notifications. CC ID 04735 | Operational management | Establish/Maintain Documentation | |
| Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 | Operational management | Establish/Maintain Documentation | |
| Include a "What We Are Doing" heading in the breach notification. CC ID 12982 | Operational management | Establish/Maintain Documentation | |
| Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 | Operational management | Establish/Maintain Documentation | |
| Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 | Operational management | Establish/Maintain Documentation | |
| Include a "For More Information" heading in breach notifications. CC ID 12981 | Operational management | Establish/Maintain Documentation | |
| Include details of the companies and persons involved in incident response notifications. CC ID 12295 | Operational management | Establish/Maintain Documentation | |
| Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 | Operational management | Establish/Maintain Documentation | |
| Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Operational management | Establish/Maintain Documentation | |
| Include any consequences in the incident response notifications. CC ID 12604 | Operational management | Establish/Maintain Documentation | |
| Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 | Operational management | Establish/Maintain Documentation | |
| Include a "What You Can Do" heading in the breach notification. CC ID 12980 | Operational management | Establish/Maintain Documentation | |
| Include contact information in incident response notifications. CC ID 04739 | Operational management | Establish/Maintain Documentation | |
| Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Operational management | Communicate | |
| Post the incident response notification on the organization's website. CC ID 16809 | Operational management | Process or Activity | |
| Document the determination for providing a substitute incident response notification. CC ID 16841 | Operational management | Process or Activity | |
| Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 | Operational management | Behavior | |
| Include contact information in the substitute incident response notification. CC ID 16776 | Operational management | Establish/Maintain Documentation | |
| Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 | Operational management | Establish/Maintain Documentation | |
| Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 | Operational management | Behavior | |
| Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 | Operational management | Behavior | |
| Establish, implement, and maintain a restoration log. CC ID 12745 [{data restoration process} There should be a procedure for, and a log of, data restoration efforts. § A.10.3 ¶ 2] | Operational management | Establish/Maintain Documentation | |
| Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 | Operational management | Data and Information Management | |
| Include a description of the restored data in the restoration log. CC ID 15462 | Operational management | Data and Information Management | |
| Document the organization's local environments. CC ID 06726 [The objective specified in ISO/IEC 27002:2013, 5.1 applies. § 5.1 ¶ 1 Control 5.1.1 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. § 5.1.1 ¶ 1 Control 5.1.2 and the associated implementation guidance specified in ISO/IEC 27002 apply. § 5.1.2 ¶ 1 The objective specified in ISO/IEC 27002:2013, 6.1 applies. § 6.1 ¶ 1 Control 6.1.1 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. § 6.1.1 ¶ 1 Control 6.1.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 6.1.2 ¶ 1 Control 6.1.3 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 6.1.3 ¶ 1 Control 6.1.4 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 6.1.4 ¶ 1 Control 6.1.5 and the associated implementation guidance specified in ISO/IEC 27002 apply. § 6.1.5 ¶ 1 The objective specified in, and the contents of, ISO/IEC 27002:2013, 6.2 apply. § 6.2 ¶ 1 The objective specified in, and the contents of, ISO/IEC 27002:2013, 7.1 apply. § 7.1 ¶ 1 The objective specified in ISO/IEC 27002:2013, 7.2 applies. § 7.2 ¶ 1 Control 7.2.1 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 7.2.1 ¶ 1 Control 7.2.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. § 7.2.2 ¶ 1 Control 7.2.3 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 7.2.3 ¶ 1 The objective specified in, and the contents of, ISO/IEC 27002:2013, 7.3 apply. § 7.3 ¶ 1 The objectives specified in, and the contents of, ISO/IEC 27002:2013, Clause 8 apply. § 8 ¶ 1 The objective specified in, and the contents of, ISO/IEC 27002:2013, 9.1 apply. § 9.1 ¶ 1 The objective specified in ISO/IEC 27002:2013, 9.2 applies. The following sector-specific guidance also applies to the implementation of all of the controls under this subclause (9.2). § 9.2 ¶ 1 Control 9.2.1 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. § 9.2.1 ¶ 1 Control 9.2.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 9.2.2 ¶ 1 Control 9.2.3 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 9.2.3 ¶ 1 Control 9.2.4 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 9.2.4 ¶ 1 Control 9.2.5 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 9.2.5 ¶ 1 Control 9.2.6 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 9.2.6 ¶ 1 The objective specified in ISO/IEC 27002:2013, 9.3 applies. § 9.3 ¶ 1 Control 9.3.1 and the associated implementation guidance specified in ISO/IEC 27002 apply. § 9.3.1 ¶ 1 Control 9.4.1 and the associated implementation guidance specified in ISO/IEC 27002 apply. § 9.4.1 ¶ 1 Control 9.4.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. § 9.4.2 ¶ 1 Control 9.4.3 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 9.4.3 ¶ 1 Control 9.4.4 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 9.4.4 ¶ 1 Control 9.4.5 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 9.4.5 ¶ 1 Control 10.1.1 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. § 10.1.1 ¶ 1 Control 10.1.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 10.1.2 ¶ 1 The objective specified in, and the contents of, ISO/IEC 27002:2013, 11.1 apply. § 11.1 ¶ 1 The objective specified in ISO/IEC 27002:2013, 11.2 applies. § 11.2 ¶ 1 Control 11.2.1 and the associated implementation guidance specified in ISO/IEC 27002 apply. § 11.2.1 ¶ 1 Control 11.2.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 11.2.2 ¶ 1 Control 11.2.3 and the associated implementation guidance specified in ISO/IEC 27002 apply. § 11.2.3 ¶ 1 Control 11.2.4 and the associated implementation guidance specified in ISO/IEC 27002 apply. § 11.2.4 ¶ 1 Control 11.2.5 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 11.2.5 ¶ 1 Control 11.2.6 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 11.2.6 ¶ 1 Control 11.2.7 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. § 11.2.7 ¶ 1 Control 11.2.8 and the associated implementation guidance specified in ISO/IEC 27002 apply. § 11.2.8 ¶ 1 Control 11.2.9 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 11.2.9 ¶ 1 The objective specified in ISO/IEC 27002:2013, 12.1 applies. § 12.1 ¶ 1 Control 12.1.1 and the associated implementation guidance specified in ISO/IEC 27002 apply. § 12.1.1 ¶ 1 Control 12.1.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 12.1.2 ¶ 1 Control 12.1.3 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 12.1.3 ¶ 1 Control 12.1.4 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. § 12.1.4 ¶ 1 The objective specified in, and the contents of, ISO/IEC 27002:2013, 12.2 apply. § 12.2 ¶ 1 The objective specified in ISO/IEC 27002:2013, 12.3 applies. § 12.3 ¶ 1 Control 12.3.1 and the associated implementation guidance specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. § 12.3.1 ¶ 1 NOTE 1 Individual jurisdictions may impose specific requirements regarding the frequency of backups. Organizations operating in these jurisdictions should ensure that they comply with these requirements. § 12.3.1 ¶ 5 NOTE 2 Individual jurisdictions may impose specific requirements regarding the frequency of reviews of backup and recovery procedures. Organizations operating in these jurisdictions should ensure that they comply with these requirements. § 12.3.1 ¶ 8 The objective specified in ISO/IEC 27002:2013, 12.4 applies. § 12.4 ¶ 1 Control 12.4.1 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. § 12.4.1 ¶ 1 Control 12.4.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. § 12.4.2 ¶ 1 Control 12.4.3 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 12.4.3 ¶ 1 Control 12.4.4 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 12.4.4 ¶ 1 The objective specified in, and the contents of, ISO/IEC 27002:2013, 12.5 apply. § 12.5 ¶ 1 The objective specified in, and the contents of, ISO/IEC 27002:2013, 12.6 apply. § 12.6 ¶ 1 The objective specified in, and the contents of, ISO/IEC 27002:2013, 12.7 apply. § 12.7 ¶ 1 The objective specified in ISO/IEC 27002:2013, 13.2 applies. § 13.2 ¶ 1 Control 13.2.1 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. § 13.2.1 ¶ 1 Control 13.2.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 13.2.2 ¶ 1 Control 13.2.3 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 13.2.3 ¶ 1 Control 13.2.4 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 13.2.4 ¶ 1 The objectives specified in, and the contents of, ISO/IEC 27002:2013, Clause 14 apply. § 14 ¶ 1 The objectives specified in, and the contents of, ISO/IEC 27002:2013, Clause 15 apply. § 15 ¶ 1 The objective specified in ISO/IEC 27002:2013, 16.1 applies. The following sector-specific guidance also applies to the implementation of all of the controls under this subclause (16.1). § 16.1 ¶ 1 Control 16.1.1 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. § 16.1.1 ¶ 1 Control 16.1.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 16.1.2 ¶ 1 Control 16.1.3 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 16.1.3 ¶ 1 Control 16.1.4 and the associated implementation guidance specified in ISO/IEC 27002 apply. § 16.1.4 ¶ 1 Control 16.1.5 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 16.1.5 ¶ 1 Control 16.1.6 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 16.1.6 ¶ 1 Control 16.1.7 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 16.1.7 ¶ 1 The objectives specified in, and the contents of, ISO/IEC 27002:2013, Clause 17 apply. § 17 ¶ 1 The objective specified in, and the contents of, ISO/IEC 27002:2013, 18.1 apply. § 18.1 ¶ 1 The objective specified in ISO/IEC 27002:2013, 18.2 applies. § 18.2 ¶ 1 Control 18.2.1 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies. § 18.2.1 ¶ 1 Control 18.2.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 18.2.2 ¶ 1 Control 18.2.3 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. § 18.2.3 ¶ 1 For the purposes of secure disposal or re-use, equipment containing storage media that may possibly contain PII should be treated as though it does. § 11.2.7 ¶ 3 The use of sub-contractors to store replicated or backup copies of data being processed is covered by the controls in this International Standard applying to sub-contracted PII processing. Where physical media transfers take place this is also covered by controls in this International Standard. § 12.3.1 ¶ 9 The objective specified in, and the contents of, ISO/IEC 27002:2013, 13.1 apply. § 13.1 ¶ 1 In the context of the whole cloud computing reference architecture, there may be shared roles in the management of information security incidents and making improvements. There may be a need for the public cloud PII processor to cooperate with the cloud service customer in implementing the controls in this subclause. § 16.1 ¶ 3 An information security event should not necessarily trigger such a review. An information security event is one that does not result in actual, or the significant probability of, unauthorized access to PII or to any of the public cloud PII processor’s equipment or facilities storing PII, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks and packet sniffing. § 16.1.1 ¶ 4 No additional controls are relevant to this privacy principle. § A.3 ¶ 1 Implementation guidance on PII erasure is provided in A.10.11. § A.4.1 ¶ 4 An example of a possible prohibition on disclosure would be a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation. § A.5.1 ¶ 5 No additional controls are relevant to this privacy principle. § A.6 ¶ 1 No additional controls are relevant to this privacy principle. § A.8 ¶ 1 In some jurisdictions, relevant legislation or regulations may require the public cloud PII processor to directly notify appropriate regulatory authorities (e.g. a PII protection authority) of a data breach involving PII. § A.9.1 ¶ 7 Review of current and historical policies and procedures may be required, e.g. in the cases of customer dispute resolution and investigation by a PII protection authority. A minimum retention period of five years is recommended in the absence of a specific legal or contractual requirement. § A.9.2 ¶ 4 At some point in time, PII may need to be disposed of in some manner. This may involve returning the PII to the cloud service customer, transferring it to another public cloud PII processor or to a PII controller (e.g. as a result of a merger), securely deleting or otherwise destroying it, anonymizing it or archiving it. § A.9.3 ¶ 4 Hardcopy material includes material created by printing. § A.10.2 ¶ 4 In some cases, e.g. the exchange of e-mail, the inherent characteristics of public data-transmission network systems might require that some header or traffic data be exposed for effective transmission. § A.10.6 ¶ 4 Where multiple service providers are involved in providing service from different service categories of the cloud computing reference architecture, there may be varied or shared roles in implementing this guidance. § A.10.6 ¶ 5 In the context of the whole cloud computing reference architecture, the cloud service customer may be responsible for some or all aspects of user ID management for cloud service users under its control. § A.10.10 ¶ 4 Information security and PII protection obligations relevant to the public cloud PII processor may arise directly from applicable law. Where this is not the case, PII protection obligations relevant to the public cloud PII processor should be covered in the contract. § A.10.11 ¶ 4 The use of sub-contractors to store backup copies is covered by this control (see A.7.1). § A.10.12 ¶ 4 Upon deletion by a cloud service user of data held in an information system, performance issues may mean that explicit erasure of those data is impractical. This creates the risk that another user may be able to read the data. Such risk should be avoided by specific technical measures. § A.10.13 ¶ 4 No specific guidance is especially appropriate for dealing with all cases in implementing this control. However, as an example, some cloud infrastructure, platforms or applications will return zeroes if a cloud service user attempts to read storage space which has not been overwritten by that user’s own data. § A.10.13 ¶ 5 The PII controller’s obligations in this respect may be defined by law, by regulations or by contract. These obligations may include matters where the cloud service customer uses the services of the public cloud PII processor for implementation. For example, this could include the correction or deletion of PII in a timely fashion. § A.1.1 ¶ 4 Instructions may be contained in the contract between the public cloud PII processor and the cloud service customer including, e.g. the objective and time frame to be achieved by the service. § A.2.1 ¶ 4 Where the PII controller depends on the public cloud PII processor for information or technical measures to facilitate the exercise of PII principals’ rights, the relevant information or technical measures should be specified in the contract. § A.1.1 ¶ 5 In order to achieve the cloud service customer’s purpose, there may be technical reasons why it is appropriate for a public cloud PII processor to determine the method for processing PII, consistent with the general instructions of the cloud service customer but without the cloud service customer’s express instruction. For example, in order to efficiently utilize network or processing capacity it may be necessary to allocate specific processing resources depending on certain characteristics of the PII principal. In circumstances where the public cloud PII processor’s determination of the processing method involves the collection and use of PII, the public cloud PII processor should adhere to the relevant privacy principles set forth in ISO/IEC 29100. § A.2.1 ¶ 5 The public cloud PII processor should provide the cloud service customer with all relevant information, in a timely fashion, to allow the cloud service customer to ensure the public cloud PII processor’s compliance with purpose specification and limitation principles and ensure that no PII is processed by the public cloud PII processor or any of its sub-contractors for further purposes independent of the instructions of the cloud service customer. § A.2.1 ¶ 6 Information systems may create temporary files in the normal course of their operation. Such files are specific to the system or application, but may include file system roll-back journals and temporary files associated with the updating of databases and the operation of other application software. Temporary files are not needed after the related information processing task has completed but there are circumstances in which they may not be deleted. The length of time for which these files remain in use is not always deterministic but a “garbage collection” procedure should identify the relevant files and determine how long it has been since they were last used. § A.4.1 ¶ 5 PII processing information systems should implement a periodic check that unused temporary files above a specified age are deleted. § A.4.1 ¶ 6 The public cloud PII processor should provide contractual guarantees that it will reject any requests for PII disclosure that are not legally binding, consult the corresponding cloud service customer where legally permissible before making any PII disclosure and accept any contractually agreed requests for PII disclosures that are authorized by the corresponding cloud service customer. § A.5.1 ¶ 4 PII may be disclosed during the course of normal operations. These disclosures should be recorded (see 12.4.1). Any additional disclosures to third parties, such as those arising from lawful investigations or external audits, should also be recorded. The records should include the source of the disclosure and the source of the authority to make the disclosure. § A.5.2 ¶ 4 Provisions for the use of sub-contractors to process PII should be transparent in the contract between the public cloud PII processor and the cloud service customer. The contract should specify that sub-contractors may only be commissioned on the basis of a consent that can generally be given by the cloud service customer at the beginning of the service. The public cloud PII processor should inform the cloud service customer in a timely fashion of any intended changes in this regard so that the cloud service customer has the ability to object to such changes or to terminate the contract. § A.7.1 ¶ 4 Information disclosed should cover the fact that sub-contracting is used and the names of relevant sub-contractors, but not any business-specific details. The information disclosed should also include the countries in which sub-contractors may process data (see A.11.1) and the means by which sub-contractors are obliged to meet or exceed the obligations of the public cloud PII processor (see A.10.12). § A.7.1 ¶ 5 In the event that a data breach involving PII has occurred, a record should be maintained with a description of the incident, the time period, the consequences of the incident, the name of the reporter, to whom the incident was reported, the steps taken to resolve the incident (including the person in charge and the data recovered) and the fact that the incident resulted in loss, disclosure or alteration of PII. § A.9.1 ¶ 5 Provisions covering the notification of a data breach involving PII should form part of the contract between the public cloud PII processor and the cloud service customer. The contract should specify how the public cloud PII processor will provide the information necessary for the cloud service customer to fulfil his obligation to notify relevant authorities. This notification obligation does not extend to a data breach caused by the cloud service customer or PII principal or within system components for which they are responsible. The contract should also define the maximum delay in notification of a data breach involving PII. § A.9.1 ¶ 4 In the event that a data breach involving PII has occurred, the record should also include a description of the data compromised, if known; and if notifications were performed, the steps taken to notify the cloud service customer and/or regulatory agencies. § A.9.1 ¶ 6 The public cloud PII processor should provide the information necessary to allow the cloud service customer to ensure that PII processed under a contract is erased (by the public cloud PII processor and any of its sub-contractors) from wherever they are stored, including for the purposes of backup and business continuity, as soon as they are no longer necessary for the specific purposes of the cloud service customer. The nature of the disposition mechanisms (de-linking, overwriting, demagnetization, destruction or other forms of erasure) and/or the applicable commercial standards should be provided for contractually. § A.9.3 ¶ 5 The public cloud PII processor should develop and implement a policy in respect of the disposition of PII and should make this policy available to cloud service customer. § A.9.3 ¶ 6 The policy should cover the retention period for PII before its destruction after termination of a contract, to protect the cloud service customer from losing PII through an accidental lapse of the contract. § A.9.3 ¶ 7 A confidentiality agreement, in whatever form, between the public cloud PII processor, its employees and its agents should ensure that employees and agents do not disclose PII for purposes independent of the instructions of the cloud service customer (see A.2.1). The obligations of the confidentiality agreement should survive termination of any relevant contract. § A.10.1 ¶ 4 The log of data restoration efforts should contain: the person responsible, a description of the restored data, and the data that were restored manually. § A.10.3 ¶ 4 A user profile should be maintained for all users whose access is authorized by the public cloud PII processor. The profile of a user comprises the set of data about that user, including user ID, necessary to implement the technical controls providing authorized access to the information system. § A.10.9 ¶ 4 The controls in this International Standard, together with the controls in ISO/IEC 27002, are intended as a reference catalogue of measures to assist in entering into an information processing contract in respect of PII. The public cloud PII processor should inform a prospective cloud service customer, before entering into a contract, about the aspects of its services material to the protection of PII. § A.10.11 ¶ 5 The public cloud PII processor should be transparent about its capabilities during the process of entering into a contract. However, it is ultimately the cloud service customer’s responsibility to ensure that the measures implemented by the public cloud PII processor meet its obligations. § A.10.11 ¶ 6 The identities of the countries where PII might possibly be stored should be made available to cloud service customers. The identities of the countries arising from the use of sub-contracted PII processing should be included. Where specific contractual agreements apply to the international transfer of data, such as Model Contract Clauses, Binding Corporate Rules or Cross Border Privacy Rules, the agreements and the countries or circumstances in which such agreements apply should also be identified. The public cloud PII processor should inform the cloud service customer in a timely fashion of any intended changes in this regard so that the cloud service customer has the ability to object to such changes or to terminate the contract. § A.11.1 ¶ 4 The objective specified in ISO/IEC 27002:2013, 9.4 applies. § 9.4 ¶ 1] | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain local environment security profiles. CC ID 07037 | Operational management | Establish/Maintain Documentation | |
| Include individuals assigned to the local environment in the local environment security profile. CC ID 07038 | Operational management | Establish/Maintain Documentation | |
| Include security requirements in the local environment security profile. CC ID 15717 | Operational management | Establish/Maintain Documentation | |
| Include the business processes assigned to the local environment in the local environment security profile. CC ID 07039 | Operational management | Establish/Maintain Documentation | |
| Include the technology used in the local environment in the local environment security profile. CC ID 07040 | Operational management | Establish/Maintain Documentation | |
| Include contact information for critical personnel assigned to the local environment in the local environment security profile. CC ID 07041 | Operational management | Establish/Maintain Documentation | |
| Include facility information for the local environment in the local environment security profile. CC ID 07042 | Operational management | Establish/Maintain Documentation | |
| Include facility access information for the local environment in the local environment security profile. CC ID 11773 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the local environment security profile to interested personnel and affected parties. CC ID 15716 | Operational management | Communicate | |
| Update the local environment security profile, as necessary. CC ID 07043 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain system hardening procedures. CC ID 12001 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the system account settings and the permission settings in accordance with the organizational standards. CC ID 01538 | System hardening through configuration management | Configuration | |
| Configure user accounts. CC ID 07036 | System hardening through configuration management | Configuration | |
| Remove unnecessary default accounts. CC ID 01539 | System hardening through configuration management | Configuration | |
| Disable all unnecessary user identifiers. CC ID 02185 [De-activated or expired user IDs should not be granted to other individuals. § A.10.10 ¶ 2] | System hardening through configuration management | Configuration | |
| Configure Logging settings in accordance with organizational standards. CC ID 07611 | System hardening through configuration management | Configuration | |
| Configure the detailed data elements to be captured for all logs so that events are identified by type, location, subject, user, what data was accessed, etc. CC ID 06331 | System hardening through configuration management | Configuration | |
| Establish, implement, and maintain records management policies. CC ID 00903 | Records management | Establish/Maintain Documentation | |
| Determine how long to keep records and logs before disposing them. CC ID 11661 [Temporary files and documents should be erased or destroyed within a specified, documented period. § A.4.1 ¶ 2] | Records management | Process or Activity | |
| Retain records in accordance with applicable requirements. CC ID 00968 | Records management | Records Management | |
| Define each system's disposition requirements for records and logs. CC ID 11651 | Records management | Process or Activity | |
| Establish, implement, and maintain records disposition procedures. CC ID 00971 | Records management | Establish/Maintain Documentation | |
| Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621 | Records management | Records Management | |
| Destroy printed records so they cannot be reconstructed. CC ID 11779 [Where hardcopy materials are destroyed, they should be destroyed securely using mechanisms such as cross-cutting, shredding, incinerating, pulping, etc. § A.10.7 ¶ 2] | Records management | Physical and Environmental Protection | |
| Automate a programmatic process to remove stored data and records that exceed retention requirements. CC ID 06082 [A procedure, preferably automatic, should be put in place to ensure that logged information is deleted within a specified and documented period. § 12.4.2 ¶ 4] | Records management | Data and Information Management | |
| Establish, implement, and maintain records management procedures. CC ID 11619 | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a records lifecycle management program. CC ID 00951 | Records management | Establish/Maintain Documentation | |
| Implement and maintain backups and duplicate copies of organizational records. CC ID 00953 [Copies of security policies and operating procedures should be retained for a specified, documented period upon replacement (including updating). § A.9.2 ¶ 2 Copies of security policies and operating procedures should be retained for a specified, documented period upon replacement (including updating). § A.9.2 ¶ 2] | Records management | Records Management | |
| Establish, implement, and maintain the duplicate original of record indexes. CC ID 00954 | Records management | Records Management | |
| Establish, implement, and maintain online storage controls. CC ID 00942 | Records management | Technical Security | |
| Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 | Records management | Records Management | |
| Provide encryption for different types of electronic storage media. CC ID 00945 [{portable computing device} {removable media} Portable physical media and portable devices that do not permit encryption should not be used except where it is unavoidable, and any use of such portable media and devices should be documented. § A.10.5 ¶ 2] | Records management | Technical Security | |
| Establish, implement, and maintain a removable storage media log. CC ID 12317 | Records management | Log Management | |
| Include the date and time in the removable storage media log. CC ID 12318 [{removable storage media log} Whenever physical media are used for information transfer, a system should be put in place to record incoming and outgoing physical media containing PII, including the type of physical media, the authorized sender/recipients, the date and time, and the number of physical media. Where possible, cloud service customers should be asked to put additional measures in place (such as encryption) to ensure that the data can only be accessed at the point of destination and not en route. § 13.2.1 ¶ 3] | Records management | Establish/Maintain Documentation | |
| Include the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 [{removable storage media log} Whenever physical media are used for information transfer, a system should be put in place to record incoming and outgoing physical media containing PII, including the type of physical media, the authorized sender/recipients, the date and time, and the number of physical media. Where possible, cloud service customers should be asked to put additional measures in place (such as encryption) to ensure that the data can only be accessed at the point of destination and not en route. § 13.2.1 ¶ 3] | Records management | Establish/Maintain Documentation | |
| Include the recipient's name for the data transfer in the removable storage media log. CC ID 12753 [{removable storage media log} Whenever physical media are used for information transfer, a system should be put in place to record incoming and outgoing physical media containing PII, including the type of physical media, the authorized sender/recipients, the date and time, and the number of physical media. Where possible, cloud service customers should be asked to put additional measures in place (such as encryption) to ensure that the data can only be accessed at the point of destination and not en route. § 13.2.1 ¶ 3] | Records management | Establish/Maintain Documentation | |
| Include the sender's name in the removable storage media log. CC ID 12752 [{removable storage media log} Whenever physical media are used for information transfer, a system should be put in place to record incoming and outgoing physical media containing PII, including the type of physical media, the authorized sender/recipients, the date and time, and the number of physical media. Where possible, cloud service customers should be asked to put additional measures in place (such as encryption) to ensure that the data can only be accessed at the point of destination and not en route. § 13.2.1 ¶ 3] | Records management | Establish/Maintain Documentation | |
| Include the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 [{removable storage media log} Whenever physical media are used for information transfer, a system should be put in place to record incoming and outgoing physical media containing PII, including the type of physical media, the authorized sender/recipients, the date and time, and the number of physical media. Where possible, cloud service customers should be asked to put additional measures in place (such as encryption) to ensure that the data can only be accessed at the point of destination and not en route. § 13.2.1 ¶ 3] | Records management | Establish/Maintain Documentation | |
| Initiate the System Development Life Cycle planning phase. CC ID 06266 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Establish, implement, and maintain a system design project management framework. CC ID 00990 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Establish, implement, and maintain project management standards. CC ID 00992 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a personal data transparency program. CC ID 00375 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain adequate openness procedures. CC ID 00377 | Privacy protection for information and data | Data and Information Management | |
| Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398 [The public cloud PII processor should have a policy in respect of the return, transfer and/or disposal of PII and should make this policy available to the cloud service customer. § A.9.3 ¶ 2 The public cloud PII processor should provide information to the cloud service customer regarding the circumstances in which it uses cryptography to protect the PII it processes. The public cloud PII processor should also provide information to the cloud service customer about any capabilities it provides that may assist the cloud service customer in applying its own cryptographic protection. § 10.1.1 ¶ 3 The public cloud PII processor should provide information to the cloud service customer regarding the circumstances in which it uses cryptography to protect the PII it processes. The public cloud PII processor should also provide information to the cloud service customer about any capabilities it provides that may assist the cloud service customer in applying its own cryptographic protection. § 10.1.1 ¶ 3 PII-specific responsibilities in this respect may lie with the cloud service customer. Where the public cloud PII processor explicitly provides backup and restore services to the cloud service customer, the public cloud PII processor should provide clear information to the cloud service customer about the capabilities of the cloud service with respect to backup and restoration of the cloud service customer data. § 12.3.1 ¶ 4] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Document the countries where restricted data may be stored. CC ID 12750 [The public cloud PII processor should specify and document the countries in which PII might possibly be stored. § A.11.1 ¶ 2] | Privacy protection for information and data | Data and Information Management | |
| Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 [{right to erasure} {right to rectification} The public cloud PII processor should provide the cloud service customer with the means to enable them to fulfil their obligation to facilitate the exercise of PII principals’ rights to access, correct and/or erase PII pertaining to them. § A.1.1 ¶ 2] | Privacy protection for information and data | Data and Information Management | |
| Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 | Privacy protection for information and data | Business Processes | |
| Provide the data subject with the data protection officer's contact information. CC ID 12573 | Privacy protection for information and data | Business Processes | |
| Notify the data subject of the right to data portability. CC ID 12603 | Privacy protection for information and data | Process or Activity | |
| Provide the data subject with information about the right to erasure. CC ID 12602 [{right to erasure} {right to rectification} The public cloud PII processor should provide the cloud service customer with the means to enable them to fulfil their obligation to facilitate the exercise of PII principals’ rights to access, correct and/or erase PII pertaining to them. § A.1.1 ¶ 2] | Privacy protection for information and data | Process or Activity | |
| Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 | Privacy protection for information and data | Data and Information Management | |
| Establish and maintain a disclosure accounting record. CC ID 13022 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the disclosure date in the disclosure accounting record. CC ID 07133 [{disclosure accounting record} {disclosure recipient} {disclosure date} Disclosures of PII to third parties should be recorded, including what PII has been disclosed, to whom and at what time. § A.5.2 ¶ 2] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the disclosure recipient in the disclosure accounting record. CC ID 07134 [{disclosure accounting record} {disclosure recipient} {disclosure date} Disclosures of PII to third parties should be recorded, including what PII has been disclosed, to whom and at what time. § A.5.2 ¶ 2] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain Data Processing Contracts. CC ID 12650 [{technical measures} Contracts between the cloud service customer and the public cloud PII processor should specify minimum technical and organizational measures to ensure that the contracted security arrangements are in place and that data are not processed for any purpose independent of the instructions of the controller. Such measures should not be subject to unilateral reduction by the public cloud PII processor. § A.10.11 ¶ 2] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 [{technical measures} {information security obligations} Contracts between the public cloud PII processor and any sub-contractors that process PII should specify minimum technical and organizational measures that meet the information security and PII protection obligations of the public cloud PII processor. Such measures should not be subject to unilateral reduction by the sub-contractor. § A.10.12 ¶ 2] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the duration of processing in the Data Processing Contract. CC ID 14935 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 | Privacy protection for information and data | Human Resources Management | |
| Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 [The public cloud PII processor should have a policy in respect of the return, transfer and/or disposal of PII and should make this policy available to the cloud service customer. § A.9.3 ¶ 2 The public cloud PII processor should have a policy in respect of the return, transfer and/or disposal of PII and should make this policy available to the cloud service customer. § A.9.3 ¶ 2] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Display or print the least amount of personal data necessary. CC ID 04643 [The creation of hardcopy material displaying PII should be restricted. § A.10.2 ¶ 2] | Privacy protection for information and data | Data and Information Management | |
| Redact confidential information from public information, as necessary. CC ID 06872 | Privacy protection for information and data | Data and Information Management | |
| Notify the data subject of changes to personal data use. CC ID 00105 | Privacy protection for information and data | Behavior | |
| Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 [PII processed under a contract should not be used by the public cloud PII processor for the purposes of marketing and advertising without express consent. Such consent should not be a condition of receiving the service. § A.2.2 ¶ 2] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain data access procedures. CC ID 00414 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 [{right to erasure} {right to rectification} The public cloud PII processor should provide the cloud service customer with the means to enable them to fulfil their obligation to facilitate the exercise of PII principals’ rights to access, correct and/or erase PII pertaining to them. § A.1.1 ¶ 2] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Submit personal data removal requests in writing. CC ID 11973 | Privacy protection for information and data | Records Management | |
| Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from processing restricted data, as necessary. CC ID 12551 [PII to be processed under a contract should not be processed for any purpose independent of the instructions of the cloud service customer. § A.2.1 ¶ 2] | Privacy protection for information and data | Records Management | |
| Refrain from processing restricted data if the restricted data is involved in a legal claim. CC ID 12668 | Privacy protection for information and data | Process or Activity | |
| Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data when the data subject consents to retention. CC ID 14326 | Privacy protection for information and data | Business Processes | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649 | Privacy protection for information and data | Process or Activity | |
| Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644 | Privacy protection for information and data | Process or Activity | |
| Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 | Privacy protection for information and data | Data and Information Management | |
| Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 | Privacy protection for information and data | Data and Information Management | |
| Refrain from processing personal data when it reveals trade union membership. CC ID 12583 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data when it reveals political opinions. CC ID 12575 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 | Privacy protection for information and data | Business Processes | |
| Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 | Privacy protection for information and data | Process or Activity | |
| Define the exceptions to disclosure absent consent. CC ID 00135 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disclose restricted data absent consent when it is needed by law. CC ID 00163 | Privacy protection for information and data | Data and Information Management | |
| Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796 [The contract between the public cloud PII processor and the cloud service customer should require the public cloud PII processor to notify the cloud service customer, in accordance with any procedure and time periods agreed in the contract, of any legally binding request for disclosure of PII by a law enforcement authority, unless such a disclosure is otherwise prohibited. § A.5.1 ¶ 2] | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain a personal data collection program. CC ID 06487 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide the data subject with information about the data controller during the collection process. CC ID 00023 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026 [The use of sub-contractors by the public cloud PII processor to process PII should be disclosed to the relevant cloud service customers before their use. § A.7.1 ¶ 2] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 [Individuals under the public cloud PII processor’s control with access to PII should be subject to a confidentiality obligation. § A.10.1 ¶ 2] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 | Privacy protection for information and data | Data and Information Management | |
| Protect electronic messaging information. CC ID 12022 | Privacy protection for information and data | Technical Security | |
| Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 | Privacy protection for information and data | Data and Information Management | |
| Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Privacy protection for information and data | Configuration | |
| Store payment card data in secure chips, if possible. CC ID 13065 | Privacy protection for information and data | Configuration | |
| Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Privacy protection for information and data | Configuration | |
| Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Privacy protection for information and data | Technical Security | |
| Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Privacy protection for information and data | Data and Information Management | |
| Log the disclosure of personal data. CC ID 06628 [{disclosure accounting record} {disclosure recipient} {disclosure date} Disclosures of PII to third parties should be recorded, including what PII has been disclosed, to whom and at what time. § A.5.2 ¶ 2] | Privacy protection for information and data | Log Management | |
| Log the modification of personal data. CC ID 11844 | Privacy protection for information and data | Log Management | |
| Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Privacy protection for information and data | Technical Security | |
| Implement security measures to protect personal data. CC ID 13606 | Privacy protection for information and data | Technical Security | |
| Implement physical controls to protect personal data. CC ID 00355 | Privacy protection for information and data | Testing | |
| Limit data leakage. CC ID 00356 | Privacy protection for information and data | Data and Information Management | |
| Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 | Privacy protection for information and data | Business Processes | |
| Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 | Privacy protection for information and data | Acquisition/Sale of Assets or Services | |
| Alert appropriate personnel when data leakage is detected. CC ID 14715 | Privacy protection for information and data | Process or Activity | |
| Establish, implement, and maintain a personal data transfer program. CC ID 00307 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include procedures for transferring personal data to third parties in the personal data transfer program. CC ID 00333 [The public cloud PII processor should have a policy in respect of the return, transfer and/or disposal of PII and should make this policy available to the cloud service customer. § A.9.3 ¶ 2] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Notify data subjects of the geographic locations of the third parties when transferring personal data to third parties. CC ID 14414 | Privacy protection for information and data | Communicate | |
| Provide an adequate data protection level by the transferee prior to transferring personal data to another country. CC ID 00314 | Privacy protection for information and data | Data and Information Management | |
| Refrain from restricting personal data transfers to member states of the European Union. CC ID 00312 | Privacy protection for information and data | Data and Information Management | |
| Prohibit the transfer of personal data when security is inadequate. CC ID 00345 | Privacy protection for information and data | Data and Information Management | |
| Meet the use of limitation exceptions in order to transfer personal data. CC ID 00346 | Privacy protection for information and data | Data and Information Management | |
| Refrain from transferring past the first transfer. CC ID 00347 | Privacy protection for information and data | Data and Information Management | |
| Document transfer disagreements by the data subject in writing. CC ID 00348 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Allow the data subject the right to object to the personal data transfer. CC ID 00349 | Privacy protection for information and data | Data and Information Management | |
| Authorize the transfer of restricted data in accordance with organizational standards. CC ID 16428 | Privacy protection for information and data | Records Management | |
| Follow the instructions of the data transferrer. CC ID 00334 | Privacy protection for information and data | Behavior | |
| Define the personal data transfer exceptions for transferring personal data to another country when adequate protection level standards are not met. CC ID 00315 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include publicly available information as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00316 | Privacy protection for information and data | Data and Information Management | |
| Include transfer agreements between data controllers and third parties when it is for the data subject's interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00317 | Privacy protection for information and data | Data and Information Management | |
| Include personal data for the health field and for treatment as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00318 | Privacy protection for information and data | Data and Information Management | |
| Include personal data for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00319 | Privacy protection for information and data | Data and Information Management | |
| Include personal data for important public interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00320 | Privacy protection for information and data | Data and Information Management | |
| Include consent by the data subject as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00321 | Privacy protection for information and data | Data and Information Management | |
| Include personal data used for a contract as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00322 | Privacy protection for information and data | Data and Information Management | |
| Include personal data for protecting the data subject or the data subject's interests, such as saving his/her life or providing healthcare as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00323 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is necessary to fulfill international law obligations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00324 | Privacy protection for information and data | Data and Information Management | |
| Include personal data used for legal investigations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00325 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00326 | Privacy protection for information and data | Data and Information Management | |
| Require transferees to implement adequate data protection levels for the personal data. CC ID 00335 | Privacy protection for information and data | Data and Information Management | |
| Refrain from requiring a contract between the data controller and trusted third parties when personal information is transferred. CC ID 12527 | Privacy protection for information and data | Business Processes | |
| Define the personal data transfer exceptions for transferring personal data to another organization when adequate protection level standards are not met. CC ID 00336 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include personal data that is publicly available information as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00337 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is used for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00338 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is used for important public interest as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00339 | Privacy protection for information and data | Data and Information Management | |
| Include consent by the data subject as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00340 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is used for a contract as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00341 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is used for protecting the data subject or the data subject's interests, such as providing healthcare or saving his/her life as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00342 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is used for a legal investigation as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00343 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00344 | Privacy protection for information and data | Data and Information Management | |
| Notify data subjects about organizational liability when transferring personal data to third parties. CC ID 12353 | Privacy protection for information and data | Communicate | |
| Notify the data subject of any personal data changes during the personal data transfer. CC ID 00350 | Privacy protection for information and data | Behavior | |
| Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a description of the product or service to be provided in third party contracts. CC ID 06509 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a description of the products or services fees in third party contracts. CC ID 10018 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include which parties are responsible for which fees in third party contracts. CC ID 10019 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include the security requirements in the information flow agreement. CC ID 14244 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include the interface characteristics in the information flow agreement. CC ID 14240 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a description of the data or information to be covered in third party contracts. CC ID 06510 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 [Contractual agreements should clearly allocate responsibilities between the public cloud PII processor, its sub-contractors and the cloud service customer, taking into account the type of cloud service in question (e.g. a service of an IaaS, PaaS or SaaS category of the cloud computing reference architecture). For example, the allocation of responsibility for application layer controls may differ depending on whether the public cloud PII processor is providing a SaaS service or rather is providing a PaaS or IaaS service upon which the cloud service customer can build or layer its own applications. § 5.1.1 ¶ 4] | Third Party and supply chain oversight | Business Processes | |
| Include text about data ownership in third party contracts. CC ID 06502 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include the contract duration in third party contracts. CC ID 16221 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include roles and responsibilities in third party contracts. CC ID 13487 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include cryptographic keys in third party contracts. CC ID 16179 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include bankruptcy provisions in third party contracts. CC ID 16519 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a reporting structure in third party contracts. CC ID 06532 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include points of contact in third party contracts. CC ID 12355 [The public cloud PII processor should designate a point of contact for use by the cloud service customer regarding the processing of PII under the contract. § 6.1.1 ¶ 3] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include financial reporting in third party contracts, as necessary. CC ID 13573 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include training requirements in third party contracts. CC ID 16367 | Third Party and supply chain oversight | Acquisition/Sale of Assets or Services | |
| Include an indemnification and liability clause in third party contracts. CC ID 06517 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include text regarding foreign-based third parties in third party contracts. CC ID 06722 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include change control clauses in third party contracts, as necessary. CC ID 06523 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include triggers for renegotiating the contract in third party contracts. CC ID 06527 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include change control notification processes in third party contracts. CC ID 06524 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include cost structure changes in third party contracts. CC ID 10021 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a choice of venue clause in third party contracts. CC ID 06520 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a dispute resolution clause in third party contracts. CC ID 06519 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include early termination contingency plans in the third party contracts. CC ID 06526 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include termination costs in third party contracts. CC ID 10023 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include text about obtaining adequate insurance in third party contracts. CC ID 06880 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include end-of-life information in third party contracts. CC ID 15265 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include disclosure requirements in third party contracts. CC ID 08825 | Third Party and supply chain oversight | Business Processes | |
| Include requirements for alternate processing facilities in third party contracts. CC ID 13059 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Conduct all parts of the supply chain due diligence process. CC ID 08854 | Third Party and supply chain oversight | Business Processes | |