
Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2



AD ID

0003013

AD STATUS

Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2

ORIGINATOR

US National Institute of Standards and Technology

TYPE

International or National Standard

AVAILABILITY

Free

SYNONYMS

NIST SP 800-37r2

Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37

EFFECTIVE

2018-12-01

ADDED

The document as a whole was last reviewed and released on 2019-07-29.



Important Notice

This Authority Document In Depth Report is copyrighted - © 2019 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools. The mapping team has made every effort to ensure the quality of the mapping is of the highest degree.

Controls and associated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and mandates are tied to Common Controls. By virtue of that tie to Common Controls, three sets of metadata are associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub, contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2 that has been tagged with its primary and secondary nouns and primary and secondary verbs, in four-column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the fourth column gives the Common Control itself.

Dictionary Terms – The dictionary terms listed for Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2 are based upon terms found within the Authority Document’s defined-terms section (which most legal documents have), its glossary, and, for the most part, the terms tagged within each mandate. Terms shown with links are the standardized version of the term.



Common Controls and mandates by Impact Zone

64 Mandated Controls (bold), 66 Implied Controls (italic), 1449 Implementation (regular)

An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.


The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.

Number of Controls
1579 Total
  • Acquisition or sale of facilities, technology, and services
    3
    KEY: Primary Verb | Primary Noun | Secondary Verb | Secondary Noun | Limiting Term
    Mandated - bold; Implied - italic; Implementation - regular
    Each row: control text, CC ID, [citation(s) from NIST SP 800-37 Rev 2 in brackets], TYPE, CLASS
    Acquisition or sale of facilities, technology, and services CC ID 01123 IT Impact Zone IT Impact Zone
    Acquire products or services. CC ID 11450 Acquisition/Sale of Assets or Services Preventive
    Register new systems with the program office or other applicable stakeholder. CC ID 13986
    [{program offices} Register the system with organizational program or management offices. TASK P-18]
    Business Processes Preventive
  • Audits and risk management
    92
    Audits and risk management CC ID 00677 IT Impact Zone IT Impact Zone
    Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 Establish Roles Preventive
    Define and assign the external auditor's roles and responsibilities. CC ID 00683 Establish Roles Preventive
    Engage auditors who have adequate knowledge of the subject matter. CC ID 07102
    [Select the appropriate assessor or assessment team for the type of control assessment to be conducted. TASK A-1]
    Audits and Risk Management Preventive
    Establish and maintain an audit program. CC ID 00684 Establish/Maintain Documentation Preventive
    Accept the attestation engagement when all preconditions are met. CC ID 13933 Business Processes Preventive
    Audit in scope audit items and compliance documents as defined in the audit scope. CC ID 06730 Audits and Risk Management Preventive
    Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 Testing Detective
    Document test plans for auditing in scope controls. CC ID 06985 Testing Detective
    Determine the effectiveness of in scope controls. CC ID 06984
    [Develop and implement a system-level strategy for monitoring control effectiveness that is consistent with and supplements the organizational continuous monitoring strategy. TASK S-5]
    Testing Detective
    Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 Audits and Risk Management Detective
    Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 Audits and Risk Management Detective
    Observe processes to determine the effectiveness of in scope controls. CC ID 12155 Audits and Risk Management Detective
    Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 Audits and Risk Management Detective
    Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 Audits and Risk Management Detective
    Implement a corrective action plan in response to the audit report. CC ID 06777 Establish/Maintain Documentation Corrective
    Take appropriate action to correct deficiencies identified in the audit report. CC ID 01177
    [Conduct initial remediation actions on the controls and reassess remediated controls. TASK A-5]
    Testing Detective
    Establish and maintain a risk management program. CC ID 12051 Establish/Maintain Documentation Preventive
    Establish and maintain risk management strategies, as necessary. CC ID 13209
    [Establish a risk management strategy for the organization that includes a determination of risk tolerance. TASK P-2]
    Establish/Maintain Documentation Preventive
    Include off-site storage of supplies in the risk management strategies, as necessary. CC ID 13221 Establish/Maintain Documentation Preventive
    Include the use of alternate service providers in the risk management strategies. CC ID 13217 Establish/Maintain Documentation Preventive
    Include minimizing service interruptions in the risk management strategies. CC ID 13215 Establish/Maintain Documentation Preventive
    Include off-site storage in organizational risk mitigation strategies. CC ID 13213 Establish/Maintain Documentation Preventive
    Establish and maintain the risk assessment framework. CC ID 00685 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a risk assessment program to manage internal threats and external threats. CC ID 00687 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain risk assessment procedures. CC ID 06446 Establish/Maintain Documentation Preventive
    Establish and maintain a threat and risk classification scheme. CC ID 07183 Establish/Maintain Documentation Preventive
    Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443
    [Categorize the system and document the security categorization results. TASK C-2
    Prioritize organizational systems with the same impact level. TASK P-6]
    Audits and Risk Management Preventive
    Perform risk assessments for all target environments, as necessary. CC ID 06452
    [Conduct a system-level risk assessment and update the risk assessment results on an ongoing basis. TASK P-14]
    Testing Preventive
    Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 Establish/Maintain Documentation Preventive
    Include physical assets in the scope of the risk assessment. CC ID 13075 Establish/Maintain Documentation Preventive
    Include the results of the risk assessment in the risk assessment report. CC ID 06481
    [Prepare the assessment reports documenting the findings and recommendations from the control assessments. TASK A-4]
    Establish/Maintain Documentation Preventive
    Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 Audits and Risk Management Preventive
    Update the risk assessment upon discovery of a new threat. CC ID 00708
    [{security plan} {privacy plan} {risk assessment report} Update plans, assessment reports, and plans of action and milestones based on the results of the continuous monitoring process. TASK M-4]
    Establish/Maintain Documentation Detective
    Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 Audits and Risk Management Preventive
    Update the risk assessment upon changes to the risk profile. CC ID 11627
    [Assess organization-wide security and privacy risk and update the risk assessment results on an ongoing basis. TASK P-3
    Conduct a system-level risk assessment and update the risk assessment results on an ongoing basis. TASK P-14]
    Establish/Maintain Documentation Detective
    Review the risk to the audit function when the audit personnel status changes. CC ID 01153 Audits and Risk Management Preventive
    Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 Establish/Maintain Documentation Preventive
    Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 Communicate Preventive
    Conduct external audits of the organization's risk assessment. CC ID 13308 Audits and Risk Management Detective
    Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 Communicate Preventive
    Conduct external audits of the organization's risk assessment within any mandated timeframes. CC ID 13310 Audits and Risk Management Detective
    Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 Audits and Risk Management Preventive
    Conduct a Business Impact Analysis based on the risk assessment findings in the risk assessment report. CC ID 01147 Audits and Risk Management Detective
    Document organizational risk tolerance in a risk register. CC ID 09961
    [Establish a risk management strategy for the organization that includes a determination of risk tolerance. TASK P-2]
    Establish/Maintain Documentation Preventive
    Update the risk register, as necessary. CC ID 13047 Establish/Maintain Documentation Preventive
    Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 Business Processes Preventive
    Analyze and quantify the risks to in scope systems and information. CC ID 00701
    [Assess organization-wide security and privacy risk and update the risk assessment results on an ongoing basis. TASK P-3
    Determine if the risk from the operation or use of the information system or the provision or use of common controls is acceptable. TASK R-4
    Analyze and determine the risk from the operation or use of the system or the provision of common controls. TASK R-2]
    Audits and Risk Management Preventive
    Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 Audits and Risk Management Preventive
    Identify the material risks in the risk assessment report. CC ID 06482 Audits and Risk Management Preventive
    Assess the potential level of business impact risk associated with each business process. CC ID 06463 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with the business environment. CC ID 06464 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 Audits and Risk Management Detective
    Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 Investigate Detective
    Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 Audits and Risk Management Detective
    Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with insider threats. CC ID 06468 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with external entities. CC ID 06469 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 Actionable Reports or Measurements Detective
    Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 Audits and Risk Management Detective
    Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 Establish/Maintain Documentation Preventive
    Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 Investigate Preventive
    Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 Establish/Maintain Documentation Preventive
    Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 Behavior Preventive
    Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704
    [Assess the controls implemented within and inherited by the system in accordance with the continuous monitoring strategy. TASK M-2]
    Establish/Maintain Documentation Detective
    Prioritize and select controls based on the risk assessment findings. CC ID 00707
    [Select the controls for the system and the environment of operation. TASK S-1
    Tailor the controls selected for the system and the environment of operation. TASK S-2]
    Audits and Risk Management Preventive
    Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 Process or Activity Detective
    Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 Process or Activity Detective
    Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 Audits and Risk Management Preventive
    Determine the effectiveness of risk control measures. CC ID 06601 Testing Detective
    Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 Audits and Risk Management Preventive
    Establish and maintain a risk treatment plan. CC ID 11983
    [Identify and implement a preferred course of action in response to the risk determined. TASK R-3]
    Establish/Maintain Documentation Preventive
    Identify the planned actions and controls that address high risk. CC ID 12835 Audits and Risk Management Preventive
    Identify the current actions and controls that address high risk. CC ID 12834 Audits and Risk Management Preventive
    Include the risk treatment strategy in the risk treatment plan. CC ID 12159 Establish/Maintain Documentation Preventive
    Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 Establish/Maintain Documentation Corrective
    Include an overview of the migration project plan in the risk treatment plan. CC ID 11982 Establish/Maintain Documentation Preventive
    Include change control processes in the risk treatment plan. CC ID 11981 Establish/Maintain Documentation Preventive
    Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980 Establish/Maintain Documentation Preventive
    Include the implemented risk management controls in the risk treatment plan. CC ID 11979 Establish/Maintain Documentation Preventive
    Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 Establish/Maintain Documentation Preventive
    Include risk assessment results in the risk treatment plan. CC ID 11978 Establish/Maintain Documentation Preventive
    Include a description of usage in the risk treatment plan. CC ID 11977 Establish/Maintain Documentation Preventive
    Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 Establish/Maintain Documentation Preventive
    Approve the risk treatment plan. CC ID 13495 Audits and Risk Management Preventive
    Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705
    [Respond to risk based on the results of ongoing monitoring activities, risk assessments, and outstanding items in plans of action and milestones. TASK M-3
    Prepare the plan of action and milestones based on the findings and recommendations of the assessment reports. TASK A-6]
    Establish/Maintain Documentation Corrective
    Review and approve the risk assessment findings. CC ID 06485 Establish/Maintain Documentation Preventive
    Establish and Maintain a Cybersecurity Risk Management Strategy. CC ID 11991
    [Establish, document, and publish organizationally-tailored control baselines and/or Cybersecurity Framework Profiles. TASK P-4]
    Establish/Maintain Documentation Preventive
    Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 Establish/Maintain Documentation Preventive
    Evaluate the cyber insurance market. CC ID 12695 Business Processes Preventive
    Evaluate the usefulness of cyber insurance to the organization. CC ID 12694 Business Processes Preventive
    Acquire cyber insurance, as necessary. CC ID 12693 Business Processes Preventive
  • Human Resources management
    6
    Human Resources management CC ID 00763 IT Impact Zone IT Impact Zone
    Define and assign workforce roles and responsibilities. CC ID 13267 Human Resources Management Preventive
    Define and assign roles and responsibilities for those involved in risk management. CC ID 13660
    [Identify and assign individuals to specific roles associated with security and privacy risk management. TASK P-1]
    Human Resources Management Preventive
    Include the management structure in the duties and responsibilities for risk management. CC ID 13665 Human Resources Management Preventive
    Establish and maintain a Code of Conduct as a part of the Terms and Conditions of employment. CC ID 04897 Establish/Maintain Documentation Preventive
    Include the organization's mission in the Code of Conduct. CC ID 12875
    [Identify the missions, business functions, and mission/business processes that the system is intended to support. TASK P-8]
    Establish/Maintain Documentation Preventive
  • Leadership and high level objectives
    13
    Leadership and high level objectives CC ID 00597 IT Impact Zone IT Impact Zone
    Analyze organizational objectives, functions, and activities. CC ID 00598 Monitor and Evaluate Occurrences Preventive
    Analyze the business environment in which the organization operates. CC ID 12798 Business Processes Preventive
    Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863
    [{security posture} Monitor the information system and its environment of operation for changes that impact the security and privacy posture of the system. TASK M-1]
    Monitor and Evaluate Occurrences Preventive
    Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862
    [{security posture} Monitor the information system and its environment of operation for changes that impact the security and privacy posture of the system. TASK M-1]
    Monitor and Evaluate Occurrences Preventive
    Analyze the external environment in which the organization operates. CC ID 12799 Business Processes Preventive
    Monitor for changes which affect organizational strategies in the external environment. CC ID 12880
    [{security posture} Monitor the information system and its environment of operation for changes that impact the security and privacy posture of the system. TASK M-1]
    Monitor and Evaluate Occurrences Preventive
    Monitor for changes which affect organizational objectives in the external environment. CC ID 12879
    [{security posture} Monitor the information system and its environment of operation for changes that impact the security and privacy posture of the system. TASK M-1]
    Monitor and Evaluate Occurrences Preventive
    Establish and maintain sustainable infrastructure planning. CC ID 00603
    [Determine the placement of the system within the enterprise architecture. TASK P-16]
    Establish/Maintain Documentation Preventive
    Take into account the need for protecting information confidentiality during infrastructure planning. CC ID 06486 Behavior Preventive
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 Establish/Maintain Documentation Preventive
    Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688
    [Identify assets that require protection. TASK P-10]
    Business Processes Preventive
    Establish and maintain an Information Systems Assurance Categories Definitions document. CC ID 01608 Establish/Maintain Documentation Preventive
  • Monitoring and measurement
    190
    Monitoring and measurement CC ID 00636 IT Impact Zone IT Impact Zone
    Establish and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 Establish/Maintain Documentation Preventive
    Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695
    [Determine the authorization boundary of the system. TASK P-11]
    Systems Design, Build, and Implementation Preventive
    Identify processes, Information Systems, and third parties that transmit, process, or store personal data. CC ID 06289 Data and Information Management Preventive
    Include each Information System's major applications in the Information Technology inventory. CC ID 01407 Establish/Maintain Documentation Preventive
    Categorize all major applications according to the business information they process. CC ID 07182 Establish/Maintain Documentation Preventive
    Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 Establish/Maintain Documentation Preventive
    Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 Establish/Maintain Documentation Preventive
    Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain logging and monitoring operations. CC ID 00637
    [Develop and implement an organization-wide strategy for continuously monitoring control effectiveness. TASK P-7]
    Log Management Detective
    Establish, implement, and maintain an audit and accountability policy. CC ID 14035 Establish/Maintain Documentation Preventive
    Enable monitoring and logging operations on all assets that meet the organizational criteria to maintain event logs. CC ID 06312 Log Management Preventive
    Review and approve the use of continuous security management systems. CC ID 13181 Process or Activity Preventive
    Protect continuous security management systems from unauthorized use. CC ID 13097 Configuration Preventive
    Establish and maintain intrusion management operations. CC ID 00580 Monitor and Evaluate Occurrences Preventive
    Install and maintain an Intrusion Detection System and/or Intrusion Prevention System. CC ID 00581 Configuration Preventive
    Protect each person's right to privacy and civil liberties during intrusion management operations. CC ID 10035 Behavior Preventive
    Do not intercept communications of any kind when providing a service to clients. CC ID 09985 Behavior Preventive
    Determine if honeypots should be installed, and if so, where the honeypots should be placed. CC ID 00582 Technical Security Detective
    Monitor systems for inappropriate usage and other security violations. CC ID 00585 Monitor and Evaluate Occurrences Detective
    Monitor systems for blended attacks and multiple component incidents. CC ID 01225 Monitor and Evaluate Occurrences Detective
    Monitor systems for Denial of Service attacks. CC ID 01222 Monitor and Evaluate Occurrences Detective
    Monitor systems for unauthorized data transfers. CC ID 12971 Monitor and Evaluate Occurrences Preventive
    Address operational anomalies within the problem management system. CC ID 00589 Business Processes Detective
    Address operational anomalies within the incident management system. CC ID 11633 Audits and Risk Management Preventive
    Monitor systems for access to restricted data or restricted information. CC ID 04721 Monitor and Evaluate Occurrences Detective
    Assign roles and responsibilities for overseeing access to restricted data or restricted information. CC ID 11950 Human Resources Management Detective
    Detect unauthorized access to systems. CC ID 06798 Monitor and Evaluate Occurrences Detective
    Incorporate potential red flags into the organization's incident management system. CC ID 04652 Monitor and Evaluate Occurrences Detective
    Incorporate an Identity Theft Prevention Program into the organization's incident management system. CC ID 11634 Audits and Risk Management Preventive
    Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430 Monitor and Evaluate Occurrences Detective
    Alert interested personnel and affected parties when an incident causes an outage. CC ID 06808 Monitor and Evaluate Occurrences Detective
    Monitor systems for unauthorized mobile code. CC ID 10034 Monitor and Evaluate Occurrences Preventive
    Update the intrusion detection capabilities and the incident response capabilities regularly. CC ID 04653 Technical Security Preventive
    Implement honeyclients to proactively seek for malicious websites and malicious code. CC ID 10658 Technical Security Preventive
    Implement detonation chambers where appropriate. CC ID 10670 Technical Security Preventive
    Assign log management roles and responsibilities. CC ID 06311 Establish Roles Preventive
    Document and communicate the log locations to the owning entity. CC ID 12047 Log Management Preventive
    Make logs available for review by the owning entity. CC ID 12046 Log Management Preventive
    Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 Log Management Detective
    Establish and maintain event logging procedures. CC ID 01335 Log Management Detective
    Document the event information to be logged in the event information log specification. CC ID 00639 Configuration Preventive
    Enable logging for all systems that meet a traceability criteria. CC ID 00640 Log Management Detective
    Enable and configure logging on all network access controls. CC ID 01963 Configuration Preventive
    Analyze firewall logs for the correct capturing of data. CC ID 00549 Log Management Detective
    Synchronize system clocks to an accurate and universal time source on all devices that have logging enabled. CC ID 01340 Configuration Preventive
    Centralize network time servers to as few as practical. CC ID 06308 Configuration Preventive
    Disseminate and communicate information to customers about clock synchronization methods used by the organization, as necessary. CC ID 13044 Communicate Preventive
    Define the frequency to capture and log events. CC ID 06313 Log Management Preventive
    Include logging frequencies in the event logging procedures. CC ID 00642 Log Management Preventive
    Review and update the list of auditable events in the event logging procedures. CC ID 10097 Establish/Maintain Documentation Preventive
    Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 Log Management Preventive
    Protect the event logs from failure. CC ID 06290 Log Management Preventive
    Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427 Testing Preventive
    Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 Establish/Maintain Documentation Corrective
    Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424 Audits and Risk Management Preventive
    Review event logs, Intrusion Detection System reports, security incident tracking reports, and other security logs regularly. CC ID 00596 Log Management Detective
    Eliminate false positives in event logs, intrusion detection system reports, security incident tracking reports, and other security logs. CC ID 07047 Log Management Corrective
    Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 Log Management Detective
    Identify cybersecurity events in event logs and audit logs. CC ID 13206 Technical Security Detective
    Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925 Investigate Corrective
    Reproduce the event log if a log failure is captured. CC ID 01426 Log Management Preventive
    Monitor and evaluate system performance. CC ID 00651 Monitor and Evaluate Occurrences Detective
    Disseminate and communicate monitoring capabilities with interested personnel and affected parties. CC ID 13156 Communicate Preventive
    Disseminate and communicate statistics on resource usage with interested personnel and affected parties. CC ID 13155 Communicate Preventive
    Monitor for and react to when suspicious activities are detected. CC ID 00586 Monitor and Evaluate Occurrences Detective
    Erase payment applications when suspicious activity is confirmed. CC ID 12193 Technical Security Corrective
    Report a data loss event when non-truncated payment card numbers are outputted. CC ID 04741 Establish/Maintain Documentation Corrective
    Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of electronic information. CC ID 04727 Monitor and Evaluate Occurrences Corrective
    Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of printed records. CC ID 04728 Monitor and Evaluate Occurrences Corrective
    Report a data loss event after a security incident is detected and there are indications that the unauthorized person has accessed information in either paper or electronic form. CC ID 04740 Monitor and Evaluate Occurrences Corrective
    Report a data loss event after a security incident is detected and there are indications that the information has been or will likely be used in an unauthorized manner. CC ID 04729 Monitor and Evaluate Occurrences Corrective
    Report a data loss event after a security incident is detected and there are indications that the information has been or will likely be used in an unauthorized manner that could cause substantial economic impact. CC ID 04742 Monitor and Evaluate Occurrences Corrective
    Monitor and evaluate the effectiveness of detection tools. CC ID 13505 Investigate Detective
    Monitor and review retail payment activities, as necessary. CC ID 13541 Monitor and Evaluate Occurrences Detective
    Determine if high rates of retail payment activities are from Originating Depository Financial Institutions. CC ID 13546 Investigate Detective
    Review retail payment service reports, as necessary. CC ID 13545 Investigate Detective
    Assess customer satisfaction. CC ID 00652 Testing Detective
    Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 Log Management Detective
    Establish and maintain a continuous monitoring for Configuration Management program. CC ID 06757 Establish/Maintain Documentation Detective
    Establish and maintain an automated configuration monitoring system, as necessary. CC ID 07058 Monitor and Evaluate Occurrences Detective
    Monitor for and report when a software configuration is updated. CC ID 06746 Monitor and Evaluate Occurrences Detective
    Escalate the report when the software configuration is updated absent authorization. CC ID 04886 Monitor and Evaluate Occurrences Detective
    Monitor for firmware updates absent authorization. CC ID 10675 Monitor and Evaluate Occurrences Detective
    Implement file integrity monitoring. CC ID 01205 Monitor and Evaluate Occurrences Detective
    Identify unauthorized modifications during file integrity monitoring. CC ID 12096 Technical Security Detective
    Monitor for software configuration updates absent authorization. CC ID 10676 Monitor and Evaluate Occurrences Preventive
    Allow expected changes during file integrity monitoring. CC ID 12090 Technical Security Preventive
    Monitor for when documents are being updated absent authorization. CC ID 10677 Monitor and Evaluate Occurrences Preventive
    Include a change history and identify who made the changes in the file integrity monitoring report. CC ID 12091 Establish/Maintain Documentation Preventive
    Alert interested personnel and affected parties when an unauthorized modification to critical files is detected. CC ID 12045 Process or Activity Preventive
    Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 Behavior Preventive
    Monitor and evaluate user account activity. CC ID 07066 Monitor and Evaluate Occurrences Detective
    Develop and maintain a usage profile for each user account. CC ID 07067 Technical Security Preventive
    Log account usage to determine dormant accounts. CC ID 12118 Log Management Detective
    Log account usage times. CC ID 07099 Log Management Detective
    Generate daily reports of user logons during hours outside of their usage profile. CC ID 07068 Monitor and Evaluate Occurrences Detective
    Generate daily reports of users who have grossly exceeded their usage profile logon duration. CC ID 07069 Monitor and Evaluate Occurrences Detective
    Log account usage durations. CC ID 12117 Monitor and Evaluate Occurrences Detective
    Notify the appropriate personnel after identifying dormant accounts. CC ID 12125 Communicate Detective
    Log Internet Protocol addresses used during logon. CC ID 07100 Log Management Detective
    Report red flags when logon credentials are used on a computer different from the one in the usage profile. CC ID 07070 Monitor and Evaluate Occurrences Detective
    Establish and maintain a risk monitoring program. CC ID 00658 Establish/Maintain Documentation Preventive
    Establish and maintain a System Security Plan. CC ID 01922 Testing Preventive
    Create specific test plans to test each system component. CC ID 00661
    [Develop, review, and approve plans to assess implemented controls. TASK A-2]
    Establish/Maintain Documentation Preventive
    Adhere to the System Security Plan. CC ID 11640 Testing Detective
    Review the test plans for each system component. CC ID 00662
    [Develop, review, and approve plans to assess implemented controls. TASK A-2]
    Establish/Maintain Documentation Preventive
    Establish and maintain testing programs, as necessary. CC ID 00654 Behavior Preventive
    Implement and comply with the security test program. CC ID 11870
    [Assess the controls in accordance with the assessment procedures described in assessment plans. TASK A-3]
    Testing Detective
    Conduct Red Team exercises, as necessary. CC ID 12131 Technical Security Detective
    Establish and maintain a scoring method for Red Team exercise results. CC ID 12136 Establish/Maintain Documentation Preventive
    Test security systems and associated security procedures, as necessary. CC ID 11901 Technical Security Detective
    Test in scope systems for segregation of duties, as necessary. CC ID 13906 Testing Detective
    Scan organizational networks for rogue devices. CC ID 00536 Testing Detective
    Scan the network for Wireless Access Points. CC ID 00370 Testing Detective
    Document the business need justification for authorized wireless access points. CC ID 12044 Establish/Maintain Documentation Preventive
    Scan wireless networks for rogue devices. CC ID 11623 Technical Security Detective
    Test the wireless device scanner's ability to detect rogue devices. CC ID 06859 Testing Detective
    Implement incident response procedures when rogue devices are discovered. CC ID 11880 Technical Security Corrective
    Alert appropriate personnel when rogue devices are discovered on the network. CC ID 06428 Monitor and Evaluate Occurrences Corrective
    Deny network access to rogue devices until network access approval has been received. CC ID 11852 Configuration Preventive
    Isolate rogue devices after a rogue device has been detected. CC ID 07061 Configuration Corrective
    Establish and maintain a port scan baseline for all in scope systems. CC ID 12134 Technical Security Detective
    Compare port scan reports for in scope systems against their port scan baseline. CC ID 12162 Establish/Maintain Documentation Detective
    Establish, implement, and maintain a penetration test program. CC ID 01105 Behavior Preventive
    Align the penetration test program with industry standards. CC ID 12469 Establish/Maintain Documentation Preventive
    Assign penetration testing to a qualified internal resource or external third party. CC ID 06429 Establish Roles Preventive
    Establish and maintain a penetration testing methodology that validates scope-reduction controls through network segmentation. CC ID 11958 Testing Preventive
    Retain penetration test results according to internal policy. CC ID 10049 Records Management Preventive
    Retain penetration test remediation action records according to internal policy. CC ID 11629 Records Management Preventive
    Use dedicated user accounts when conducting penetration testing. CC ID 13728 Testing Detective
    Remove dedicated user account after penetration testing is concluded. CC ID 13729 Testing Corrective
    Perform penetration tests, as necessary. CC ID 00655 Testing Detective
    Perform internal penetration tests, as necessary. CC ID 12471 Technical Security Detective
    Perform external penetration tests, as necessary. CC ID 12470 Technical Security Detective
    Include coverage of all in scope systems during penetration testing. CC ID 11957 Testing Detective
    Test the system for broken access controls. CC ID 01319 Testing Detective
    Test the system for broken authentication and session management. CC ID 01320 Testing Detective
    Test the system for insecure communications. CC ID 00535 Testing Detective
    Test the system for cross-site scripting attacks. CC ID 01321 Testing Detective
    Test the system for buffer overflows. CC ID 01322 Testing Detective
    Test the system for injection flaws. CC ID 01323 Testing Detective
    Test the system for Denial of Service. CC ID 01326 Testing Detective
    Test the system for insecure configuration management. CC ID 01327 Testing Detective
    Perform network-layer penetration testing on all systems, as necessary. CC ID 01277 Testing Detective
    Test the system for Cross-Site Request Forgery. CC ID 06296 Testing Detective
    Perform application-layer penetration testing on all systems, as necessary. CC ID 11630 Technical Security Detective
    Perform penetration testing on segmentation controls, as necessary. CC ID 12498 Technical Security Detective
    Verify segmentation controls are operational and effective. CC ID 12545 Audits and Risk Management Detective
    Correct vulnerabilities and repeat penetration testing. CC ID 06860 Testing Detective
    Test the system for covert channels. CC ID 10652 Testing Detective
    Estimate the maximum bandwidth of any covert channels. CC ID 10653 Technical Security Detective
    Reduce the maximum bandwidth of covert channels. CC ID 10655 Technical Security Corrective
    Test systems to determine which covert channels might be exploited. CC ID 10654 Testing Detective
    Establish and maintain a vulnerability assessment program. CC ID 11636 Establish/Maintain Documentation Preventive
    Perform vulnerability scans, as necessary. CC ID 11637 Technical Security Detective
    Correct vulnerabilities and repeat vulnerability scanning. CC ID 11646 Testing Detective
    Identify and document security vulnerabilities. CC ID 11857 Technical Security Detective
    Rank discovered vulnerabilities. CC ID 11940 Investigate Detective
    Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 Technical Security Preventive
    Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 Technical Security Detective
    Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 Establish/Maintain Documentation Preventive
    Maintain vulnerability scan reports as organizational records. CC ID 12092 Records Management Preventive
    Correlate vulnerability scan reports from the various systems. CC ID 10636 Technical Security Detective
    Update the vulnerability scanners' vulnerability list. CC ID 10634 Configuration Corrective
    Perform internal vulnerability scans on the organization's systems. CC ID 00656 Testing Detective
    Perform vulnerability scans prior to installing payment applications. CC ID 12192 Technical Security Detective
    Repeat vulnerability scanning after an approved change occurs. CC ID 12468 Technical Security Detective
    Perform external vulnerability scans on the organization's systems. CC ID 11624 Technical Security Detective
    Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 Business Processes Preventive
    Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 Testing Preventive
    Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 Technical Security Detective
    Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 Behavior Corrective
    Perform vulnerability assessments, as necessary. CC ID 11828 Technical Security Corrective
    Review applications for security vulnerabilities after the application is updated. CC ID 11938 Technical Security Detective
    Test the system for unvalidated input. CC ID 01318 Testing Detective
    Test the system for proper error handling. CC ID 01324 Testing Detective
    Test the system for insecure data storage. CC ID 01325 Testing Detective
    Test the system for access control enforcement in all Uniform Resource Locators. CC ID 06297 Testing Detective
    Perform penetration tests and vulnerability scans in concert, as necessary. CC ID 12111 Technical Security Preventive
    Test the system for insecure cryptographic storage. CC ID 11635 Technical Security Detective
    Perform self-tests on cryptographic modules within the system. CC ID 06537 Testing Detective
    Perform power-up tests on cryptographic modules within the system. CC ID 06538 Testing Detective
    Perform conditional tests on cryptographic modules within the system. CC ID 06539 Testing Detective
    Test in scope systems for compliance with the Configuration Baseline Documentation Record. CC ID 12130 Configuration Detective
    Create a plan of action to correct control deficiencies identified in an audit. CC ID 00675
    [{security plan} {privacy plan} {risk assessment report} Update plans, assessment reports, and plans of action and milestones based on the results of the continuous monitoring process. TASK M-4]
    Monitor and Evaluate Occurrences Detective
    Include the completion date in the plan of action. CC ID 13272 Establish/Maintain Documentation Preventive
    Monitor the activities to correct control deficiencies identified in an audit. CC ID 11645
    [Conduct initial remediation actions on the controls and reassess remediated controls. TASK A-5]
    Monitor and Evaluate Occurrences Detective
    Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary. CC ID 00676
    [{security posture} Report the security and privacy posture of the system to the authorizing official and other organizational officials on an ongoing basis in accordance with the organizational continuous monitoring strategy. TASK M-5]
    Actionable Reports or Measurements Corrective
    Report known security issues to the Board of Directors or Senior Executive Committee on a regular basis. CC ID 12329
    [Report the authorization decision and any deficiencies in controls that represent significant security or privacy risk. TASK R-5]
    Monitor and Evaluate Occurrences Preventive
  • Operational management
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Operational management CC ID 00805 IT Impact Zone IT Impact Zone
    Establish and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Establish/Maintain Documentation Preventive
    Establish and maintain an internal control framework. CC ID 00820 Establish/Maintain Documentation Preventive
    Establish and maintain a baseline of internal controls. CC ID 12415
    [Establish, document, and publish organizationally-tailored control baselines and/or Cybersecurity Framework Profiles. TASK P-4
    {security control inheritance} Identify, document, and publish organization-wide common controls that are available for inheritance by organizational systems. TASK P-5]
    Business Processes Preventive
    Establish and maintain an information security program. CC ID 00812 Establish/Maintain Documentation Preventive
    Include technical safeguards in the information security program. CC ID 12374
    [{security plans} Document the controls for the system and environment of operation in security and privacy plans. TASK S-4]
    Establish/Maintain Documentation Preventive
    Include physical security in the information security program. CC ID 12382
    [{security plans} Document the controls for the system and environment of operation in security and privacy plans. TASK S-4]
    Establish/Maintain Documentation Preventive
    Establish and maintain an information security policy. CC ID 11740 Establish/Maintain Documentation Preventive
    Review and update the information security policy, as necessary. CC ID 11741
    [{security plans} Review and approve the security and privacy plans for the system and the environment of operation. TASK S-6
    {security plan} {privacy plan} {risk assessment report} Update plans, assessment reports, and plans of action and milestones based on the results of the continuous monitoring process. TASK M-4]
    Establish/Maintain Documentation Corrective
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Business Processes Preventive
    Review systems for compliance with organizational information security policies. CC ID 12004
    [{are acceptable} {security posture} Review the security and privacy posture of the system on an ongoing basis to determine whether the risk remains acceptable. TASK M-6]
    Business Processes Preventive
    Establish and maintain an Asset Management program. CC ID 06630 Business Processes Preventive
    Establish and apply classification schemes for all systems and assets. CC ID 01902 Establish/Maintain Documentation Preventive
    Apply security controls to each level of the information classification standard. CC ID 01903
    [{security plans} Implement the controls in the security and privacy plans. TASK I-1]
    Systems Design, Build, and Implementation Preventive
    Establish and maintain the systems' confidentiality level. CC ID 01904 Establish/Maintain Documentation Preventive
    Define confidentiality controls. CC ID 01908 Establish/Maintain Documentation Preventive
    Establish and maintain the systems' availability level. CC ID 01905 Establish/Maintain Documentation Preventive
    Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 Process or Activity Preventive
    Define integrity controls. CC ID 01909 Establish/Maintain Documentation Preventive
    Establish and maintain the systems' integrity level. CC ID 01906 Establish/Maintain Documentation Preventive
    Define availability controls. CC ID 01911 Establish/Maintain Documentation Preventive
    Classify assets according to the Asset Classification Policy. CC ID 07186 Establish Roles Preventive
    Document the decision for assigning an asset to a specific asset classification in the Asset Classification Policy. CC ID 07185
    [Review and approve the security categorization results and decision. TASK C-3]
    Establish/Maintain Documentation Preventive
    Establish and maintain a system redeployment or disposal program. CC ID 06276
    [Implement a system disposal strategy and execute required actions when a system is removed from operation. TASK M-7]
    Establish/Maintain Documentation Preventive
    Test systems for malicious code prior to when the system will be redeployed. CC ID 06339 Testing Detective
    Notify organizational unit leaders prior to when the system is redeployed or the system is disposed. CC ID 06400 Behavior Preventive
    Wipe all data on systems prior to when the system is redeployed or the system is disposed. CC ID 06401 Data and Information Management Preventive
    Transfer legal ownership of assets when the system is redeployed to a third party. CC ID 06698 Acquisition/Sale of Assets or Services Preventive
    Document the staff's operating knowledge of the system prior to a personnel status change. CC ID 06937 Establish/Maintain Documentation Preventive
    Redeploy systems to other organizational units, as necessary. CC ID 11452 Establish/Maintain Documentation Preventive
    Dispose of hardware and software at their life cycle end. CC ID 06278
    [Implement a system disposal strategy and execute required actions when a system is removed from operation. TASK M-7]
    Business Processes Preventive
    Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200 Business Processes Preventive
    Establish and maintain disposal contracts, as necessary. CC ID 12199 Establish/Maintain Documentation Preventive
    Include disposal procedures in disposal contracts. CC ID 13905 Establish/Maintain Documentation Preventive
    Remove asset tags prior to disposal of an asset. CC ID 12198 Business Processes Preventive
    Document the storage information for all systems that are stored instead of being disposed or redeployed. CC ID 06936 Establish/Maintain Documentation Preventive
    Test for detrimental environmental factors after a system is disposed. CC ID 06938 Testing Detective
    Establish and maintain a customer service program. CC ID 00846 Establish/Maintain Documentation Preventive
    Establish and maintain a customer service business function. CC ID 00847
    [Identify the missions, business functions, and mission/business processes that the system is intended to support. TASK P-8]
    Business Processes Preventive
    Confirm the customer agrees with the resolution process associated with the complaint. CC ID 13630 Communicate Detective
    Document the resolution of issues reported to customer service. CC ID 12918 Establish/Maintain Documentation Preventive
    Establish and maintain a change control program. CC ID 00886 Establish/Maintain Documentation Preventive
    Update associated documentation after the system configuration has been changed. CC ID 00891
    [Document changes to planned control implementations based on the "as-implemented" state of controls. TASK I-2]
    Establish/Maintain Documentation Preventive
    Establish and maintain a configuration change log. CC ID 08710 Configuration Detective
    Review the configuration change log. CC ID 11754 Configuration Detective
    Document approved configuration deviations. CC ID 08711 Establish/Maintain Documentation Corrective
    Document the organization's local environments. CC ID 06726 Establish/Maintain Documentation Preventive
    Establish and maintain local environment security profiles. CC ID 07037 Establish/Maintain Documentation Preventive
    Include the business processes assigned to the local environment in the local environment security profile. CC ID 07039
    [Identify the missions, business functions, and mission/business processes that the system is intended to support. TASK P-8]
    Establish/Maintain Documentation Preventive
  • Physical and environmental protection
    Physical and environmental protection CC ID 00709 IT Impact Zone IT Impact Zone
    Establish and maintain a physical security program. CC ID 11757
    [{security requirements} Define the security and privacy requirements for the system and the environment of operation. TASK P-15]
    Establish/Maintain Documentation Preventive
    Establish and maintain physical security plans. CC ID 13307
    [{security plans} Review and approve the security and privacy plans for the system and the environment of operation. TASK S-6]
    Establish/Maintain Documentation Preventive
    Include a maintenance schedule for the physical security plan in the physical security plan. CC ID 13309 Establish/Maintain Documentation Preventive
    Document any reasons for modifying or refraining from modifying the organization's physical security plan when the physical security plan has been reviewed. CC ID 13315 Establish/Maintain Documentation Preventive
    Conduct external audits of the organization's physical security plan. CC ID 13314 Audits and Risk Management Detective
    Establish and maintain physical security procedures. CC ID 13076
    [{security requirements} Allocate security and privacy requirements to the system and to the environment of operation. TASK P-17]
    Establish/Maintain Documentation Preventive
    Analyze and evaluate engineering systems. CC ID 13080 Physical and Environmental Protection Preventive
    Analyze and evaluate facilities and their structural elements. CC ID 13079 Physical and Environmental Protection Preventive
    Analyze and evaluate mechanical systems, as necessary. CC ID 13078 Physical and Environmental Protection Preventive
    Report damaged property to interested personnel or affected parties. CC ID 13702 Communicate Corrective
    Establish and maintain an anti-tamper protection program. CC ID 10638 Monitor and Evaluate Occurrences Detective
    Disallow disabling tamper detection and response mechanisms, absent authorization. CC ID 12211 Configuration Preventive
    Prevent security mechanisms from being compromised by adverse physical conditions. CC ID 12215 Configuration Preventive
    Monitor for evidence of when tampering indicators are being identified. CC ID 11905 Monitor and Evaluate Occurrences Detective
    Inspect device surfaces to detect tampering. CC ID 11868 Investigate Detective
    Inspect device surfaces to detect unauthorized substitution. CC ID 11869 Investigate Detective
    Inspect for tampering at random intervals. CC ID 10640 Monitor and Evaluate Occurrences Detective
    Protect assets from tampering or unapproved substitution. CC ID 11902 Physical and Environmental Protection Preventive
    Establish and maintain a facility physical security program. CC ID 00711
    [Select the controls for the system and the environment of operation. TASK S-1
    {security controls} Allocate security and privacy controls to the system and to the environment of operation. TASK S-3]
    Establish/Maintain Documentation Preventive
    Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 Establish/Maintain Documentation Preventive
    Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 Behavior Preventive
    Protect the facility from crime. CC ID 06347 Physical and Environmental Protection Preventive
    Define communication methods for reporting crimes. CC ID 06349 Establish/Maintain Documentation Preventive
    Protect facilities from eavesdropping. CC ID 02222 Physical and Environmental Protection Preventive
    Inspect telephones for eavesdropping devices. CC ID 02223 Physical and Environmental Protection Detective
    Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 Physical and Environmental Protection Preventive
    Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 Physical and Environmental Protection Preventive
    Establish clear zones around any sensitive facilities. CC ID 02214 Physical and Environmental Protection Preventive
    Post and maintain security signage for all facilities. CC ID 02201 Establish/Maintain Documentation Preventive
    Inspect items brought into the facility. CC ID 06341 Physical and Environmental Protection Preventive
    Maintain all physical security systems. CC ID 02206 Physical and Environmental Protection Preventive
    Detect anomalies in physical barriers. CC ID 13533 Investigate Detective
    Maintain all security alarm systems. CC ID 11669 Physical and Environmental Protection Preventive
    Identify and document physical access controls for all physical entry points. CC ID 01637 Establish/Maintain Documentation Preventive
    Control physical access to (and within) the facility. CC ID 01329 Physical and Environmental Protection Preventive
    Define and implement access procedures for all organizational facilities and controlled access areas. CC ID 13629 Establish/Maintain Documentation Preventive
    Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419 Physical and Environmental Protection Preventive
    Secure physical entry points with physical access controls or security guards. CC ID 01640 Physical and Environmental Protection Detective
    Configure the access control system to grant access only during authorized working hours. CC ID 12325 Physical and Environmental Protection Preventive
    Establish and maintain a visitor access permissions policy. CC ID 06699 Establish/Maintain Documentation Preventive
    Escort visitors within the facility, as necessary. CC ID 06417 Establish/Maintain Documentation Preventive
    Check the visitor's stated identity against a provided government issued identification. CC ID 06701 Physical and Environmental Protection Preventive
    Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330 Testing Preventive
    Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 Behavior Preventive
    Establish and maintain procedures for changing a visitor's access requirements. CC ID 12048 Establish/Maintain Documentation Preventive
    Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 Establish/Maintain Documentation Preventive
    Authorize physical access to sensitive areas based on job functions. CC ID 12462 Establish/Maintain Documentation Preventive
    Review facility access lists. CC ID 01251 Establish/Maintain Documentation Detective
    Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463 Physical and Environmental Protection Corrective
    Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747 Monitor and Evaluate Occurrences Preventive
    Establish and maintain physical identification procedures. CC ID 00713 Establish/Maintain Documentation Preventive
    Implement physical identification processes. CC ID 13715 Process or Activity Preventive
    Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 Human Resources Management Preventive
    Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 Process or Activity Preventive
    Issue photo identification badges to all employees. CC ID 12326 Physical and Environmental Protection Preventive
    Implement operational requirements for card readers. CC ID 02225 Testing Preventive
    Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 Physical and Environmental Protection Preventive
    Document all lost badges in a lost badge list. CC ID 12448 Establish/Maintain Documentation Corrective
    Manage constituent identification inside the facility. CC ID 02215 Behavior Preventive
    Direct each employee to be responsible for their identification card or badge. CC ID 12332 Human Resources Management Preventive
    Manage visitor identification inside the facility. CC ID 11670 Physical and Environmental Protection Preventive
    Issue visitor identification badges to all non-employees. CC ID 00543 Behavior Preventive
    Secure unissued visitor identification badges. CC ID 06712 Physical and Environmental Protection Preventive
    Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 Behavior Preventive
    Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 Physical and Environmental Protection Preventive
    Establish and maintain identification issuance procedures for identification cards or badges. CC ID 06598 Establish/Maintain Documentation Preventive
    Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714 Process or Activity Preventive
    Include error handling controls in identification issuance procedures. CC ID 13709 Establish/Maintain Documentation Preventive
    Include identity proofing processes in the identification issuance procedures. CC ID 06597 Process or Activity Preventive
    Include an identity registration process in the identification issuance procedures. CC ID 11671 Establish/Maintain Documentation Preventive
    Restrict access to the badge system to authorized personnel. CC ID 12043 Physical and Environmental Protection Preventive
    Enforce dual control for badge assignments. CC ID 12328 Physical and Environmental Protection Preventive
    Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 Physical and Environmental Protection Preventive
    Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 Physical and Environmental Protection Preventive
    Establish and maintain identification renewal procedures for identification cards or badges. CC ID 06599 Establish/Maintain Documentation Preventive
    Assign employees the responsibility for controlling their identification badges. CC ID 12333 Human Resources Management Preventive
    Establish and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596 Establish/Maintain Documentation Preventive
    Establish and maintain identification mechanism termination procedures. CC ID 06306 Establish/Maintain Documentation Preventive
    Prevent tailgating through physical entry points. CC ID 06685 Physical and Environmental Protection Preventive
    Monitor for unauthorized physical access at physical entry points. CC ID 06797 Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain a door security standard. CC ID 06686 Establish/Maintain Documentation Preventive
    Install doors so that exposed hinges are on the secured side. CC ID 06687 Configuration Preventive
    Install emergency doors to permit egress only. CC ID 06688 Configuration Preventive
    Install contact alarms on doors, as necessary. CC ID 06710 Configuration Preventive
    Use locks to protect against unauthorized physical access. CC ID 06342 Physical and Environmental Protection Preventive
    Use locks with electronic authentication systems or cipher locks, as necessary. CC ID 06650 Configuration Preventive
    Test locks for physical security vulnerabilities. CC ID 04880 Testing Detective
    Secure non-issued access mechanisms. CC ID 06713 Technical Security Preventive
    Establish and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems. CC ID 00748 Establish/Maintain Documentation Preventive
    Change cipher lock codes, as necessary. CC ID 06651 Technical Security Preventive
    Change cipher lock codes upon authorized personnel status change or termination. CC ID 06652 Technical Security Preventive
    Record the assigned access mechanism serial number or cipher lock code when issuing controlled items. CC ID 06715 Establish/Maintain Documentation Preventive
    Establish and maintain a window security standard. CC ID 06689 Establish/Maintain Documentation Preventive
    Install contact alarms on openable windows, as necessary. CC ID 06690 Configuration Preventive
    Install glass break alarms on windows, as necessary. CC ID 06691 Configuration Preventive
    Post signs at all physical entry points stating the organization's right to inspect upon entry. CC ID 02204 Establish/Maintain Documentation Preventive
    Install and maintain security lighting at all physical entry points. CC ID 02205 Physical and Environmental Protection Preventive
    Manage access to loading docks, unloading docks, and mail rooms. CC ID 02210 Physical and Environmental Protection Preventive
    Secure the loading dock with physical access controls or security guards. CC ID 06703 Physical and Environmental Protection Preventive
    Isolate loading areas from information processing facilities, if possible. CC ID 12028 Physical and Environmental Protection Preventive
    Screen incoming mail and deliveries. CC ID 06719 Physical and Environmental Protection Preventive
    Protect access to the facility's mechanical systems area. CC ID 02212 Physical and Environmental Protection Preventive
    Establish and maintain elevator security guidelines. CC ID 02232 Physical and Environmental Protection Preventive
    Establish and maintain stairwell security guidelines. CC ID 02233 Physical and Environmental Protection Preventive
    Establish and maintain glass opening security guidelines. CC ID 02234 Physical and Environmental Protection Preventive
    Establish, implement, and maintain after-hours facility access procedures. CC ID 06340 Establish/Maintain Documentation Preventive
    Establish a security room, if necessary. CC ID 00738 Physical and Environmental Protection Preventive
    Implement physical security standards for mainframe rooms or data centers. CC ID 00749 Physical and Environmental Protection Preventive
    Establish and maintain equipment security cages in a shared space environment. CC ID 06711 Physical and Environmental Protection Preventive
    Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 Physical and Environmental Protection Preventive
    Lock all lockable equipment cabinets. CC ID 11673 Physical and Environmental Protection Detective
    Establish and maintain vault physical security standards. CC ID 02203 Physical and Environmental Protection Preventive
    Establish and maintain a guideline for working in a secure area. CC ID 04538 Establish/Maintain Documentation Preventive
    Establish and maintain emergency re-entry procedures. CC ID 11672 Establish/Maintain Documentation Preventive
    Establish and maintain emergency exit procedures. CC ID 01252 Establish/Maintain Documentation Preventive
    Monitor entry through all physical entry points. CC ID 01638 Monitor and Evaluate Occurrences Detective
    Establish and maintain a visitor log. CC ID 00715 Log Management Preventive
    Require all visitors to sign in to the visitor log before the entrance of a visitor to the facility. CC ID 06700 Establish/Maintain Documentation Preventive
    Require all visitors to sign out of the visitor log before the exit of a visitor from the facility. CC ID 06649 Behavior Preventive
    Record the visitor's name in the visitor log. CC ID 00557 Log Management Preventive
    Record the visitor's organization in the visitor log. CC ID 12121 Log Management Preventive
    Record the visitor's acceptable access areas in the visitor log. CC ID 12237 Log Management Preventive
    Record the date and time of entry in the visitor log. CC ID 13255 Establish/Maintain Documentation Preventive
    Record the onsite personnel authorizing physical access for the visitor in the visitor log. CC ID 12466 Establish/Maintain Documentation Preventive
    Retain all records in the visitor log as prescribed by law. CC ID 00572 Log Management Preventive
    Review visitor logs, as necessary. CC ID 10625 Establish/Maintain Documentation Detective
    Establish and maintain a physical access log. CC ID 12080 Establish/Maintain Documentation Preventive
    Log the entrance of a staff member to a facility or designated rooms within the facility. CC ID 01641 Log Management Preventive
    Log when the vault is accessed. CC ID 06725 Log Management Detective
    Log when the cabinet is accessed. CC ID 11674 Log Management Detective
    Store facility access logs in off-site storage. CC ID 06958 Log Management Preventive
    Review physical access logs, as necessary. CC ID 10624 Establish/Maintain Documentation Detective
    Log the exit of a staff member from a facility or designated rooms within the facility. CC ID 11675 Monitor and Evaluate Occurrences Preventive
    Observe restricted areas with motion detectors or closed-circuit television systems. CC ID 01328 Monitor and Evaluate Occurrences Detective
    Review and correlate all data collected from video cameras and/or access control mechanisms with other entries. CC ID 11609 Monitor and Evaluate Occurrences Detective
    Configure video cameras to cover all physical entry points. CC ID 06302 Configuration Preventive
    Configure video cameras to prevent physical tampering or disablement. CC ID 06303 Configuration Preventive
    Retain video events according to Records Management procedures. CC ID 06304 Records Management Preventive
    Evaluate and react when unauthorized access is detected by physical entry point alarms. CC ID 11677 Monitor and Evaluate Occurrences Detective
    Monitor physical entry point alarms. CC ID 01639 Physical and Environmental Protection Detective
    Monitor for alarmed security doors being propped open. CC ID 06684 Monitor and Evaluate Occurrences Detective
    Establish and maintain physical security threat reports. CC ID 02207 Establish/Maintain Documentation Preventive
    Build and maintain fencing, as necessary. CC ID 02235 Physical and Environmental Protection Preventive
    Implement security measures for all interior spaces that allow for any payment transactions. CC ID 06352 Physical and Environmental Protection Preventive
    Employ security guards to provide physical security, as necessary. CC ID 06653 Establish Roles Preventive
    Establish and maintain a facility wall standard. CC ID 06692 Establish/Maintain Documentation Preventive
    Design interior walls with sound absorbing materials as well as thermal resistant materials. CC ID 06372 Physical and Environmental Protection Preventive
    Design interior walls that provide security to extend from true floor to true ceiling. CC ID 06693 Configuration Preventive
    Refrain from search and seizure inside organizational facilities absent a warrant. CC ID 09980 Behavior Preventive
    Disallow either search or seizure of any person inside organizational facilities absent a warrant. CC ID 09981 Behavior Preventive
    Disallow copying or excerpting from documents, books, or records that are on or in the premises of an organizational facility absent a warrant. CC ID 09982 Business Processes Preventive
    Disallow inspecting computers or searching computer records inside organizational facilities absent a warrant. CC ID 09983 Behavior Preventive
    Do nothing to help during a search and seizure inside organizational facilities absent a warrant and being legally compelled to assist. CC ID 09984 Behavior Preventive
    Establish and maintain physical security controls for distributed Information Technology assets. CC ID 00718 Physical and Environmental Protection Preventive
    Restrict physical access to distributed Information Technology assets. CC ID 11865 Physical and Environmental Protection Preventive
    House network hardware in lockable rooms or lockable equipment cabinets. CC ID 01873 Physical and Environmental Protection Preventive
    Protect electronic storage media with physical access controls. CC ID 00720 Physical and Environmental Protection Preventive
    Protect physical assets with earthquake-resistant mechanisms. CC ID 06360 Physical and Environmental Protection Preventive
    Establish, implement, and maintain a media protection policy. CC ID 14029 Establish/Maintain Documentation Preventive
    Establish and maintain removable storage media controls. CC ID 06680 Data and Information Management Preventive
    Control access to restricted storage media. CC ID 04889 Data and Information Management Preventive
    Physically secure all electronic storage media that store restricted data or restricted information. CC ID 11664 Physical and Environmental Protection Preventive
    Separate duplicate originals and backup media from the original electronic storage media. CC ID 00961 Records Management Preventive
    Treat archive media as evidence. CC ID 00960 Records Management Preventive
    Log the transfer of removable storage media. CC ID 12322 Log Management Preventive
    Establish and maintain storage media access control procedures. CC ID 00959 Establish/Maintain Documentation Preventive
    Require removable storage media be in the custody of an authorized individual. CC ID 12319 Behavior Preventive
    Control the storage of restricted storage media. CC ID 00965 Records Management Preventive
    Store removable storage media containing restricted data or restricted information using electronic media storage cabinets or electronic media storage vaults. CC ID 00717 Physical and Environmental Protection Preventive
    Protect the combinations for all combination locks. CC ID 02199 Physical and Environmental Protection Preventive
    Establish and maintain electronic media storage container repair guidelines. CC ID 02200 Establish/Maintain Documentation Preventive
    Establish and maintain eavesdropping protection for vaults. CC ID 02231 Physical and Environmental Protection Preventive
    Serialize all removable storage media. CC ID 00949 Configuration Preventive
    Control the transiting and internal distribution or external distribution of restricted storage media. CC ID 00963 Records Management Preventive
    Log the transferring of custody of removable storage media. CC ID 12321 Log Management Preventive
    Obtain management authorization for restricted storage media transit or distribution from a controlled access area. CC ID 00964 Records Management Preventive
    Transport restricted media using a delivery method that can be tracked. CC ID 11777 Business Processes Preventive
    Track restricted storage media while it is in transit. CC ID 00967 Data and Information Management Detective
    Protect distributed Information Technology assets against theft. CC ID 06799 Physical and Environmental Protection Preventive
    Establish and maintain an Information Technology asset removal policy. CC ID 13162 Establish/Maintain Documentation Preventive
    Specify the assets to be returned or removed in the Information Technology asset removal policy. CC ID 13163 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Information Technology asset removal policy to interested personnel and affected parties. CC ID 13160 Communicate Preventive
    Establish and maintain Information Technology asset removal procedures. CC ID 04540 Establish/Maintain Documentation Preventive
    Prohibit assets from being taken off-site absent prior authorization. CC ID 12027 Process or Activity Preventive
    Control the delivery of assets through physical entry points and physical exit points. CC ID 01441 Physical and Environmental Protection Preventive
    Control the removal of assets through physical entry points and physical exit points. CC ID 11681 Physical and Environmental Protection Preventive
    Establish and maintain on-site logical controls for all distributed Information Technology assets. CC ID 11682 Technical Security Preventive
    Establish and maintain off-site logical controls for all distributed Information Technology assets. CC ID 11683 Technical Security Preventive
    Establish, implement, and maintain on-site physical controls for all distributed Information Technology assets. CC ID 04820 Physical and Environmental Protection Preventive
    Establish and maintain off-site physical controls for all distributed Information Technology assets. CC ID 04539 Physical and Environmental Protection Preventive
    Establish and maintain report missing asset procedures. CC ID 06336 Establish/Maintain Documentation Preventive
    Attach asset location technologies to distributed Information Technology assets. CC ID 10626 Physical and Environmental Protection Detective
    Employ asset location technologies in accordance with applicable laws and regulations. CC ID 10627 Physical and Environmental Protection Preventive
    Monitor the location of distributed Information Technology assets. CC ID 11684 Monitor and Evaluate Occurrences Detective
    Remote lock any distributed Information Technology assets reported lost or stolen. CC ID 14008 Technical Security Corrective
    Remote wipe any distributed Information Technology asset reported lost or stolen. CC ID 12197 Process or Activity Corrective
    Unpair missing Bluetooth devices. CC ID 12428 Physical and Environmental Protection Corrective
    Establish, implement, and maintain end user computing device security guidelines. CC ID 00719 Establish/Maintain Documentation Preventive
    Establish and maintain a locking screen saver policy. CC ID 06717 Establish/Maintain Documentation Preventive
    Secure workstations to desks with security cables. CC ID 04724 Physical and Environmental Protection Preventive
    Establish and maintain mobile device security guidelines. CC ID 04723 Establish/Maintain Documentation Preventive
    Include the expectation of data loss in the event of sanitizing the mobile device in the mobile device security guidelines. CC ID 12292 Establish/Maintain Documentation Preventive
    Include legal requirements in the mobile device security guidelines. CC ID 12291 Establish/Maintain Documentation Preventive
    Include prohibiting the usage of unapproved application stores in the mobile device security guidelines. CC ID 12290 Establish/Maintain Documentation Preventive
    Include requiring users to create data backups in the mobile device security guidelines. CC ID 12289 Establish/Maintain Documentation Preventive
    Include the definition of mobile devices in the mobile device security guidelines. CC ID 12288 Establish/Maintain Documentation Preventive
    Refrain from responding to unsolicited Personal Identification Number requests. CC ID 12430 Physical and Environmental Protection Preventive
    Implement mobile device security guidelines. CC ID 06353 Physical and Environmental Protection Preventive
    Refrain from pairing Bluetooth devices in unsecured areas. CC ID 12429 Physical and Environmental Protection Preventive
    Encrypt information stored on mobile devices. CC ID 01422 Data and Information Management Preventive
    Remove dormant systems from the network, as necessary. CC ID 13727 Process or Activity Corrective
    Separate systems that transmit, process, or store restricted data from those that do not by deploying physical access controls. CC ID 00722 Physical and Environmental Protection Preventive
    Position computer monitors in such a way that unauthorized personnel are prevented from viewing them. CC ID 01437 Physical and Environmental Protection Preventive
    Establish and maintain asset return procedures. CC ID 04537 Establish/Maintain Documentation Preventive
    Request the return of all appropriate assets upon notification of a personnel status change. CC ID 06678 Behavior Preventive
    Require the return of all assets upon notification an individual is terminated. CC ID 06679 Behavior Preventive
    Prohibit usage of cell phones near restricted data or restricted information, absent authorization. CC ID 06354 Behavior Preventive
    Prohibit mobile device usage near restricted data or restricted information, absent authorization. CC ID 04597 Behavior Preventive
    Prohibit wireless technology usage near restricted data or restricted information, absent authorization. CC ID 08706 Configuration Preventive
    Inspect mobile devices for the storage of restricted data or restricted information. CC ID 08707 Investigate Detective
    Log an incident if unauthorized restricted data or unauthorized restricted information is discovered on a mobile device. CC ID 08708 Monitor and Evaluate Occurrences Corrective
    Prohibit the use of computers with camera capability near restricted data or restricted information, absent authorization. CC ID 04598 Behavior Preventive
    Establish and maintain open storage container procedures. CC ID 02198 Establish/Maintain Documentation Preventive
    Establish and maintain a physical clean desk policy. CC ID 06534 Establish/Maintain Documentation Preventive
    Establish and maintain a clear screen policy. CC ID 12436 Technical Security Preventive
    Establish and maintain contact card reader security guidelines. CC ID 06588 Establish/Maintain Documentation Preventive
    Establish and maintain contactless card reader security guidelines. CC ID 06589 Establish/Maintain Documentation Preventive
    Establish and maintain Personal Identification Number input device security guidelines. CC ID 06590 Establish/Maintain Documentation Preventive
    Identify customer property within the organizational facility. CC ID 06612 Physical and Environmental Protection Preventive
    Protect customer property under the care of the organization. CC ID 11685 Physical and Environmental Protection Preventive
    Prohibit the unauthorized remote activation of collaborative computing devices. CC ID 06768 Technical Security Preventive
    Provide a physical disconnect of collaborative computing devices in a way that supports ease of use. CC ID 06769 Configuration Preventive
    Indicate the active use of collaborative computing devices to users physically present at the device. CC ID 10647 Technical Security Preventive
    Provide storage media shelving capable of bearing all potential loads. CC ID 11400 Physical and Environmental Protection Preventive
    Establish and maintain proper aircraft security. CC ID 02213 Physical and Environmental Protection Preventive
    Establish, implement, and maintain a vehicle access program. CC ID 02216 Establish/Maintain Documentation Preventive
    Establish parking requirements for vehicles. CC ID 02218 Physical and Environmental Protection Preventive
    Establish and maintain proper container security. CC ID 02208 Physical and Environmental Protection Preventive
    Inspect the physical integrity of all containers before loading the containers. CC ID 02209 Physical and Environmental Protection Detective
    Lock closable storage containers. CC ID 06307 Physical and Environmental Protection Preventive
    Establish and maintain returned card procedures, as necessary. CC ID 13567 Establish/Maintain Documentation Preventive
    Refrain from distributing returned cards to staff with the responsibility for payment card issuance. CC ID 13572 Business Processes Preventive
    Establish and maintain the physical security of non-issued payment cards. CC ID 06402 Establish/Maintain Documentation Preventive
    Control the issuance of payment cards. CC ID 06403 Physical and Environmental Protection Preventive
    Inventory payment cards, as necessary. CC ID 13547 Records Management Preventive
    Store non-issued payment cards in a lockable cabinet or safe. CC ID 06404 Physical and Environmental Protection Preventive
    Deliver payment cards to customers using secure methods. CC ID 06405 Physical and Environmental Protection Preventive
    Activate payment cards sent to customers upon receiving instructions to activate the payment card. CC ID 13052 Business Processes Preventive
    Establish and implement payment card usage security measures. CC ID 06406 Establish/Maintain Documentation Preventive
    Notify customers about payment card usage security measures. CC ID 06407 Behavior Preventive
    Establish and maintain physical security of assets used for publicity. CC ID 06724 Physical and Environmental Protection Preventive
    Install and protect network cabling. CC ID 08624 Physical and Environmental Protection Preventive
    Control physical access to network cables. CC ID 00723 Process or Activity Preventive
    Install and protect fiber optic cable, as necessary. CC ID 08625 Physical and Environmental Protection Preventive
    Restrict fiber optic cables to carry only specific security classification traffic. CC ID 08628 Physical and Environmental Protection Preventive
    Restrict the length of fiber optic flying leads to 5 meters. CC ID 08639 Physical and Environmental Protection Detective
    Label fiber optic flying leads according to security classification of data being carried over the fiber optic cables. CC ID 08640 Physical and Environmental Protection Preventive
    Install network cable in a way that allows ease of inspection. CC ID 08626 Physical and Environmental Protection Preventive
    Inspect network cabling at distances determined by security classification. CC ID 08644 Physical and Environmental Protection Detective
    Bundle network cables together at each inspection point by security classification of data being carried over that cable. CC ID 08649 Physical and Environmental Protection Preventive
    Establish and maintain security classifications for network cabling. CC ID 08627 Establish/Maintain Documentation Preventive
    Label conduit according to security classification of data being carried over the network cable inside the conduit. CC ID 08630 Physical and Environmental Protection Preventive
    Label each end of a network cable run. CC ID 08632 Physical and Environmental Protection Preventive
    Terminate approved network cables on the patch panel. CC ID 08633 Physical and Environmental Protection Preventive
    Establish and maintain documentation for network cabling schemes. CC ID 08641 Establish/Maintain Documentation Preventive
    Prevent installing network cabling inside walls shared with third parties. CC ID 08648 Physical and Environmental Protection Preventive
    Install network cabling specifically for maintenance purposes. CC ID 10613 Physical and Environmental Protection Preventive
    Install and maintain network jacks and outlet boxes. CC ID 08635 Physical and Environmental Protection Preventive
    Implement physical controls to restrict access to publicly accessible network jacks. CC ID 11989 Physical and Environmental Protection Preventive
    Label network cabling outlet boxes. CC ID 08631 Physical and Environmental Protection Preventive
    Enable network jacks at the patch panel, as necessary. CC ID 06305 Configuration Preventive
    Implement logical controls to enable network jacks, as necessary. CC ID 11934 Physical and Environmental Protection Preventive
    Identify network jacks by security classification according to security classification of data being carried over the cable. CC ID 08634 Physical and Environmental Protection Preventive
    Identify network cable faceplates by security classification according to security classification of data being carried over the cable. CC ID 08643 Physical and Environmental Protection Preventive
    Install and maintain network patch panels. CC ID 08636 Physical and Environmental Protection Preventive
    Separate network patch panels in different network cabinets according to security classification of data being carried over the cables. CC ID 08637 Physical and Environmental Protection Preventive
    Assign access to network patch panels on a need-to-know basis. CC ID 08638 Physical and Environmental Protection Preventive
    Encase network cabling in conduit or closed cable reticulation systems, as necessary. CC ID 08647 Physical and Environmental Protection Preventive
    Install conduit on walls connecting to network cable outlet boxes, as necessary. CC ID 08646 Physical and Environmental Protection Preventive
    Seal data conduit couplings and data conduit fitting bodies. CC ID 08629 Physical and Environmental Protection Preventive
    Install cable reticulation systems as close to the network cabinets as possible. CC ID 08642 Physical and Environmental Protection Preventive
    Partition cable bundles in cable reticulation systems by security classification of data being carried over the network cable. CC ID 08645 Physical and Environmental Protection Preventive
  • Privacy protection for information and data
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Privacy protection for information and data CC ID 00008 IT Impact Zone IT Impact Zone
    Establish and maintain a privacy framework that protects restricted data. CC ID 11850 [{security controls} Allocate security and privacy controls to the system and to the environment of operation. TASK S-3] Establish/Maintain Documentation Preventive
    Establish and maintain a personal data transparency and openness program. CC ID 00375 Data and Information Management Preventive
    Establish and maintain privacy notices, as necessary. CC ID 13443 Establish/Maintain Documentation Preventive
    Include the purpose of the privacy notice in the privacy notice. CC ID 13526 Establish/Maintain Documentation Preventive
    Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503 Establish/Maintain Documentation Preventive
    Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 Establish/Maintain Documentation Preventive
    Include instructions on how to opt out of personal data disclosure in the privacy notice. CC ID 13461 Establish/Maintain Documentation Preventive
    Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459 Establish/Maintain Documentation Preventive
    Include the organization's policies, standards, and procedures in the privacy notice. CC ID 13455 Establish/Maintain Documentation Preventive
    Include the organization's privacy framework in the privacy notice, as necessary. CC ID 13456 Establish/Maintain Documentation Preventive
    Include the personal data collection categories in the privacy notice. CC ID 13457 Establish/Maintain Documentation Preventive
    Include disclosure exceptions in the privacy notice. CC ID 13447 Establish/Maintain Documentation Preventive
    Include the types of personal data disclosed in the privacy notice. CC ID 13446 Establish/Maintain Documentation Preventive
    Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458 Establish/Maintain Documentation Preventive
    Specify the time frame that notice will be given. CC ID 00385 Establish/Maintain Documentation Preventive
    Combine privacy notices into a joint notification with suppliers, as necessary. CC ID 13468 Establish/Maintain Documentation Preventive
    Refrain from delivering privacy notices to data subjects, as necessary. CC ID 13445 Communicate Preventive
    Deliver privacy notices to data subjects, as necessary. CC ID 13444 Communicate Preventive
    Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464 Establish/Maintain Documentation Preventive
    Update and redeliver privacy notices, as necessary. CC ID 13474 Communicate Preventive
    Deliver privacy notices to third parties, as necessary. CC ID 13473 Communicate Preventive
    Establish and maintain short-form initial notifications of privacy notices that are clear and conspicuous. CC ID 13466 Establish/Maintain Documentation Preventive
    Include the organization's privacy framework in the short-form initial notification, as necessary. CC ID 13472 Establish/Maintain Documentation Preventive
    Include the methodology for accessing the privacy notice in the short-form initial notification. CC ID 13471 Establish/Maintain Documentation Preventive
    Include that the privacy notice is available upon request in the short-form initial notification. CC ID 13470 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain opt-out notices, as necessary. CC ID 13448 Establish/Maintain Documentation Preventive
    Include how opt-out directions for joint consumers are treated in the opt-out notice. CC ID 13465 Establish/Maintain Documentation Preventive
    Include the opt-out method for data subjects in the opt-out notice. CC ID 13467 Establish/Maintain Documentation Preventive
    Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463 Establish/Maintain Documentation Preventive
    Explain the right to opt out in the opt-out notice. CC ID 13462 Establish/Maintain Documentation Preventive
    Include the organization's right to share personal data in the opt-out notice. CC ID 13450 Establish/Maintain Documentation Preventive
    Deliver opt-out notices, as necessary. CC ID 13449 Communicate Preventive
    Include an initial privacy notification when delivering the opt-out notice. CC ID 13453 Communicate Preventive
    Provide a copy of the organization's privacy program to statutory authorities, as necessary. CC ID 12376 Communicate Preventive
    Affirm adequate protection of personal data to applicable statutory authorities if the organization is not a member of a privacy program. CC ID 12372 Communicate Preventive
    Notify statutory authorities concerned with the privacy program of the cessation of the organization after being merged or acquired. CC ID 12391 Communicate Preventive
    Notify statutory authorities concerned with the privacy program if the surviving organization will continue in the privacy program. CC ID 12393 Communicate Preventive
    Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354 Communicate Preventive
    Provide the data subject with a notice of participation procedures. CC ID 06241 Establish/Maintain Documentation Preventive
    Deliver notices to the intended parties. CC ID 06240 Data and Information Management Preventive
    Notify data subjects about their privacy rights. CC ID 12989 Communicate Preventive
    Disseminate and communicate the critical third party list with relevance to the privacy program to all affected parties. CC ID 12352 Communicate Preventive
    Require a data protection impact assessment when profiling the data subject. CC ID 12680 Process or Activity Detective
    Establish, implement, and maintain adequate openness procedures. CC ID 00377 Data and Information Management Preventive
    Provide public proof the organization participates in a privacy program. CC ID 12349 Communicate Preventive
    Publish a description of activities about processing personal data in an official register. CC ID 00379 Establish/Maintain Documentation Preventive
    Establish and maintain a records request manual. CC ID 00381 Establish/Maintain Documentation Preventive
    Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382 Establish/Maintain Documentation Preventive
    Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383 Behavior Preventive
    Define what is included in registration notices. CC ID 00386 Establish/Maintain Documentation Preventive
    Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387 Establish/Maintain Documentation Preventive
    Include a purpose specification description in the registration notice. CC ID 00388 Establish/Maintain Documentation Preventive
    Include the data subject category being processed in the registration notice. CC ID 00389 Establish/Maintain Documentation Preventive
    Include the time period for data processing in the registration notice. CC ID 00390 Establish/Maintain Documentation Preventive
    Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392 Establish/Maintain Documentation Preventive
    Provide legal authorities access to personal data, upon request. CC ID 06818 Data and Information Management Preventive
    Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609 Process or Activity Preventive
    Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618 Establish/Maintain Documentation Preventive
    Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394 Establish/Maintain Documentation Preventive
    Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398 Establish/Maintain Documentation Preventive
    Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588 Process or Activity Preventive
    Document the countries where personal data may be stored. CC ID 12750 Data and Information Management Preventive
    Protect the rights of students and their parents. CC ID 00222 Data and Information Management Preventive
    Refrain from allowing access rights to education records maintained by another educational institution. CC ID 13014 Technical Security Preventive
    Refrain from allowing students the right to inspect parents' financial records. CC ID 13025 Records Management Preventive
    Refrain from allowing students the right to inspect confidential letters and confidential letters of recommendation. CC ID 13019 Records Management Preventive
    Amend education records within a reasonable period after receiving a record amendment request. CC ID 12998 Records Management Corrective
    Decide whether to amend education records based on evidence presented during a hearing. CC ID 13020 Records Management Corrective
    Disseminate and communicate the annual notification of rights to both parents and students. CC ID 12996 Establish/Maintain Documentation Preventive
    Include the criteria for determining what constitutes a legitimate educational interest in the annual notification of rights. CC ID 13004 Establish/Maintain Documentation Preventive
    Include the criteria for determining what constitutes a school official in the annual notification of rights. CC ID 13003 Establish/Maintain Documentation Preventive
    Disclose educational data, as necessary. CC ID 00223 Data and Information Management Preventive
    Grant access to education records in support of educational program audits. CC ID 13032 Records Management Preventive
    Grant access to education records in support of external requirements. CC ID 13033 Records Management Preventive
    Disclose statements added to education records, as necessary. CC ID 12990 Communicate Preventive
    Obtain explicit consent from parents or students prior to using or disclosing educational data. CC ID 00220 Data and Information Management Preventive
    Disclose education records when written consent is received. CC ID 00224 Data and Information Management Preventive
    Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002 Establish/Maintain Documentation Preventive
    Specify the purpose of the disclosure in the written consent. CC ID 13001 Establish/Maintain Documentation Preventive
    Specify which education records may be disclosed in the written consent. CC ID 13000 Establish/Maintain Documentation Preventive
    Document the conditions when consent is not required to disclose educational data. CC ID 00225 Establish/Maintain Documentation Preventive
    Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005 Communicate Preventive
    Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023 Communicate Preventive
    Disclose educational data absent consent when it concerns sex offenders. CC ID 13013 Communicate Preventive
    Disclose educational data absent consent to other school officials. CC ID 00226 Data and Information Management Preventive
    Disclose educational data absent consent to another institution's school officials. CC ID 00227 Data and Information Management Preventive
    Disclose educational data absent consent in connection with financial aid. CC ID 00229 Data and Information Management Preventive
    Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230 Data and Information Management Preventive
    Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995 Communicate Preventive
    Disclose educational data absent consent to accrediting organizations. CC ID 00231 Data and Information Management Preventive
    Disclose educational data absent consent to a dependent student's parents. CC ID 00232 Data and Information Management Preventive
    Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233 Data and Information Management Preventive
    Disclose educational data absent consent for a health and safety emergency. CC ID 00234 Data and Information Management Preventive
    Disclose educational data absent consent when it is merely directory information. CC ID 00235 Data and Information Management Preventive
    Disclose educational data absent consent to a crime victim. CC ID 00236 Data and Information Management Preventive
    Record the health and safety threats of students when disclosing personal data. CC ID 12997 Establish/Maintain Documentation Preventive
    Refrain from providing information to the data subject, as necessary. CC ID 12625 Communicate Preventive
    Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651 Communicate Preventive
    Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645 Communicate Preventive
    Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634 Communicate Preventive
    Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633 Communicate Preventive
    Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632 Communicate Preventive
    Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631 Communicate Preventive
    Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 Communicate Preventive
    Refrain from providing information to the data subject when the data subject has the information. CC ID 12628 Communicate Preventive
    Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 Establish/Maintain Documentation Preventive
    Provide the data subject with the data retention period for personal data. CC ID 12587 Process or Activity Preventive
    Provide the data subject with the criteria used to determine the data retention period for personal data. CC ID 12589 Process or Activity Preventive
    Provide the data subject with the adequacy decision. CC ID 12586 Process or Activity Preventive
    Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. CC ID 12585 Process or Activity Preventive
    Provide the data subject with copies of the appropriate safeguards used to protect the privacy of personal data. CC ID 12608 Process or Activity Preventive
    Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 Data and Information Management Preventive
    Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 Business Processes Preventive
    Provide the data subject with the data protection officer's contact information. CC ID 12573 Business Processes Preventive
    Notify the data subject of the right to data portability. CC ID 12603 Process or Activity Preventive
    Provide the data subject with information about the right to erasure. CC ID 12602 Process or Activity Preventive
    Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 Establish/Maintain Documentation Preventive
    Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 Data and Information Management Preventive
    Include the names of individuals to whom personal data may be disclosed in the disclosure accounting record. CC ID 13027 Establish/Maintain Documentation Preventive
    Establish and maintain a disclosure accounting record. CC ID 13022 Establish/Maintain Documentation Preventive
    Include the official authorities that are allowed to disclose personal data absent consent in the disclosure accounting record. CC ID 13029 Establish/Maintain Documentation Preventive
    Include the legitimate interests for accessing personal data in the disclosure accounting record. CC ID 13028 Establish/Maintain Documentation Preventive
    Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 Establish/Maintain Documentation Preventive
    Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769 Establish/Maintain Documentation Preventive
    Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 Establish/Maintain Documentation Preventive
    Include the disclosure date in the disclosure accounting record. CC ID 07133 Establish/Maintain Documentation Preventive
    Include the disclosure recipient in the disclosure accounting record. CC ID 07134 Establish/Maintain Documentation Preventive
    Include the disclosure purpose in the disclosure accounting record. CC ID 07135 Establish/Maintain Documentation Preventive
    Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136 Establish/Maintain Documentation Preventive
    Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137 Establish/Maintain Documentation Preventive
    Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138 Establish/Maintain Documentation Preventive
    Include the research activity or research protocol in the disclosure accounting record. CC ID 07139 Establish/Maintain Documentation Preventive
    Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140 Establish/Maintain Documentation Preventive
    Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141 Establish/Maintain Documentation Preventive
    Provide shareholders with electronic messages regarding the shareholder meetings. CC ID 04586 Establish/Maintain Documentation Preventive
    Provide shareholders access to electronic messages via electronic means. CC ID 11855 Process or Activity Preventive
    Make telephone directory information available to the public. CC ID 08698 Establish/Maintain Documentation Preventive
    Display warning screens and confirmation screens for all payment transactions. CC ID 06409 Technical Security Preventive
    Define the acceptable data modifications before presenting the data to a data subject. CC ID 00400 Establish/Maintain Documentation Preventive
    Provide the data subject with information about the legitimate interests associated with personal data processing. CC ID 12614 Process or Activity Preventive
    Establish and maintain a privacy policy. CC ID 06281
    [{security plans} Review and approve the security and privacy plans for the system and the environment of operation. TASK S-6]
    Establish/Maintain Documentation Preventive
    Document privacy policies in clearly written and easily understood language. CC ID 00376 Establish/Maintain Documentation Detective
    Define what is included in the privacy policy. CC ID 00404 Establish/Maintain Documentation Preventive
    Define the information being collected in the privacy policy. CC ID 13115 Establish/Maintain Documentation Preventive
    Include the means by which information is collected in the privacy policy. CC ID 13114 Establish/Maintain Documentation Preventive
    Define which collection of information is voluntary and which is required in the privacy policy. CC ID 13110 Establish/Maintain Documentation Preventive
    Remove certification marks of privacy programs the organization is no longer a member of from the privacy policy. CC ID 12368 Establish/Maintain Documentation Corrective
    Include the consequences of refusing to provide required information in the privacy policy. CC ID 13111 Establish/Maintain Documentation Preventive
    Remove any privacy programs the organization is not a member of from the privacy policy. CC ID 12367 Establish/Maintain Documentation Corrective
    Include independent recourse mechanisms in the privacy policy, as necessary. CC ID 12366 Establish/Maintain Documentation Preventive
    Include the privacy programs the organization is a member of in the privacy policy. CC ID 12365 Establish/Maintain Documentation Preventive
    Include a complaint form in the privacy policy. CC ID 12364 Establish/Maintain Documentation Preventive
    Include the address where the files and hardware that support the data processing are located in the privacy policy. CC ID 00405 Establish/Maintain Documentation Preventive
    Include the processing purpose in the privacy policy. CC ID 00406 Establish/Maintain Documentation Preventive
    Include an overview of applicable information security controls in the privacy policy, as necessary. CC ID 13117
    [{security plans} Document the controls for the system and environment of operation in security and privacy plans. TASK S-4]
    Establish/Maintain Documentation Preventive
    Include the data subject categories being processed in the privacy policy. CC ID 00407 Establish/Maintain Documentation Preventive
    Define the retention period for collected information in the privacy policy. CC ID 13116 Establish/Maintain Documentation Preventive
    Include the time period for when the data processing will be carried out in the privacy policy. CC ID 00408 Establish/Maintain Documentation Preventive
    Include other organizations that personal data is being disclosed to in the privacy policy. CC ID 00409 Establish/Maintain Documentation Preventive
    Include how to gain access to personal data held by the organization in the privacy policy. CC ID 00410 Establish/Maintain Documentation Preventive
    Include instructions on how to opt out in the privacy policy. CC ID 00411 Establish/Maintain Documentation Preventive
    Include the privacy policy's Uniform Resource Locator in the privacy policy. CC ID 12363 Establish/Maintain Documentation Preventive
    Define the audit method used to assess the privacy program in the privacy policy. CC ID 12390 Establish/Maintain Documentation Preventive
    Post the privacy policy in an easily seen location. CC ID 00401 Establish/Maintain Documentation Preventive
    Define who will receive the privacy policy. CC ID 00402 Establish/Maintain Documentation Preventive
    Disseminate and communicate the privacy policy, as necessary. CC ID 13346 Communicate Preventive
    Update the privacy policy, as necessary. CC ID 06259
    [{security plan} {privacy plan} {risk assessment report} Update plans, assessment reports, and plans of action and milestones based on the results of the continuous monitoring process. TASK M-4]
    Establish/Maintain Documentation Preventive
    Notify interested personnel and affected parties when changes are made to the privacy policy. CC ID 06943 Behavior Preventive
    Document the notification of interested personnel and affected parties regarding privacy policy changes. CC ID 06944 Establish/Maintain Documentation Preventive
    Establish and maintain a personal data Choice and Consent program. CC ID 12569 Establish/Maintain Documentation Preventive
    Refrain from charging a fee to implement an opt-out request. CC ID 13877 Business Processes Preventive
    Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433 Establish/Maintain Documentation Preventive
    Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999 Establish/Maintain Documentation Preventive
    Include procedures for revoking authorization of consent to use personal data in the disclosure authorization. CC ID 13438 Establish/Maintain Documentation Preventive
    Include the recipients of the disclosed personal data in the disclosure authorization. CC ID 13440 Establish/Maintain Documentation Preventive
    Include the signature of the data subject and the signing date in the disclosure authorization. CC ID 13439 Establish/Maintain Documentation Preventive
    Include the identity of the data subject in the disclosure authorization form. CC ID 13436 Establish/Maintain Documentation Preventive
    Include the types of personal data to be disclosed in the disclosure authorization. CC ID 13442 Establish/Maintain Documentation Preventive
    Include how personal data will be used in the disclosure authorization. CC ID 13441 Establish/Maintain Documentation Preventive
    Include agreement termination information in the disclosure authorization. CC ID 13437 Establish/Maintain Documentation Preventive
    Offer incentives for consumers to opt in to provide their personal data to the organization. CC ID 13781 Business Processes Preventive
    Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 Business Processes Preventive
    Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 Data and Information Management Preventive
    Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 Business Processes Preventive
    Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 Business Processes Preventive
    Refrain from discriminating against data subjects who have refrained from granting an authorization of consent to use personal data. CC ID 13435 Human Resources Management Preventive
    Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 Business Processes Preventive
    Highlight the section regarding the data subject's consent from other sections in contracts and agreements. CC ID 13988 Establish/Maintain Documentation Preventive
    Collect and retain disclosure authorizations for each data subject. CC ID 13434 Records Management Preventive
    Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605 Data and Information Management Preventive
    Refrain from obtaining consent through deception. CC ID 13556 Data and Information Management Preventive
    Give individuals the ability to change the uses of their personal data. CC ID 00469 Data and Information Management Preventive
    Notify data subjects of the implications of withdrawing consent. CC ID 13551 Data and Information Management Preventive
    Establish, implement, and maintain a personal data accountability program. CC ID 13432 Establish/Maintain Documentation Preventive
    Assign ownership of the privacy program to the appropriate organizational role. CC ID 11848 Human Resources Management Preventive
    Require data controllers to be accountable for their actions. CC ID 00470 Establish Roles Preventive
    Bind data controllers to secrecy concerning the performance of their duties. CC ID 12610 Human Resources Management Preventive
    Notify the supervisory authority. CC ID 00472 Behavior Preventive
    Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 Process or Activity Preventive
    Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 Communicate Preventive
    Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 Communicate Corrective
    Cooperate with Data Protection Authorities. CC ID 06870 Data and Information Management Preventive
    Submit a safe harbor self-certification letter. CC ID 06871 Establish/Maintain Documentation Preventive
    Refrain from engaging other data processors absent written authorization from the data controller. CC ID 12647 Human Resources Management Preventive
    Establish and maintain Binding Corporate Rules for the international transfers of personal data. CC ID 12584 Establish/Maintain Documentation Preventive
    Include cooperation mechanisms with the supervisory authority in the Binding Corporate Rules. CC ID 12682 Establish/Maintain Documentation Preventive
    Include the tasks assigned to the role of data controller in the Binding Corporate Rules. CC ID 12612 Establish/Maintain Documentation Preventive
    Include data subject's rights in the Binding Corporate Rules. CC ID 12596 Establish/Maintain Documentation Preventive
    Include the means to exercise the data subject's rights in the Binding Corporate Rules. CC ID 12597 Establish/Maintain Documentation Preventive
    Include the organizational structure and contact information in the Binding Corporate Rules. CC ID 12595 Establish/Maintain Documentation Preventive
    Include the acceptance of liability for breaches of the binding corporate rules in the Binding Corporate Rules. CC ID 12594 Establish/Maintain Documentation Preventive
    Include the mechanisms for reporting legal requirements causing adverse effects on protecting personal data in the Binding Corporate Rules. CC ID 12620 Establish/Maintain Documentation Preventive
    Include provisions for providing information on the binding corporate rules to the data subject in the Binding Corporate Rules. CC ID 12593 Establish/Maintain Documentation Preventive
    Include reporting changes to the binding corporate rules in the Binding Corporate Rules. CC ID 12591 Establish/Maintain Documentation Preventive
    Include reporting changes of the binding corporate rules to the supervisory authority in the Binding Corporate Rules. CC ID 12592 Establish/Maintain Documentation Preventive
    Include complaint procedures in the Binding Corporate Rules. CC ID 12613 Establish/Maintain Documentation Preventive
    Include the data transfers in the Binding Corporate Rules. CC ID 12590 Establish/Maintain Documentation Preventive
    Include specifying the mechanisms for verifying compliance of the binding corporate rules in the Binding Corporate Rules. CC ID 12662 Establish/Maintain Documentation Preventive
    Include the identification of the countries in question for the data transfers in the Binding Corporate Rules. CC ID 12601 Establish/Maintain Documentation Preventive
    Include the type of data subjects affected by the data transfers in the Binding Corporate Rules. CC ID 12600 Establish/Maintain Documentation Preventive
    Include all pertinent data processing information for data transfers in the Binding Corporate Rules. CC ID 12599 Establish/Maintain Documentation Preventive
    Include the categories of personal data for data transfers in the Binding Corporate Rules. CC ID 12598 Establish/Maintain Documentation Preventive
    Include specifying the legally binding nature of the binding corporate rules in the Binding Corporate Rules. CC ID 12627 Establish/Maintain Documentation Preventive
    Include privacy awareness and training in the Binding Corporate Rules. CC ID 12626 Establish/Maintain Documentation Preventive
    Notify the data controller of any changes in data processors. CC ID 12648 Communicate Preventive
    Establish and maintain Data Processing Contracts, as necessary. CC ID 12650 Establish/Maintain Documentation Preventive
    Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 Establish/Maintain Documentation Preventive
    Include the stipulation of notifying the data controller of legal requirements prior to processing personal data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 Establish/Maintain Documentation Preventive
    Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 Establish/Maintain Documentation Preventive
    Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 Establish/Maintain Documentation Preventive
    Include the stipulation that Report on Compliance will be made available in the Data Processing Contract. CC ID 12678 Establish/Maintain Documentation Preventive
    Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 Establish/Maintain Documentation Preventive
    Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 Human Resources Management Preventive
    Include the stipulation that copies of personal data will be disposed of, unless retention is required by law, in the Data Processing Contract. CC ID 12670 Establish/Maintain Documentation Preventive
    Include the stipulation that personal data will be disposed of or returned to the data subject in the Data Processing Contract. CC ID 12669 Establish/Maintain Documentation Preventive
    Establish and maintain a personal data use limitation program. CC ID 13428 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 Establish/Maintain Documentation Preventive
    Display or print the least amount of personal data necessary. CC ID 04643 Data and Information Management Preventive
    Redact confidential information from public information, as necessary. CC ID 06872 Data and Information Management Preventive
    Notify the data subject of the collection purpose. CC ID 00095 Behavior Preventive
    Do not use personal data collected for research and statistics for other purposes. CC ID 00096 Data and Information Management Preventive
    Document the law that requires personal data to be collected. CC ID 00103 Establish/Maintain Documentation Preventive
    Notify the data subject of the consequences for not providing personal data. CC ID 00104 Behavior Preventive
    Notify the data subject of changes to personal data use. CC ID 00105 Behavior Preventive
    Establish, implement, and maintain personal data use change of purpose procedures. CC ID 00106 Establish/Maintain Documentation Preventive
    Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 Establish/Maintain Documentation Preventive
    Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 Establish/Maintain Documentation Preventive
    Obtain the data subject's consent when the personal data use changes. CC ID 11832 Behavior Preventive
    Document personal data that is disclosed for an acceptable secondary purpose. CC ID 00124 Establish/Maintain Documentation Preventive
    Dispose of media and personal data in a timely manner. CC ID 00125 Data and Information Management Preventive
    Refrain from destroying records being inspected or reviewed. CC ID 13015 Records Management Preventive
    Notify the data subject after their personal data is disposed of, as necessary. CC ID 13502 Communicate Preventive
    Establish and maintain personal data access procedures. CC ID 00414 Establish/Maintain Documentation Preventive
    Provide individuals with information about where their personal data was processed. CC ID 00415 Data and Information Management Preventive
    Provide individuals with information about the processing purpose of their personal data. CC ID 00416 Data and Information Management Preventive
    Provide individuals with information about disclosure of their personal data. CC ID 00417 Data and Information Management Preventive
    Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 Data and Information Management Preventive
    Provide assistance to data subjects in preparing personal data access requests. CC ID 13588 Data and Information Management Preventive
    Require personal data access requests to be in writing, unless the requester is unable. CC ID 00420 Establish/Maintain Documentation Preventive
    Define what is to be included in a personal data access request. CC ID 08699 Establish/Maintain Documentation Preventive
    Refrain from requiring data subjects to justify personal data access requests. CC ID 12394 Business Processes Preventive
    Respond to personal data access requests in a timely manner. CC ID 00421 Behavior Preventive
    Notify the individual of the reasons for delays in responding to personal data access requests. CC ID 00422 Behavior Detective
    Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 Behavior Detective
    Deliver the records described in the personal data access request, as necessary. CC ID 08701 Establish/Maintain Documentation Preventive
    Document the outcome of the personal data access request review procedure. CC ID 00455 Data and Information Management Preventive
    Establish and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 Establish/Maintain Documentation Preventive
    Submit personal data removal requests in writing. CC ID 11973 Records Management Preventive
    Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 Establish/Maintain Documentation Preventive
    Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 Records Management Corrective
    Notify third parties of personal data access requests that relate to the third party. CC ID 08703 Establish/Maintain Documentation Preventive
    Allow affected third parties to consent or object to a personal data access request. CC ID 08704 Process or Activity Preventive
    Establish and maintain personal data use limitation procedures. CC ID 00128 Establish/Maintain Documentation Preventive
    Disclose de-identified data, as necessary. CC ID 13034 Communicate Preventive
    Notify the data subject after personal data is used or disclosed. CC ID 06247 Behavior Preventive
    Refrain from processing personal data, as necessary. CC ID 12551 Records Management Preventive
    Refrain from processing personal data if the personal data is involved in a legal claim. CC ID 12668 Process or Activity Preventive
    Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778 Process or Activity Detective
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644 Process or Activity Preventive
    Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 Data and Information Management Preventive
    Refrain from processing personal data when it reveals trade union membership. CC ID 12583 Business Processes Preventive
    Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 Business Processes Preventive
    Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 Business Processes Preventive
    Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 Business Processes Preventive
    Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 Business Processes Preventive
    Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 Business Processes Preventive
    Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 Business Processes Preventive
    Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 Business Processes Preventive
    Refrain from processing personal data when it reveals political opinions. CC ID 12575 Business Processes Preventive
    Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 Business Processes Preventive
    Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 Process or Activity Preventive
    Establish and maintain a record of processing activities when processing personal data. CC ID 12636 Establish/Maintain Documentation Preventive
    Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378 Establish/Maintain Documentation Preventive
    Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377 Establish/Maintain Documentation Preventive
    Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376 Establish/Maintain Documentation Preventive
    Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375 Establish/Maintain Documentation Preventive
    Include the data protection officer's contact information in the record of processing activities. CC ID 12640 Records Management Preventive
    Include the data processor's contact information in the record of processing activities. CC ID 12657 Records Management Preventive
    Include the data processor's representative's contact information in the record of processing activities. CC ID 12658 Records Management Preventive
    Include a general description of the implemented security measures in the record of processing activities. CC ID 12641 Records Management Preventive
    Include a description of the data subject categories in the record of processing activities. CC ID 12659 Records Management Preventive
    Include the purpose of the personal data processing in the record of processing activities. CC ID 12663 Records Management Preventive
    Include the personal data processing categories in the record of processing activities. CC ID 12661 Records Management Preventive
    Include the time limits for erasing each data category in the record of processing activities. CC ID 12690 Records Management Preventive
    Include the data recipient categories to whom personal data has been or will be disclosed in the record of processing activities. CC ID 12664 Records Management Preventive
    Include a description of the personal data categories in the record of processing activities. CC ID 12660 Records Management Preventive
    Include the joint data controller's contact information in the record of processing activities. CC ID 12639 Records Management Preventive
    Include the data controller's representative's contact information in the record of processing activities. CC ID 12638 Records Management Preventive
    Include documentation of the transferee's safeguards for transferring personal data in the record of processing activities. CC ID 12643 Records Management Preventive
    Include the identification of transferees for transferring personal data in the record of processing activities. CC ID 12642 Records Management Preventive
    Include the data controller's contact information in the record of processing activities. CC ID 12637 Records Management Preventive
    Process personal data lawfully and carefully. CC ID 00086 Establish Roles Preventive
    Analyze requirements for processing personal data in contracts. CC ID 12550 Investigate Detective
    Implement technical controls that limit processing personal data for specific purposes. CC ID 12646 [{security plans} Implement the controls in the security and privacy plans. TASK I-1] Technical Security Preventive
    Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 Data and Information Management Preventive
    Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 Communicate Corrective
    Refrain from disclosing individually identifiable health information when in violation of territorial or federal law. CC ID 11966 Records Management Preventive
    Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 Establish/Maintain Documentation Preventive
    Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 Data and Information Management Preventive
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 Records Management Preventive
    Rely upon the warrant of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 Process or Activity Preventive
    Rely upon the warrant of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 Records Management Preventive
    Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 Data and Information Management Preventive
    Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 Establish/Maintain Documentation Preventive
    Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 Establish/Maintain Documentation Preventive
    Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 Data and Information Management Preventive
    Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 Establish/Maintain Documentation Preventive
    Define and implement valid authorization control requirements. CC ID 06258 Establish/Maintain Documentation Preventive
    Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 Data and Information Management Preventive
    Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 Data and Information Management Preventive
    Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 Data and Information Management Preventive
    Process personal data after the data subject has granted explicit consent. CC ID 00180 Data and Information Management Preventive
    Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 Data and Information Management Preventive
    Process personal data relating to criminal offenses when required by law. CC ID 00237 Data and Information Management Preventive
    Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 Data and Information Management Preventive
    Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 Data and Information Management Preventive
    Process personal data for statistical purposes or scientific purposes. CC ID 00256 Data and Information Management Preventive
    Process personal data when it is processed during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 Data and Information Management Preventive
    Process traffic data in a controlled manner. CC ID 00130 Data and Information Management Preventive
    Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 Data and Information Management Preventive
    Process personal data when it is publicly accessible. CC ID 00187 Data and Information Management Preventive
    Process personal data for direct marketing and other personalized mail programs. CC ID 00188 Data and Information Management Preventive
    Refrain from processing personal data for marketing or advertising to children. CC ID 14010 Business Processes Preventive
    Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 Communicate Corrective
    Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 Data and Information Management Preventive
    Process personal data for debt collection or benefit payments. CC ID 00190 Data and Information Management Preventive
    Process personal data in order to advance the public interest. CC ID 00191 Data and Information Management Preventive
    Process personal data for surveys, archives, or scientific research. CC ID 00192 Data and Information Management Preventive
    Process personal data for journalistic purposes. CC ID 00193 Data and Information Management Preventive
    Process personal data for academic purposes or religious purposes. CC ID 00194 Data and Information Management Preventive
    Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 Data and Information Management Preventive
    Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 Data and Information Management Preventive
    Follow legal obligations while processing personal data. CC ID 04794 Data and Information Management Preventive
    Start personal data processing only after the needed notifications are submitted. CC ID 04791 Data and Information Management Preventive
    Process personal data absent consent for specific and well-documented circumstances. CC ID 13537 Data and Information Management Preventive
    Process personal data absent consent in order to protect vital interests of the data subject. CC ID 14012 Process or Activity Preventive
    Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617 Data and Information Management Preventive
    Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615 Data and Information Management Preventive
    Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612 Data and Information Management Preventive
    Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611 Data and Information Management Preventive
    Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587 Data and Information Management Preventive
    Process personal data absent consent in order to perform a contract. CC ID 13586 Data and Information Management Preventive
    Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581 Data and Information Management Preventive
    Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580 Data and Information Management Preventive
    Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579 Data and Information Management Preventive
    Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 Data and Information Management Preventive
    Process personal data absent consent when it is needed by law. CC ID 13577 Data and Information Management Preventive
    Process personal data absent consent when it is from publicly available information. CC ID 13576 Data and Information Management Preventive
    Process personal data absent consent if its use is consistent with the purposes. CC ID 13575 Data and Information Management Preventive
    Process personal data absent consent when produced for business purposes. CC ID 13563 Data and Information Management Preventive
    Process personal data absent consent for handling insurance claims. CC ID 13561 Data and Information Management Preventive
    Process personal data absent consent if the information is contained in a witness statement. CC ID 13560 Data and Information Management Preventive
    Process personal data absent consent for life-threatening emergencies. CC ID 13558 Data and Information Management Preventive
    Process personal data absent consent for reasonable investigative purposes. CC ID 13557 Data and Information Management Preventive
    Notify the data subject before personal data is collected, used, or disclosed. CC ID 00132 Behavior Preventive
    Define security breach notification requirement exceptions. CC ID 04797 Establish/Maintain Documentation Preventive
    Refrain from disclosing a security breach if an investigation concludes none has occurred. CC ID 13086 Communicate Corrective
    Refrain from disclosing personal data absent consent of the individual or for defined exceptions. CC ID 11967 Records Management Preventive
    Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989 Communicate Corrective
    Disclose personal data when the data subject has given unambiguous and implicit consent. CC ID 00157 Data and Information Management Preventive
    Define what personal data is not required to be disclosed absent consent. CC ID 00134 Establish/Maintain Documentation Preventive
    Define the exceptions to disclosure absent consent. CC ID 00135 Establish/Maintain Documentation Preventive
    Disclose personal data when the data subject has consented and has the ability to opt out. CC ID 00158 Data and Information Management Detective
    Define opt-out exceptions for disclosing personal data. CC ID 00159 Establish/Maintain Documentation Preventive
    Define how a data subject may give consent. CC ID 00160 Establish/Maintain Documentation Preventive
    Disclose Personal Identification Numbers absent consent in order to update address information. CC ID 04793 Data and Information Management Preventive
    Disclose personal data absent consent when the law does not require consent. CC ID 00136 Data and Information Management Preventive
    Disclose personal data when a relevant connection exists between the data subject and the data controller's operations. CC ID 00137 Data and Information Management Preventive
    Disclose personal data absent consent if the disclosure with the consent or knowledge of the data subject would compromise the ability to prevent, detect, or suppress fraud. CC ID 13594 Data and Information Management Preventive
    Disclose personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13616 Data and Information Management Preventive
    Disclose personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13613 Data and Information Management Preventive
    Disclose personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13603 Data and Information Management Preventive
    Disclose personal data absent consent if disclosure is made a predetermined number of years after the death of the data subject. CC ID 13598 Data and Information Management Preventive
    Disclose personal data absent consent when disclosure is made a predetermined number of years after the information was created. CC ID 13597 Data and Information Management Preventive
    Disclose personal data absent consent if the data subject is notified of the disclosure. CC ID 13596 Data and Information Management Preventive
    Disclose personal data absent consent if it is necessary to identify an individual who is injured, ill, or deceased. CC ID 13595 Data and Information Management Preventive
    Disclose personal data absent consent if the disclosure is to a government institution. CC ID 13583 Data and Information Management Preventive
    Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593 Data and Information Management Preventive
    Disclose personal data absent consent to detect, suppress, or prevent fraud. CC ID 13592 Data and Information Management Preventive
    Disclose personal data absent consent for handling insurance claims. CC ID 13585 Data and Information Management Preventive
    Disclose personal data absent consent if the information is contained in a witness statement. CC ID 13584 Data and Information Management Preventive
    Disclose personal data absent consent if the data subject is believed to be a victim of financial abuse. CC ID 13555 Data and Information Management Preventive
    Disclose personal data absent consent to a government institution that has requested the information. CC ID 13582 Data and Information Management Preventive
    Disclose personal data absent consent if disclosure is to the next of kin or authorized representative. CC ID 13554 Data and Information Management Preventive
    Disclose personal data absent consent when it is for the data controller's legitimate interest or third party's legitimate interest and it prevails over individual rights. CC ID 00138 Data and Information Management Preventive
    Disclose personal data absent consent if the organization notifies the privacy commissioner before disclosing the information. CC ID 13553 Data and Information Management Preventive
    Disclose personal data absent consent if it is impracticable to obtain consent. CC ID 13552 Data and Information Management Preventive
    Disclose personal data absent consent in order to perform a contract. CC ID 00139 Data and Information Management Preventive
    Disclose personal data absent consent in order to assist Telecommunications Ombudsmen in resolving complaints. CC ID 00140 Data and Information Management Preventive
    Disclose personal data absent consent when the personal data is disclosed by calling an emergency service number. CC ID 00141 Data and Information Management Preventive
    Disclose personal data absent consent when the personal data prevents life-threatening emergencies to third parties. CC ID 00142 Data and Information Management Preventive
    Disclose personal data absent consent when the personal data preserves human life at sea. CC ID 00143 Data and Information Management Preventive
    Disclose personal data absent consent in order to process the personal data for public interests. CC ID 00144 Data and Information Management Preventive
    Disclose personal data for public interests absent consent in order to provide social work assistance services. CC ID 00145 Data and Information Management Preventive
    Disclose personal data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146 Data and Information Management Preventive
    Disclose personal data for public interests absent consent in order to protect historical records or archival records. CC ID 00147 Data and Information Management Preventive
    Disclose personal data absent consent for public economic interests. CC ID 00148 Data and Information Management Preventive
    Disclose personal data for public interests absent consent for National Security reasons. CC ID 00149 Data and Information Management Preventive
    Disclose personal data absent consent for journalistic purposes. CC ID 00150 Data and Information Management Preventive
    Disclose personal data absent consent when it is publicly accessible. CC ID 00151 Data and Information Management Preventive
    Disclose personal data absent consent when it is related to publicly available information. CC ID 00152 Data and Information Management Preventive
    Disclose publicly accessible personal data absent consent when the data subject has already published it. CC ID 00153 Data and Information Management Preventive
    Disclose personal data absent consent in order to protect the data subject's vital interests. CC ID 00154 Data and Information Management Preventive
    Disclose personal data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155 Data and Information Management Preventive
    Disclose personal data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161 Data and Information Management Preventive
    Disclose personal data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162 Establish/Maintain Documentation Detective
    Disclose personal data absent consent when it is needed by law. CC ID 00163 Data and Information Management Preventive
    Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796 Data and Information Management Preventive
    Disclose personal data absent consent when it is being disclosed to the data subject. CC ID 00164 Data and Information Management Preventive
    Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165 Data and Information Management Preventive
    Disclose personal data absent consent when the data subject or data owner is anonymous. CC ID 00166 Data and Information Management Preventive
    Disclose personal data absent consent when the disclosure concerns the data subject's products or services obtained from the organization. CC ID 13469 Communicate Preventive
    Establish and maintain personal data retention procedures. CC ID 00167 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain personal data disposition procedures. CC ID 13498 Establish/Maintain Documentation Preventive
    Capture personal data removal requests. CC ID 13507 Communicate Preventive
    Remove personal data from records after receiving a personal data removal request. CC ID 11972 Records Management Preventive
    Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 Process or Activity Preventive
    Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 Process or Activity Preventive
    Dispose of personal data removal requests, as necessary. CC ID 13512 Business Processes Preventive
    Limit the redisclosure and reuse of personal data. CC ID 00168 Data and Information Management Preventive
    Refrain from redisclosing or reusing personal data. CC ID 00169 Data and Information Management Preventive
    Document the exceptions for redisclosing personal data. CC ID 00170 Establish/Maintain Documentation Preventive
    Redisclose personal data when the data subject consents. CC ID 00171 Data and Information Management Preventive
    Redisclose personal data when it is for criminal law enforcement. CC ID 00172 Data and Information Management Preventive
    Redisclose personal data in order to protect public revenue. CC ID 00173 Data and Information Management Preventive
    Redisclose personal data in order to assist a Telecommunications Ombudsman. CC ID 00174 Data and Information Management Preventive
    Redisclose personal data in order to prevent a life-threatening emergency. CC ID 00175 Data and Information Management Preventive
    Redisclose personal data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176 Data and Information Management Preventive
    Redisclose personal data in order to preserve human life at sea. CC ID 00177 Data and Information Management Preventive
    Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 Data and Information Management Preventive
    Obtain parental consent in order to use or disclose children's data. CC ID 00198 Data and Information Management Preventive
    Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 Data and Information Management Preventive
    Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 Data and Information Management Preventive
    Process Personal Identification Numbers with consent. CC ID 00239 Data and Information Management Preventive
    Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 Behavior Preventive
    Obtain consent prior to selling a Personal Identification Number. CC ID 00240 Data and Information Management Preventive
    Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 Data and Information Management Preventive
    Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 Data and Information Management Preventive
    Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 Data and Information Management Preventive
    Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 Establish/Maintain Documentation Preventive
    Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 Data and Information Management Preventive
    Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 Data and Information Management Preventive
    Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 Data and Information Management Preventive
    Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 Data and Information Management Preventive
    Allow data subjects the ability to restrict the use and disclosure of personal data. CC ID 06821 Data and Information Management Preventive
    Establish and maintain personal data disclosure procedures. CC ID 00133 Establish/Maintain Documentation Preventive
    Review personal data disclosure requests. CC ID 07129 Data and Information Management Preventive
    Establish and maintain personal data request denial procedures. CC ID 00434 Establish/Maintain Documentation Preventive
    Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 Data and Information Management Preventive
    Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 Data and Information Management Preventive
    Include when the disclosure of personal data constitutes contempt of court or contempt of the House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 Data and Information Management Preventive
    Include disclosing personal data that would identify suppliers or breach an express promise of privacy or an implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 Data and Information Management Preventive
    Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 Data and Information Management Preventive
    Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 Data and Information Management Preventive
    Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 Data and Information Management Preventive
    Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 Data and Information Management Preventive
    Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 Data and Information Management Preventive
    Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 Process or Activity Preventive
    Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 Data and Information Management Preventive
    Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 Data and Information Management Preventive
    Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 Data and Information Management Preventive
    Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 Data and Information Management Detective
    Include personal data that is for protecting civil rights or others' freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 Data and Information Management Preventive
    Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 Data and Information Management Preventive
    Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 Data and Information Management Preventive
    Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 Data and Information Management Preventive
    Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 Data and Information Management Preventive
    Include disclosing personal data that would interfere with grievance proceedings or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 Data and Information Management Preventive
    Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 Data and Information Management Preventive
    Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 Data and Information Management Preventive
    Notify the individual of the reasons the personal data access request was refused. CC ID 00453 Data and Information Management Preventive
    Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 Communicate Preventive
    Notify individuals of their right to challenge a refusal to a personal data access request. CC ID 00454 Data and Information Management Preventive
    Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 Process or Activity Preventive
    Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 Data and Information Management Preventive
    Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 Data and Information Management Preventive
    Provide personal data in a reasonable time frame. CC ID 00429 Data and Information Management Preventive
    Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 Communicate Preventive
    Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 Data and Information Management Preventive
    Extend the time limit for providing personal data if it is impracticable to respond to the access request within the time limit. CC ID 13590 Data and Information Management Preventive
    Extend the time limit for providing personal data if it would unreasonably interfere with the organization's activities. CC ID 13589 Data and Information Management Preventive
    Provide personal data at a cost that is not excessive. CC ID 00430 Data and Information Management Preventive
    Provide personal data in a reasonable manner. CC ID 00431 Data and Information Management Preventive
    Provide personal data in a form that is intelligible. CC ID 00432 Data and Information Management Preventive
    Provide personal data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 Data and Information Management Preventive
    Provide personal data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 Data and Information Management Preventive
    Remove personal data about third parties before giving the data subject access to the information. CC ID 13601 Data and Information Management Preventive
    Document that a search for the personal data was conducted when the personal data cannot be found. CC ID 06953 Establish/Maintain Documentation Preventive
    Include cookie management in the privacy framework. CC ID 13809 Establish/Maintain Documentation Preventive
    Establish and maintain cookie management procedures. CC ID 13810 Establish/Maintain Documentation Preventive
    Establish and maintain a personal data collection program. CC ID 06487 Establish/Maintain Documentation Preventive
    Determine the financial impact for the unauthorized disclosure of privacy-related data and privacy-related information. CC ID 06488 Business Processes Detective
    Establish and maintain personal data collection limitation boundaries. CC ID 00507 Establish/Maintain Documentation Preventive
    Establish and maintain a personal data use policy. CC ID 00076 Establish/Maintain Documentation Preventive
    Use personal data for specified purposes. CC ID 11831 Data and Information Management Preventive
    Post the collection purpose. CC ID 00101 Establish/Maintain Documentation Preventive
    Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 Data and Information Management Preventive
    Document each individual's personal data collection consent preferences. CC ID 06945 Establish/Maintain Documentation Preventive
    Provide explicit consent that is clear and unambiguous. CC ID 00181 Data and Information Management Preventive
    Allow individuals to change their personal data collection consent preferences. CC ID 06946 Data and Information Management Preventive
    Adhere to each individual's personal data collection consent preferences. CC ID 06947 Data and Information Management Preventive
    Notify the data subject of the source of collected personal data. CC ID 00083 Behavior Preventive
    Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717 Data and Information Management Preventive
    Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718 Data and Information Management Preventive
    Establish and maintain a personal data definition. CC ID 00028 Establish/Maintain Documentation Preventive
    Include an individual's name in the personal data definition. CC ID 04710 Data and Information Management Preventive
    Include an individual's name combined with other personal data in the personal data definition. CC ID 04709 Data and Information Management Preventive
    Include a parent's legal surname prior to marriage in the personal data definition. CC ID 04686 Data and Information Management Preventive
    Include an individual's signature in the personal data definition. CC ID 04711 Data and Information Management Preventive
    Include an individual's date of birth in the personal data definition. CC ID 04770 Data and Information Management Preventive
    Include the number of children in the personal data definition. CC ID 13759 Establish/Maintain Documentation Preventive
    Include the individual's religion in the personal data definition. CC ID 13765 Establish/Maintain Documentation Preventive
    Include an individual's physical characteristics or description in the personal data definition. CC ID 04712 Data and Information Management Preventive
    Include an individual's biometric data in the personal data definition. CC ID 04698 Data and Information Management Preventive
    Include an individual's photographic image in the personal data definition. CC ID 04779 Data and Information Management Preventive
    Include an individual's fingerprints in the personal data definition. CC ID 04689 Data and Information Management Preventive
    Include an individual's address in the personal data definition. CC ID 04687 Data and Information Management Preventive
    Include an individual's telephone number in the personal data definition. CC ID 04688 Data and Information Management Preventive
    Include an individual's fax number in the personal data definition. CC ID 07120 Data and Information Management Preventive
    Include an individual's political party affiliation in the personal data definition. CC ID 13764 Establish/Maintain Documentation Preventive
    Include an individual's license plate number in the personal data definition. CC ID 13763 Establish/Maintain Documentation Preventive
    Include an individual's financial account number in the personal data definition. CC ID 04692 Data and Information Management Preventive
    Include an individual's account balances in the personal data definition. CC ID 13770 Establish/Maintain Documentation Preventive
    Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768 Data and Information Management Preventive
    Include an individual's electronic identification name or number in the personal data definition. CC ID 04694 Data and Information Management Preventive
    Include an individual's logon credentials in the personal data definition. CC ID 13771 Establish/Maintain Documentation Preventive
    Include an individual's Alien Registration Number in the personal data definition. CC ID 04743 Data and Information Management Preventive
    Include an individual's passport number in the personal data definition. CC ID 04713 Data and Information Management Preventive
    Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691 Data and Information Management Preventive
    Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690 Data and Information Management Preventive
    Include an individual's military identification number in the personal data definition. CC ID 13083 Establish/Maintain Documentation Preventive
    Include an individual's e-mail address in the personal data definition. CC ID 04696 Data and Information Management Preventive
    Include electronic signatures in the personal data definition. CC ID 04697 Data and Information Management Preventive
    Include an individual's payment card information in the personal data definition. CC ID 04751 Data and Information Management Preventive
    Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693 Data and Information Management Preventive
    Include an individual's payment card service code in the personal data definition. CC ID 04753 Data and Information Management Preventive
    Include an individual's payment card expiration date in the personal data definition. CC ID 04755 Data and Information Management Preventive
    Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825 Data and Information Management Preventive
    Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700 Data and Information Management Preventive
    Include an individual's medical history in the personal data definition. CC ID 04701 Data and Information Management Preventive
    Include an individual's medical treatment in the personal data definition. CC ID 04702 Data and Information Management Preventive
    Include an individual's medical diagnosis in the personal data definition. CC ID 04703 Data and Information Management Preventive
    Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704 Data and Information Management Preventive
    Include an individual's medical record numbers in the personal data definition. CC ID 07121 Data and Information Management Preventive
    Include an individual's health insurance information in the personal data definition. CC ID 04705 Data and Information Management Preventive
    Include an individual's health insurance policy number in the personal data definition. CC ID 04706 Data and Information Management Preventive
    Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707 Data and Information Management Preventive
    Include an individual's education information in the personal data definition. CC ID 04714 Data and Information Management Preventive
    Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122 Data and Information Management Preventive
    Include an individual's employment information in the personal data definition. CC ID 04715 Data and Information Management Preventive
    Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767 Data and Information Management Preventive
    Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763 Data and Information Management Preventive
    Include an individual's employment history in the personal data definition. CC ID 04716 Data and Information Management Preventive
    Include an individual's place of employment in the personal data definition. CC ID 04765 Data and Information Management Preventive
    Include an individual's Employee Identification Number in the personal data definition. CC ID 04766 Data and Information Management Preventive
    Include an individual's property information in the personal data definition. CC ID 04780 Data and Information Management Preventive
    Include an individual's property title in the personal data definition. CC ID 04781 Data and Information Management Preventive
    Include an individual's vehicle registration in the personal data definition. CC ID 04782 Data and Information Management Preventive
    Include hardware asset identification information in the personal data definition. CC ID 07123 Data and Information Management Preventive
    Include MAC addresses in the personal data definition. CC ID 04778 Data and Information Management Preventive
    Include Internet Protocol addresses in the personal data definition. CC ID 04777 Data and Information Management Preventive
    Include asset serial numbers in the personal data definition. CC ID 07124 Data and Information Management Preventive
    Include Uniform Resource Locators in the personal data definition. CC ID 07125 Data and Information Management Preventive
    Refrain from including publicly available information in the personal data definition. CC ID 13084 Establish/Maintain Documentation Preventive
    Define specially restricted data. CC ID 00037 Data and Information Management Preventive
    Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 Data and Information Management Preventive
    Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075 Data and Information Management Preventive
    Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080 Data and Information Management Preventive
    Implement a nondiscrimination principle. CC ID 00081 Data and Information Management Preventive
    Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799 Data and Information Management Preventive
    Preserve each individual's right to human dignity. CC ID 00082 Data and Information Management Preventive
    Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058 Data and Information Management Preventive
    Employ a Random Number Generator to create Personal Identification Numbers, as necessary. CC ID 13782 Technical Security Preventive
    Collect Personal Identification Numbers with the individual's consent. CC ID 00059 Data and Information Management Preventive
    Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061 Data and Information Management Preventive
    Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065 Data and Information Management Preventive
    Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792 Data and Information Management Preventive
    Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069 Behavior Preventive
    Manage health data collection. CC ID 00050 Data and Information Management Preventive
    Collect Individually Identifiable Health Information to provide health care services. CC ID 00052 Data and Information Management Preventive
    Collect Individually Identifiable Health Information when the law dictates. CC ID 00053 Data and Information Management Preventive
    Collect Individually Identifiable Health Information for research. CC ID 00054 Data and Information Management Preventive
    Remove personal data before disclosing health data. CC ID 00055 Data and Information Management Preventive
    Give special attention to collecting children's data. CC ID 00038 Data and Information Management Preventive
    Use simple understandable language to collect information from children. CC ID 00039 Behavior Preventive
    Notify parents of what information is collected from children. CC ID 00040 Establish/Maintain Documentation Preventive
    Obtain parental consent before collecting information from children. CC ID 00041 Data and Information Management Preventive
    Waive verifiable parental consent for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 Data and Information Management Preventive
    Waive verifiable parental consent for collecting information from children in order to request the parent's information to obtain consent. CC ID 00044 Data and Information Management Preventive
    Waive verifiable parental consent for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 Data and Information Management Preventive
    Waive verifiable parental consent for collecting information from children in order to protect the child's safety. CC ID 00046 Data and Information Management Preventive
    Waive verifiable parental consent for collecting information from children in order to take liability precautions. CC ID 00047 Data and Information Management Preventive
    Waive verifiable parental consent for collecting information from children in order to respond to a judicial process. CC ID 00048 Data and Information Management Preventive
    Waive verifiable parental consent for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 Data and Information Management Preventive
    Waive verifiable parental consent for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 Data and Information Management Preventive
    Establish, implement, and maintain a personal data collection policy. CC ID 00029 Establish/Maintain Documentation Preventive
    Collect personal data directly from the data subject. CC ID 00011 Data and Information Management Preventive
    Create and manage user account aliases to maintain pseudonymity. CC ID 04549 Data and Information Management Preventive
    Provide unlinkability for users and resources. CC ID 04550 Data and Information Management Preventive
    Provide unobservability of users and resources. CC ID 04551 Technical Security Preventive
    Confirm the data quality of personal data collected from third parties. CC ID 13510 Investigate Detective
    Collect personal data in a fair and lawful manner. CC ID 00010 Data and Information Management Preventive
    Collect personal data absent consent for specific and well-documented circumstances. CC ID 00013 Data and Information Management Preventive
    Collect personal data absent consent when the data collection is in the data subject's interests and consent cannot be obtained in a timely manner. CC ID 00014 Data and Information Management Preventive
    Collect personal data absent consent when consent compromises data accuracy. CC ID 00015 Data and Information Management Preventive
    Collect personal data absent consent in order to make a disclosure. CC ID 13550 Data and Information Management Preventive
    Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 Data and Information Management Preventive
    Collect personal data absent consent if collection is consistent with the purposes. CC ID 13548 Data and Information Management Preventive
    Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 Data and Information Management Preventive
    Collect personal data absent consent for handling insurance claims. CC ID 13543 Data and Information Management Preventive
    Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016 Data and Information Management Preventive
    Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 Data and Information Management Preventive
    Collect personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 Data and Information Management Preventive
    Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 Data and Information Management Preventive
    Collect personal data absent consent from publicly available information. CC ID 00019 Data and Information Management Preventive
    Collect personal data absent consent when needed by law. CC ID 00020 Data and Information Management Preventive
    Collect personal data absent consent when no potential harm can come to the data subject. CC ID 00021 Data and Information Management Preventive
    Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022 Data and Information Management Preventive
    Collect the minimum amount of personal data necessary. CC ID 00078 Data and Information Management Preventive
    Collect personal data in a proper information framework. CC ID 00009 Data and Information Management Preventive
    Collect and record personal data for specific, explicit, and legitimate purposes. CC ID 00027 Data and Information Management Preventive
    Collect personal data when an individual gives consent. CC ID 00030 Data and Information Management Preventive
    Collect personal data when required by law. CC ID 00031 Data and Information Management Preventive
    Collect personal data to prevent life-threatening emergencies. CC ID 00032 Data and Information Management Preventive
    Collect personal data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034 Data and Information Management Preventive
    Collect personal data for legal purposes. CC ID 00036 Data and Information Management Preventive
    Review the methods for collecting personal data, as necessary. CC ID 13511 Investigate Detective
    Provide the data subject with information about the data controller during the collection process. CC ID 00023 Establish/Maintain Documentation Preventive
    Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760 Communicate Preventive
    Provide the data subject with the data collector's name and contact information. CC ID 00024 Establish/Maintain Documentation Preventive
    Provide the data subject with the name of the data collector who will hold the collected personal data. CC ID 00025 Establish/Maintain Documentation Preventive
    Provide the data subject with the third party processor's contact information when the data controller is not processing the personal data. CC ID 00026 Establish/Maintain Documentation Preventive
    Establish and maintain a data handling program. CC ID 13427 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data handling policies. CC ID 00353 Establish/Maintain Documentation Preventive
    Establish and maintain data and information confidentiality policies. CC ID 00361 Establish/Maintain Documentation Preventive
    Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 Data and Information Management Preventive
    Protect electronic messaging information. CC ID 12022 Technical Security Preventive
    Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 Data and Information Management Preventive
    Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 Configuration Preventive
    Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 Testing Detective
    Store payment card data in secure chips, if possible. CC ID 13065 Configuration Preventive
    Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 Configuration Preventive
    Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 Technical Security Preventive
    Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 Data and Information Management Preventive
    Log the disclosure of personal data. CC ID 06628 Log Management Preventive
    Log the modification of personal data. CC ID 11844 Log Management Preventive
    Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 Technical Security Preventive
    Implement security measures to protect personal data. CC ID 13606 Technical Security Preventive
    Implement physical controls to protect personal data. CC ID 00355 Testing Preventive
    Limit data leakage. CC ID 00356 Data and Information Management Preventive
    Conduct personal data risk assessments. CC ID 00357 Testing Detective
    Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 Business Processes Preventive
    Establish and maintain suspicious document procedures. CC ID 04852 Establish/Maintain Documentation Detective
    Establish and maintain suspicious personal data procedures. CC ID 04853 Data and Information Management Detective
    Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 Data and Information Management Detective
    Establish and maintain suspicious user account activity procedures. CC ID 04854 Monitor and Evaluate Occurrences Detective
    Perform an identity check prior to approving an account change request. CC ID 13670 Investigate Detective
    Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 Behavior Detective
    Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 Data and Information Management Detective
    Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 Log Management Detective
    Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 Monitor and Evaluate Occurrences Corrective
    Log dates for account name changes or address changes. CC ID 04876 Log Management Detective
    Review accounts that are changed for additional user requests. CC ID 11846 Monitor and Evaluate Occurrences Detective
    Send change notices for change of address requests to the old address and the new address. CC ID 04877 Data and Information Management Detective
    Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 Acquisition/Sale of Assets or Services Preventive
    Search the Internet for evidence of data leakage. CC ID 10419 Process or Activity Detective
    Review monitored websites for data leakage. CC ID 10593 Monitor and Evaluate Occurrences Detective
    Establish and maintain caller identification controls. CC ID 04790 Establish/Maintain Documentation Preventive
    Establish and maintain de-identifying and re-identifying procedures. CC ID 07126 Data and Information Management Preventive
    Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 Data and Information Management Preventive
    Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 Data and Information Management Preventive
    Establish and maintain data handling procedures. CC ID 11756 Establish/Maintain Documentation Preventive
    Define personal data that falls under breach notification rules. CC ID 00800 Establish/Maintain Documentation Preventive
    Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 Data and Information Management Preventive
    Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 Data and Information Management Preventive
    Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 Data and Information Management Preventive
    Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 Data and Information Management Preventive
    Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 Data and Information Management Preventive
    Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 Data and Information Management Preventive
    Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 Data and Information Management Preventive
    Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 Data and Information Management Preventive
    Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 Data and Information Management Preventive
    Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 Data and Information Management Preventive
    Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 Data and Information Management Preventive
    Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 Data and Information Management Preventive
    Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 Data and Information Management Preventive
    Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 Data and Information Management Preventive
    Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 Data and Information Management Preventive
    Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 Data and Information Management Preventive
    Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 Data and Information Management Preventive
    Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 Data and Information Management Preventive
    Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 Data and Information Management Preventive
    Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 Data and Information Management Preventive
    Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 Data and Information Management Preventive
    Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 Data and Information Management Preventive
    Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 Data and Information Management Preventive
    Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 Data and Information Management Preventive
    Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 Data and Information Management Preventive
    Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 Data and Information Management Preventive
    Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 Data and Information Management Preventive
    Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 Data and Information Management Preventive
    Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 Data and Information Management Preventive
    Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 Data and Information Management Preventive
    Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 Data and Information Management Preventive
    Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 Data and Information Management Preventive
    Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 Data and Information Management Preventive
    Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 Data and Information Management Preventive
    Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 Data and Information Management Preventive
    Define an out of scope privacy breach. CC ID 04677 Establish/Maintain Documentation Preventive
    Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 Business Processes Preventive
    Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 Monitor and Evaluate Occurrences Preventive
    Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 Monitor and Evaluate Occurrences Preventive
    Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 Monitor and Evaluate Occurrences Preventive
    Conduct internal data processing audits. CC ID 00374 Testing Detective
    Establish and maintain a personal data transfer program. CC ID 00307 Establish/Maintain Documentation Preventive
    Obtain consent from an individual prior to transferring personal data. CC ID 06948 Data and Information Management Preventive
    Include procedures for transferring personal data from one data controller to another data controller in the personal data transfer program. CC ID 00351 Establish/Maintain Documentation Preventive
    Refrain from requiring independent recourse mechanisms when transferring personal data from one data controller to another data controller. CC ID 12528 Business Processes Preventive
    Notify data subjects when their personal data is transferred. CC ID 00352 Behavior Preventive
    Include procedures for transferring personal data to third parties in the personal data transfer program. CC ID 00333 Establish/Maintain Documentation Preventive
    Provide an adequate data protection level by the transferee prior to transferring personal data to another country. CC ID 00314 Data and Information Management Preventive
    Refrain from restricting personal data transfers to member states of the European Union. CC ID 00312 Data and Information Management Preventive
    Prohibit the transfer of personal data when security is inadequate. CC ID 00345 Data and Information Management Preventive
    Meet the use of limitation exceptions in order to transfer personal data. CC ID 00346 Data and Information Management Preventive
    Refrain from transferring past the first transfer. CC ID 00347 Data and Information Management Preventive
    Document transfer disagreements by the data subject in writing. CC ID 00348 Establish/Maintain Documentation Preventive
    Allow the data subject the right to object to the personal data transfer. CC ID 00349 Data and Information Management Preventive
    Follow the instructions of the data transferrer. CC ID 00334 Behavior Preventive
    Define the personal data transfer exceptions for transferring personal data to another country when adequate protection level standards are not met. CC ID 00315 Establish/Maintain Documentation Preventive
    Include publicly available information as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00316 Data and Information Management Preventive
    Include transfer agreements between data controllers and third parties when it is for the data subject's interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00317 Data and Information Management Preventive
    Include personal data for the health field and for treatment as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00318 Data and Information Management Preventive
    Include personal data for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00319 Data and Information Management Preventive
    Include personal data for important public interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00320 Data and Information Management Preventive
    Include consent by the data subject as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00321 Data and Information Management Preventive
    Include personal data used for a contract as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00322 Data and Information Management Preventive
    Include personal data for protecting the data subject or the data subject's interests, such as saving his/her life or providing healthcare as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00323 Data and Information Management Preventive
    Include personal data that is necessary to fulfill international law obligations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00324 Data and Information Management Preventive
    Include personal data used for legal investigations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00325 Data and Information Management Preventive
    Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00326 Data and Information Management Preventive
    Require transferees to implement adequate data protection levels for the personal data. CC ID 00335 Data and Information Management Preventive
    Refrain from requiring a contract between the data controller and trusted third parties when personal information is transferred. CC ID 12527 Business Processes Preventive
    Define the personal data transfer exceptions for transferring personal data to another organization when adequate protection level standards are not met. CC ID 00336 Establish/Maintain Documentation Preventive
    Include personal data that is publicly available information as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00337 Data and Information Management Preventive
    Include personal data that is used for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00338 Data and Information Management Preventive
    Include personal data that is used for important public interest as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00339 Data and Information Management Preventive
    Include consent by the data subject as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00340 Data and Information Management Preventive
    Include personal data that is used for a contract as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00341 Data and Information Management Preventive
    Include personal data that is used for protecting the data subject or the data subject's interests, such as providing healthcare or saving his/her life as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00342 Data and Information Management Preventive
    Include personal data that is used for a legal investigation as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00343 Data and Information Management Preventive
    Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00344 Data and Information Management Preventive
    Notify data subjects about organizational liability when transferring personal data to third parties. CC ID 12353 Communicate Preventive
    Notify the data subject of any personal data changes during the personal data transfer. CC ID 00350 Behavior Preventive
    Establish and maintain Internet interactivity data transfer procedures. CC ID 06949 Establish/Maintain Documentation Preventive
    Obtain consent prior to storing cookies on an individual's browser. CC ID 06950 Data and Information Management Preventive
    Obtain consent prior to downloading software to an individual's computer. CC ID 06951 Data and Information Management Preventive
    Refrain from installing software on an individual's computer unless acting in accordance with a court order. CC ID 14000 Process or Activity Preventive
    Remove or uninstall software from an individual's computer, as necessary. CC ID 13998 Process or Activity Preventive
    Remove or uninstall software from an individual's computer when consent is revoked. CC ID 13997 Process or Activity Preventive
    Obtain consent prior to tracking Internet traffic patterns or browsing history of an individual. CC ID 06961 Data and Information Management Preventive
    Establish and maintain a privacy impact assessment, as necessary. CC ID 13712 Establish/Maintain Documentation Preventive
    Review compliance with the organization's privacy objectives. CC ID 13490 Human Resources Management Detective
    [{security requirements} Allocate security and privacy requirements to the system and to the environment of operation. Task P-17
    {are acceptable} {security posture} Review the security and privacy posture of the system on an ongoing basis to determine whether the risk remains acceptable. Task M-6]
    Develop remedies and sanctions for privacy policy violations. CC ID 00474 Data and Information Management Preventive
    Implement procedures to file privacy rights violation complaints. CC ID 00476 Data and Information Management Corrective
    File privacy rights violation complaints in writing. CC ID 00477 Establish/Maintain Documentation Corrective
    Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478 Behavior Corrective
    File privacy rights violation complaints inside the mandate stipulated from the refusal. CC ID 00479 Behavior Corrective
    Change or destroy any personal data that is incorrect. CC ID 00462 Data and Information Management Corrective
    Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 Behavior Corrective
    Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 Data and Information Management Preventive
    Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 Data and Information Management Corrective
    Establish and maintain a privacy dispute resolution program. CC ID 12526 Establish/Maintain Documentation Preventive
    Include potential remedies in the privacy dispute resolution program. CC ID 12531 Establish/Maintain Documentation Preventive
    Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395 Establish/Maintain Documentation Preventive
    Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529 Establish/Maintain Documentation Preventive
    Document unresolved challenges. CC ID 13568 Establish/Maintain Documentation Preventive
    Establish and maintain an accuracy resolution policy. CC ID 00460 Establish/Maintain Documentation Preventive
    Notify individuals of their right to challenge personal data. CC ID 00457 Data and Information Management Preventive
    Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458 Data and Information Management Preventive
    Terminate an individual's restriction agreement under specific circumstances. CC ID 06260 Configuration Preventive
    Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798 Human Resources Management Preventive
    Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459 Data and Information Management Preventive
    Investigate the disputed accuracy of personal data. CC ID 00461 Data and Information Management Preventive
    Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466 Behavior Corrective
    Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 Behavior Corrective
    Notify third parties of unresolved challenges. CC ID 13559 Communicate Preventive
    Document disagreements as to whether personal data is complete and accurate. CC ID 06952 Establish/Maintain Documentation Preventive
    Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954 Establish/Maintain Documentation Preventive
    Order the cessation of data processing when a violation of the privacy policy is detected. CC ID 00475 Data and Information Management Corrective
    Investigate privacy rights violation complaints. CC ID 00480 Behavior Detective
    Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491 Behavior Detective
    Include the allegations against the organization in the notice of investigation. CC ID 13031 Establish/Maintain Documentation Preventive
    Investigate privacy rights violation complaints in private. CC ID 00492 Behavior Detective
    Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493 Behavior Detective
    Allow the complainant to appear before the commissioner and make a submission, orally or in writing, about the privacy rights violation complaint investigation before a decision adverse to the complainant is reached. CC ID 00494 Behavior Detective
    Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481 Behavior Preventive
    Determine not to investigate privacy rights violation complaints under certain conditions. CC ID 00482 Behavior Preventive
    Refrain from investigating a privacy rights violation complaint when the act or practice does not interfere with an individual's privacy. CC ID 00483 Behavior Preventive
    Refrain from investigating a privacy rights violation complaint when the complaint is created outside the stipulated time frame after the complainant became aware of it. CC ID 00484 Behavior Preventive
    Refrain from investigating a privacy rights violation complaint when the complaint is frivolous, vexatious, misconceived, or lacking in substance. CC ID 00485 Behavior Preventive
    Refrain from investigating a privacy rights violation complaint if the act or practice is subject to an application under another commonwealth law, state law, or territory law, and the complaint was or is being dealt with adequately under the law. CC ID 00486 Behavior Preventive
    Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487 Behavior Preventive
    Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488 Behavior Preventive
    Defer privacy rights violation complaint investigations when the Privacy Commissioner believes the data subject's interests would not be affected if the investigation or further investigation were deferred until the application was disposed of. CC ID 00489 Behavior Preventive
    Notify respondents after a privacy rights violation complaint investigation has been resolved. CC ID 13513 Communicate Corrective
    Create an investigative report in regards to a privacy rights violation complaint. CC ID 00495 Establish/Maintain Documentation Corrective
    Respond to an investigative report in regards to a privacy rights violation complaint. CC ID 00496 Behavior Corrective
    Define the available administrative remedies in regards to a privacy rights violation complaint. CC ID 00497 Establish/Maintain Documentation Detective
    Order the organization to change to be in compliance with applicable law. CC ID 00499 Behavior Corrective
    Order the organization to publish a notice with the corrections or actions taken. CC ID 00500 Behavior Corrective
    Award damages based on applicable law. CC ID 00501 Behavior Corrective
    Destroy personal data that breaches privacy after the privacy breach has been detected. CC ID 00503 Data and Information Management Corrective
    Define the organization's liability based on the applicable law. CC ID 00504 Establish/Maintain Documentation Preventive
    Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 Establish/Maintain Documentation Preventive
    Define the appeal process based on the applicable law. CC ID 00506 Establish/Maintain Documentation Preventive
    Provide notice of proposed penalties. CC ID 06216 Establish/Maintain Documentation Preventive
    Notify the public and other agencies after a penalty becomes final. CC ID 06217 Behavior Preventive
    Refrain from subjecting individuals to retaliation or intimidation after a complaint is created. CC ID 06218 Testing Detective
  • Records management
    5
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Records management CC ID 00902 IT Impact Zone IT Impact Zone
    Establish and maintain records management procedures used to manage organizational records. CC ID 11619 Establish/Maintain Documentation Preventive
    Review the information that the organization collects, processes, and stores, as necessary. CC ID 12988
    [Identify the types of information to be processed, stored, and transmitted by the system. TASK P-12]
    Business Processes Detective
    Review the information classification of the information that the organization collects, processes, and stores, as necessary. CC ID 13008 Process or Activity Detective
    Review the electronic storage media for the information the organization collects and processes. CC ID 13009 Process or Activity Detective
  • Systems design, build, and implementation
    58
    Systems design, build, and implementation CC ID 00989 IT Impact Zone IT Impact Zone
    Establish and maintain a System Development Life Cycle program. CC ID 11823
    [Identify and understand all stages of the information life cycle for each information type processed, stored, or transmitted by the system. TASK P-13]
    Systems Design, Build, and Implementation Preventive
    Perform a feasibility study for product requests. CC ID 06895 Acquisition/Sale of Assets or Services Preventive
    Prioritize opportunities to improve the product and service lifecycle process. CC ID 06898 Acquisition/Sale of Assets or Services Preventive
    Assign senior management to approve the cost benefit analysis in the feasibility study. CC ID 13069 Human Resources Management Preventive
    Update the system design, build, and implementation methodology to incorporate emerging standards. CC ID 07045 Establish/Maintain Documentation Preventive
    Include information security throughout the system development life cycle. CC ID 12042 Systems Design, Build, and Implementation Preventive
    Protect confidential information during the system development life cycle program. CC ID 13479 Data and Information Management Preventive
    Initiate the System Development Life Cycle planning phase. CC ID 06266 Systems Design, Build, and Implementation Preventive
    Establish and maintain system design requirements. CC ID 06618 Establish/Maintain Documentation Preventive
    Identify all stakeholders who may influence the System Development Life Cycle. CC ID 06922
    [Identify stakeholders who have an interest in the design, development, implementation, assessment, operation, maintenance, or disposal of the system. TASK P-9]
    Establish/Maintain Documentation Detective
    Document stakeholder requirements and how they influence system design requirements. CC ID 06925 Establish/Maintain Documentation Preventive
    Document legal requirements and how they influence system design requirements. CC ID 11793 Establish/Maintain Documentation Preventive
    Establish and maintain a system design project management framework. CC ID 00990 Establish/Maintain Documentation Preventive
    Analyze existing systems during preliminary investigations for system design projects. CC ID 01043
    [Document the characteristics of the system. TASK C-1]
    Testing Detective
    Identify existing systems during preliminary investigations for system design projects. CC ID 01044 Systems Design, Build, and Implementation Detective
    Analyze the proposed effects of modifications or additions on the existing systems during the preliminary investigation of system design projects. CC ID 01045 Systems Design, Build, and Implementation Detective
    Assess the continuity requirements during the planning and development stage for new products and services. CC ID 12779 Process or Activity Preventive
    Establish, implement, and maintain a system requirements specification. CC ID 01035 Systems Design, Build, and Implementation Preventive
    Include pertinent legal requirements in the system requirements specification. CC ID 01037 Systems Design, Build, and Implementation Detective
    Include privacy policy requirements in the system requirements specification. CC ID 01040
    [{security requirements} Define the security and privacy requirements for the system and the environment of operation. TASK P-15]
    Systems Design, Build, and Implementation Detective
    Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 Systems Design, Build, and Implementation Preventive
    Develop systems in accordance with the system design specifications and system design standards. CC ID 01094 Systems Design, Build, and Implementation Preventive
    Develop new products based on best practices. CC ID 01095 Systems Design, Build, and Implementation Preventive
    Establish and maintain a system design specification. CC ID 04557 Establish/Maintain Documentation Preventive
    Include security requirements in the system design specification. CC ID 06826
    [{security requirements} Define the security and privacy requirements for the system and the environment of operation. TASK P-15
    {security requirements} Allocate security and privacy requirements to the system and to the environment of operation. TASK P-17]
    Systems Design, Build, and Implementation Preventive
    Establish access control procedures for the test environment that match those of the production environment. CC ID 06793 Establish/Maintain Documentation Preventive
    Include anti-tamper technologies and anti-tamper techniques in the system design specification. CC ID 10639 Monitor and Evaluate Occurrences Detective
    Implement security controls when developing systems. CC ID 06270
    [{security controls} Allocate security and privacy controls to the system and to the environment of operation. TASK S-3]
    Systems Design, Build, and Implementation Preventive
    Analyze and minimize attack surfaces when developing systems. CC ID 06828 Systems Design, Build, and Implementation Preventive
    Implement a hardware security module, as necessary. CC ID 12222 Systems Design, Build, and Implementation Preventive
    Require dual authentication when switching out of PCI mode in the hardware security module. CC ID 12274 Systems Design, Build, and Implementation Preventive
    Include an indicator to designate when the hardware security module is in PCI mode. CC ID 12273 Systems Design, Build, and Implementation Preventive
    Design the random number generator to generate random numbers that are unpredictable. CC ID 12255 Systems Design, Build, and Implementation Preventive
    Design the hardware security module to enforce the separation between applications. CC ID 12254 Systems Design, Build, and Implementation Preventive
    Protect sensitive data when transiting sensitive services in the hardware security module. CC ID 12253 Systems Design, Build, and Implementation Preventive
    Design the hardware security module to automatically clear its internal buffers of sensitive information prior to reuse of the buffer. CC ID 12233 Systems Design, Build, and Implementation Preventive
    Design the hardware security module to automatically clear its internal buffers of sensitive information after it recovers from an error condition. CC ID 12252 Systems Design, Build, and Implementation Preventive
    Design the hardware security module to automatically clear its internal buffers of sensitive information when it has timed out. CC ID 12251 Systems Design, Build, and Implementation Preventive
    Design the hardware security module to erase sensitive data when compromised. CC ID 12275 Systems Design, Build, and Implementation Preventive
    Restrict key-usage information for cryptographic keys in the hardware security module. CC ID 12232 Systems Design, Build, and Implementation Preventive
    Prevent cryptographic keys in the hardware security module from making unauthorized changes to data. CC ID 12231 Systems Design, Build, and Implementation Preventive
    Include in the system documentation methodologies for authenticating the hardware security module. CC ID 12258 Establish/Maintain Documentation Preventive
    Protect sensitive information within the hardware security module from unauthorized changes. CC ID 12225 Systems Design, Build, and Implementation Preventive
    Prohibit sensitive functions from working outside of protected areas of the hardware security module. CC ID 12224 Systems Design, Build, and Implementation Preventive
    Establish and maintain an acceptable use policy for the hardware security module. CC ID 12247 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the acceptable use policy for the hardware security module. CC ID 12264 Establish/Maintain Documentation Preventive
    Include the environmental requirements in the acceptable use policy for the hardware security module. CC ID 12263 Establish/Maintain Documentation Preventive
    Include device identification in the acceptable use policy for the hardware security module. CC ID 12262 Establish/Maintain Documentation Preventive
    Include device functionality in the acceptable use policy for the hardware security module. CC ID 12261 Establish/Maintain Documentation Preventive
    Include administrative responsibilities in the acceptable use policy for the hardware security module. CC ID 12260 Establish/Maintain Documentation Preventive
    Install secret information into the hardware security module during manufacturing. CC ID 12249 Systems Design, Build, and Implementation Preventive
    Install secret information into the hardware security module so that it can only be verified by the initial-key-loading facility. CC ID 12272 Systems Design, Build, and Implementation Preventive
    Install secret information under dual control into the hardware security module. CC ID 12257 Systems Design, Build, and Implementation Preventive
    Initiate the System Development Life Cycle implementation phase. CC ID 06268 Systems Design, Build, and Implementation Preventive
    Establish and maintain a system implementation standard. CC ID 01111 Establish/Maintain Documentation Preventive
    Plan and document the Certification and Accreditation process. CC ID 11767 Establish/Maintain Documentation Preventive
    Submit the information system's security authorization package to the appropriate stakeholders, as necessary. CC ID 13987
    [Assemble the authorization package and submit the package to the authorizing official for an authorization decision. TASK R-1]
    Establish/Maintain Documentation Preventive
Common Controls and mandates by Type
64 Mandated Controls - bold    66 Implied Controls - italic    1449 Implementation

Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.

Number of Controls
1579 Total
  • Acquisition/Sale of Assets or Services
    5
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Transfer legal ownership of assets when the system is redeployed to a third party. CC ID 06698 Operational management Preventive
    Perform a feasibility study for product requests. CC ID 06895 Systems design, build, and implementation Preventive
    Prioritize opportunities to improve the product and service lifecycle process. CC ID 06898 Systems design, build, and implementation Preventive
    Acquire products or services. CC ID 11450 Acquisition or sale of facilities, technology, and services Preventive
    Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 Privacy protection for information and data Preventive
  • Actionable Reports or Measurements
    2
    Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 Audits and risk management Detective
    Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary. CC ID 00676
    [{security posture} Report the security and privacy posture of the system to the authorizing official and other organizational officials on an ongoing basis in accordance with the organizational continuous monitoring strategy. TASK M-5]
    Monitoring and measurement Corrective
  • Audits and Risk Management
    37
    Engage auditors who have adequate knowledge of the subject matter. CC ID 07102
    [Select the appropriate assessor or assessment team for the type of control assessment to be conducted. TASK A-1]
    Audits and risk management Preventive
    Audit in scope audit items and compliance documents as defined in the audit scope. CC ID 06730 Audits and risk management Preventive
    Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 Audits and risk management Detective
    Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 Audits and risk management Detective
    Observe processes to determine the effectiveness of in scope controls. CC ID 12155 Audits and risk management Detective
    Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 Audits and risk management Detective
    Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 Audits and risk management Detective
    Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443
    [Categorize the system and document the security categorization results. TASK C-2
    Prioritize organizational systems with the same impact level. TASK P-6]
    Audits and risk management Preventive
    Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 Audits and risk management Preventive
    Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 Audits and risk management Preventive
    Review the risk to the audit function when the audit personnel status changes. CC ID 01153 Audits and risk management Preventive
    Conduct external audits of the organization's risk assessment. CC ID 13308 Audits and risk management Detective
    Conduct external audits of the organization's risk assessment within any mandated timeframes. CC ID 13310 Audits and risk management Detective
    Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 Audits and risk management Preventive
    Conduct a Business Impact Analysis based on the risk assessment findings in the risk assessment report. CC ID 01147 Audits and risk management Detective
    Analyze and quantify the risks to in scope systems and information. CC ID 00701
    [Assess organization-wide security and privacy risk and update the risk assessment results on an ongoing basis. TASK P-3
    Determine if the risk from the operation or use of the information system or the provision or use of common controls is acceptable. TASK R-4
    Analyze and determine the risk from the operation or use of the system or the provision of common controls. TASK R-2]
    Audits and risk management Preventive
    Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 Audits and risk management Preventive
    Identify the material risks in the risk assessment report. CC ID 06482 Audits and risk management Preventive
    Assess the potential level of business impact risk associated with each business process. CC ID 06463 Audits and risk management Detective
    Assess the potential level of business impact risk associated with the business environment. CC ID 06464 Audits and risk management Detective
    Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 Audits and risk management Detective
    Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 Audits and risk management Detective
    Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 Audits and risk management Detective
    Assess the potential level of business impact risk associated with insider threats. CC ID 06468 Audits and risk management Detective
    Assess the potential level of business impact risk associated with external entities. CC ID 06469 Audits and risk management Detective
    Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 Audits and risk management Detective
    Prioritize and select controls based on the risk assessment findings. CC ID 00707
    [Select the controls for the system and the environment of operation. TASK S-1
    Tailor the controls selected for the system and the environment of operation. TASK S-2]
    Audits and risk management Preventive
    Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 Audits and risk management Preventive
    Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 Audits and risk management Preventive
    Identify the planned actions and controls that address high risk. CC ID 12835 Audits and risk management Preventive
    Identify the current actions and controls that address high risk. CC ID 12834 Audits and risk management Preventive
    Approve the risk treatment plan. CC ID 13495 Audits and risk management Preventive
    Address operational anomalies within the incident management system. CC ID 11633 Monitoring and measurement Preventive
    Incorporate an Identity Theft Prevention Program into the organization's incident management system. CC ID 11634 Monitoring and measurement Preventive
    Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424 Monitoring and measurement Preventive
    Verify segmentation controls are operational and effective. CC ID 12545 Monitoring and measurement Detective
    Conduct external audits of the organization's physical security plan. CC ID 13314 Physical and environmental protection Detective
  • Behavior
    70
    Take into account the need for protecting information confidentiality during infrastructure planning. CC ID 06486 Leadership and high level objectives Preventive
    Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 Audits and risk management Preventive
    Protect each person's right to privacy and civil liberties during intrusion management operations. CC ID 10035 Monitoring and measurement Preventive
    Do not intercept communications of any kind when providing a service to clients. CC ID 09985 Monitoring and measurement Preventive
    Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 Monitoring and measurement Preventive
    Establish and maintain testing programs, as necessary. CC ID 00654 Monitoring and measurement Preventive
    Establish, implement, and maintain a penetration test program. CC ID 01105 Monitoring and measurement Preventive
    Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 Monitoring and measurement Corrective
    Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 Physical and environmental protection Preventive
    Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 Physical and environmental protection Preventive
    Manage constituent identification inside the facility. CC ID 02215 Physical and environmental protection Preventive
    Issue visitor identification badges to all non-employees. CC ID 00543 Physical and environmental protection Preventive
    Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 Physical and environmental protection Preventive
    Require all visitors to sign out of the visitor log before the exit of a visitor from the facility. CC ID 06649 Physical and environmental protection Preventive
    Refrain from search and seizure inside organizational facilities absent a warrant. CC ID 09980 Physical and environmental protection Preventive
    Disallow either search or seizure of any person inside organizational facilities absent a warrant. CC ID 09981 Physical and environmental protection Preventive
    Disallow inspecting computers or searching computer records inside organizational facilities absent a warrant. CC ID 09983 Physical and environmental protection Preventive
    Do nothing to help during a search and seizure inside organizational facilities absent a warrant and being legally compelled to assist. CC ID 09984 Physical and environmental protection Preventive
    Require removable storage media be in the custody of an authorized individual. CC ID 12319 Physical and environmental protection Preventive
    Request the return of all appropriate assets upon notification of a personnel status change. CC ID 06678 Physical and environmental protection Preventive
    Require the return of all assets upon notification an individual is terminated. CC ID 06679 Physical and environmental protection Preventive
    Prohibit usage of cell phones near restricted data or restricted information, absent authorization. CC ID 06354 Physical and environmental protection Preventive
    Prohibit mobile device usage near restricted data or restricted information, absent authorization. CC ID 04597 Physical and environmental protection Preventive
    Prohibit the use of computers with camera capability near restricted data or restricted information, absent authorization. CC ID 04598 Physical and environmental protection Preventive
    Notify customers about payment card usage security measures. CC ID 06407 Physical and environmental protection Preventive
    Notify organizational unit leaders prior to when the system is redeployed or the system is disposed. CC ID 06400 Operational management Preventive
    Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383 Privacy protection for information and data Preventive
    Notify interested personnel and affected parties when changes are made to the privacy policy. CC ID 06943 Privacy protection for information and data Preventive
    Notify the supervisory authority. CC ID 00472 Privacy protection for information and data Preventive
    Notify the data subject of the collection purpose. CC ID 00095 Privacy protection for information and data Preventive
    Notify the data subject of the consequences for not providing personal data. CC ID 00104 Privacy protection for information and data Preventive
    Notify the data subject of changes to personal data use. CC ID 00105 Privacy protection for information and data Preventive
    Obtain the data subject's consent when the personal data use changes. CC ID 11832 Privacy protection for information and data Preventive
    Respond to personal data access requests in a timely manner. CC ID 00421 Privacy protection for information and data Preventive
    Notify the individual of the reasons for delays in responding to personal data access requests. CC ID 00422 Privacy protection for information and data Detective
    Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 Privacy protection for information and data Detective
    Notify the data subject after personal data is used or disclosed. CC ID 06247 Privacy protection for information and data Preventive
    Notify the data subject before personal data is collected, used, or disclosed. CC ID 00132 Privacy protection for information and data Preventive
    Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 Privacy protection for information and data Preventive
    Notify the data subject of the source of collected personal data. CC ID 00083 Privacy protection for information and data Preventive
    Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069 Privacy protection for information and data Preventive
    Use simple understandable language to collect information from children. CC ID 00039 Privacy protection for information and data Preventive
    Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 Privacy protection for information and data Detective
    Notify data subjects when their personal data is transferred. CC ID 00352 Privacy protection for information and data Preventive
    Follow the instructions of the data transferrer. CC ID 00334 Privacy protection for information and data Preventive
    Notify the data subject of any personal data changes during the personal data transfer. CC ID 00350 Privacy protection for information and data Preventive
    Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478 Privacy protection for information and data Corrective
    File privacy rights violation complaints within the stipulated period following the refusal. CC ID 00479 Privacy protection for information and data Corrective
    Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 Privacy protection for information and data Corrective
    Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466 Privacy protection for information and data Corrective
    Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 Privacy protection for information and data Corrective
    Investigate privacy rights violation complaints. CC ID 00480 Privacy protection for information and data Detective
    Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491 Privacy protection for information and data Detective
    Investigate privacy rights violation complaints in private. CC ID 00492 Privacy protection for information and data Detective
    Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493 Privacy protection for information and data Detective
    Allow the complainant to appear before the commissioner and make a submission, orally or in writing, about the privacy rights violation complaint investigation before a decision adverse to the complainant is reached. CC ID 00494 Privacy protection for information and data Detective
    Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481 Privacy protection for information and data Preventive
    Determine not to investigate privacy rights violation complaints under certain conditions. CC ID 00482 Privacy protection for information and data Preventive
    Refrain from investigating a privacy rights violation complaint when the act or practice does not interfere with an individual's privacy. CC ID 00483 Privacy protection for information and data Preventive
    Refrain from investigating a privacy rights violation complaint when the complaint is created outside the stipulated time frame after the complainant became aware of it. CC ID 00484 Privacy protection for information and data Preventive
    Refrain from investigating a privacy rights violation complaint when the complaint is frivolous, vexatious, misconceived, or lacking in substance. CC ID 00485 Privacy protection for information and data Preventive
    Refrain from investigating a privacy rights violation complaint if the act or practice is subject to an application under another commonwealth law, state law, or territory law, and the complaint was or is being dealt with adequately under the law. CC ID 00486 Privacy protection for information and data Preventive
    Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487 Privacy protection for information and data Preventive
    Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488 Privacy protection for information and data Preventive
    Defer privacy rights violation complaint investigations when the Privacy Commissioner believes the data subject's interests would not be affected if the investigation or further investigation were deferred until the application was disposed of. CC ID 00489 Privacy protection for information and data Preventive
    Respond to an investigative report in regards to a privacy rights violation complaint. CC ID 00496 Privacy protection for information and data Corrective
    Order the organization to make the changes needed to comply with applicable law. CC ID 00499 Privacy protection for information and data Corrective
    Order the organization to publish a notice with the corrections or actions taken. CC ID 00500 Privacy protection for information and data Corrective
    Award damages based on applicable law. CC ID 00501 Privacy protection for information and data Corrective
    Notify the public and other agencies after a penalty becomes final. CC ID 06217 Privacy protection for information and data Preventive
  • Business Processes (50)
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Analyze the business environment in which the organization operates. CC ID 12798 Leadership and high level objectives Preventive
    Analyze the external environment in which the organization operates. CC ID 12799 Leadership and high level objectives Preventive
    Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688
    [Identify assets that require protection. TASK P-10]
    Leadership and high level objectives Preventive
    Accept the attestation engagement when all preconditions are met. CC ID 13933 Audits and risk management Preventive
    Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 Audits and risk management Preventive
    Evaluate the cyber insurance market. CC ID 12695 Audits and risk management Preventive
    Evaluate the usefulness of cyber insurance to the organization. CC ID 12694 Audits and risk management Preventive
    Acquire cyber insurance, as necessary. CC ID 12693 Audits and risk management Preventive
    Address operational anomalies within the problem management system. CC ID 00589 Monitoring and measurement Detective
    Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 Monitoring and measurement Preventive
    Disallow copying or excerpting from documents, books, or records that are on or in the premises of an organizational facility absent a warrant. CC ID 09982 Physical and environmental protection Preventive
    Transport restricted media using a delivery method that can be tracked. CC ID 11777 Physical and environmental protection Preventive
    Refrain from distributing returned cards to staff with the responsibility for payment card issuance. CC ID 13572 Physical and environmental protection Preventive
    Activate payment cards sent to customers upon receiving instructions to activate the payment card. CC ID 13052 Physical and environmental protection Preventive
    Establish and maintain a baseline of internal controls. CC ID 12415
    [Establish, document, and publish organizationally-tailored control baselines and/or Cybersecurity Framework Profiles. TASK P-4
    {security control inheritance} Identify, document, and publish organization-wide common controls that are available for inheritance by organizational systems. TASK P-5]
    Operational management Preventive
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Operational management Preventive
    Review systems for compliance with organizational information security policies. CC ID 12004
    [{are acceptable} {security posture} Review the security and privacy posture of the system on an ongoing basis to determine whether the risk remains acceptable. TASK M-6]
    Operational management Preventive
    Establish and maintain an Asset Management program. CC ID 06630 Operational management Preventive
    Dispose of hardware and software at their life cycle end. CC ID 06278
    [Implement a system disposal strategy and execute required actions when a system is removed from operation. TASK M-7]
    Operational management Preventive
    Refrain from placing assets being disposed into organizational dumpsters. CC ID 12200 Operational management Preventive
    Remove asset tags prior to disposal of an asset. CC ID 12198 Operational management Preventive
    Establish and maintain a customer service business function. CC ID 00847
    [Identify the missions, business functions, and mission/business processes that the system is intended to support. TASK P-8]
    Operational management Preventive
    Review the information that the organization collects, processes, and stores, as necessary. CC ID 12988
    [Identify the types of information to be processed, stored, and transmitted by the system. TASK P-12]
    Records management Detective
    Register new systems with the program office or other applicable stakeholder. CC ID 13986
    [{program offices} Register the system with organizational program or management offices. TASK P-18]
    Acquisition or sale of facilities, technology, and services Preventive
    Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 Privacy protection for information and data Preventive
    Provide the data subject with the data protection officer's contact information. CC ID 12573 Privacy protection for information and data Preventive
    Refrain from charging a fee to implement an opt-out request. CC ID 13877 Privacy protection for information and data Preventive
    Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781 Privacy protection for information and data Preventive
    Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 Privacy protection for information and data Preventive
    Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 Privacy protection for information and data Preventive
    Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 Privacy protection for information and data Preventive
    Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 Privacy protection for information and data Preventive
    Refrain from requiring data subjects to justify personal data access requests. CC ID 12394 Privacy protection for information and data Preventive
    Refrain from processing personal data when it reveals trade union membership. CC ID 12583 Privacy protection for information and data Preventive
    Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 Privacy protection for information and data Preventive
    Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 Privacy protection for information and data Preventive
    Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 Privacy protection for information and data Preventive
    Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 Privacy protection for information and data Preventive
    Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 Privacy protection for information and data Preventive
    Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 Privacy protection for information and data Preventive
    Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 Privacy protection for information and data Preventive
    Refrain from processing personal data when it reveals political opinions. CC ID 12575 Privacy protection for information and data Preventive
    Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 Privacy protection for information and data Preventive
    Refrain from processing personal data for marketing or advertising to children. CC ID 14010 Privacy protection for information and data Preventive
    Dispose of personal data removal requests, as necessary. CC ID 13512 Privacy protection for information and data Preventive
    Determine the financial impact for the unauthorized disclosure of privacy-related data and privacy-related information. CC ID 06488 Privacy protection for information and data Detective
    Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 Privacy protection for information and data Preventive
    Treat personal data that is publicly available information as out of scope for a privacy breach. CC ID 04678 Privacy protection for information and data Preventive
    Refrain from requiring independent recourse mechanisms when transferring personal data from one data controller to another data controller. CC ID 12528 Privacy protection for information and data Preventive
    Refrain from requiring a contract between the data controller and trusted third parties when personal information is transferred. CC ID 12527 Privacy protection for information and data Preventive
  • Communicate (55)
    Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 Audits and risk management Preventive
    Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 Audits and risk management Preventive
    Disseminate and communicate information to customers about clock synchronization methods used by the organization, as necessary. CC ID 13044 Monitoring and measurement Preventive
    Disseminate and communicate monitoring capabilities to interested personnel and affected parties. CC ID 13156 Monitoring and measurement Preventive
    Disseminate and communicate statistics on resource usage to interested personnel and affected parties. CC ID 13155 Monitoring and measurement Preventive
    Notify the appropriate personnel after identifying dormant accounts. CC ID 12125 Monitoring and measurement Detective
    Report damaged property to interested personnel or affected parties. CC ID 13702 Physical and environmental protection Corrective
    Disseminate and communicate the Information Technology asset removal policy to interested personnel and affected parties. CC ID 13160 Physical and environmental protection Preventive
    Confirm the customer agrees with the resolution process associated with the complaint. CC ID 13630 Operational management Detective
    Refrain from delivering privacy notices to data subjects, as necessary. CC ID 13445 Privacy protection for information and data Preventive
    Deliver privacy notices to data subjects, as necessary. CC ID 13444 Privacy protection for information and data Preventive
    Update and redeliver privacy notices, as necessary. CC ID 13474 Privacy protection for information and data Preventive
    Deliver privacy notices to third parties, as necessary. CC ID 13473 Privacy protection for information and data Preventive
    Deliver opt-out notices, as necessary. CC ID 13449 Privacy protection for information and data Preventive
    Include an initial privacy notification when delivering the opt-out notice. CC ID 13453 Privacy protection for information and data Preventive
    Provide a copy of the organization's privacy program to statutory authorities, as necessary. CC ID 12376 Privacy protection for information and data Preventive
    Affirm adequate protection of personal data to applicable statutory authorities if the organization is not a member of a privacy program. CC ID 12372 Privacy protection for information and data Preventive
    Notify statutory authorities concerned with the privacy program of the cessation of the organization after being merged or acquired. CC ID 12391 Privacy protection for information and data Preventive
    Notify statutory authorities concerned with the privacy program if the surviving organization will continue in the privacy program. CC ID 12393 Privacy protection for information and data Preventive
    Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354 Privacy protection for information and data Preventive
    Notify data subjects about their privacy rights. CC ID 12989 Privacy protection for information and data Preventive
    Disseminate and communicate the critical third party list with relevance to the privacy program to all affected parties. CC ID 12352 Privacy protection for information and data Preventive
    Provide public proof the organization participates in a privacy program. CC ID 12349 Privacy protection for information and data Preventive
    Disclose statements added to education records, as necessary. CC ID 12990 Privacy protection for information and data Preventive
    Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005 Privacy protection for information and data Preventive
    Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023 Privacy protection for information and data Preventive
    Disclose educational data absent consent when it concerns sex offenders. CC ID 13013 Privacy protection for information and data Preventive
    Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject, as necessary. CC ID 12625 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when doing so proves impossible because the data is processed for statistical purposes. CC ID 12645 Privacy protection for information and data Preventive
    Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when doing so proves impossible because the data is processed for historical research purposes. CC ID 12633 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when doing so proves impossible because the data is processed for scientific research purposes. CC ID 12632 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when doing so proves impossible because the data is processed for archival purposes. CC ID 12631 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when the data subject has the information. CC ID 12628 Privacy protection for information and data Preventive
    Disseminate and communicate the privacy policy, as necessary. CC ID 13346 Privacy protection for information and data Preventive
    Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 Privacy protection for information and data Preventive
    Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 Privacy protection for information and data Corrective
    Notify the data controller of any changes in data processors. CC ID 12648 Privacy protection for information and data Preventive
    Notify the data subject after their personal data is disposed of, as necessary. CC ID 13502 Privacy protection for information and data Preventive
    Disclose de-identified data, as necessary. CC ID 13034 Privacy protection for information and data Preventive
    Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 Privacy protection for information and data Corrective
    Refrain from disseminating and communicating with individuals who have opted out of direct marketing communications. CC ID 13708 Privacy protection for information and data Corrective
    Refrain from disclosing a security breach if an investigation concludes none has occurred. CC ID 13086 Privacy protection for information and data Corrective
    Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989 Privacy protection for information and data Corrective
    Disclose personal data absent consent when the disclosure concerns the data subject's products or services obtained from the organization. CC ID 13469 Privacy protection for information and data Preventive
    Capture personal data removal requests. CC ID 13507 Privacy protection for information and data Preventive
    Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 Privacy protection for information and data Preventive
    Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 Privacy protection for information and data Preventive
    Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760 Privacy protection for information and data Preventive
    Notify data subjects about organizational liability when transferring personal data to third parties. CC ID 12353 Privacy protection for information and data Preventive
    Notify third parties of unresolved challenges. CC ID 13559 Privacy protection for information and data Preventive
    Notify respondents after a privacy rights violation complaint investigation has been resolved. CC ID 13513 Privacy protection for information and data Corrective
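    The dormant-account notification control (CC ID 12125) above is detective: it only works if something actually produces the list of idle accounts and hands it to the right people. The following is an added example, not code from the UCF report or from NIST SP 800-37, showing one way to do that. It parses a constructed account export (user, created date, last login or "never", enabled flag), flags enabled accounts idle past a threshold, treats never-used accounts separately, and renders the notification. The 90-day and 14-day thresholds and the recipient address are assumed policy values, and the report date is pinned so the output is reproducible.

```python
"""Dormant-account detection with a notification payload.

Added example, not part of the UCF report or NIST SP 800-37. Input records are
constructed (username, created date, last login or "never", enabled flag), and
the 90-day and 14-day thresholds are assumed policy values.
"""
from dataclasses import dataclass
from datetime import date, timedelta

DORMANT_AFTER = timedelta(days=90)      # assumed policy: idle this long => dormant
NEVER_USED_GRACE = timedelta(days=14)   # assumed policy: never-used accounts older than this
AS_OF = date(2024, 6, 1)                # fixed "now" so the report is reproducible

# Constructed sample export: user,created,last_login,enabled
SAMPLE_RECORDS = """\
# user,created,last_login,enabled
alice,2023-01-10,2024-05-01,true
bob,2023-01-10,2023-11-30,true
svc-backup,2022-06-01,2024-04-28,true
carol,2024-04-20,never,true
dave,2022-01-01,never,true
erin,2023-03-03,2023-09-09,false
"""


@dataclass(frozen=True)
class Finding:
    user: str
    reason: str
    idle_days: int


def parse_records(text: str) -> list[dict]:
    """Parse the CSV-like export; 'never' becomes None for last_login."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, created, last_login, enabled = (f.strip() for f in line.split(","))
        records.append({
            "user": user,
            "created": date.fromisoformat(created),
            "last_login": None if last_login == "never" else date.fromisoformat(last_login),
            "enabled": enabled.lower() == "true",
        })
    return records


def find_dormant(records: list[dict], as_of: date = AS_OF) -> list[Finding]:
    """Flag enabled accounts idle past the threshold, never-used ones included."""
    findings = []
    for rec in records:
        if not rec["enabled"]:
            continue  # already disabled: nothing to escalate
        if rec["last_login"] is None:
            idle = as_of - rec["created"]
            if idle > NEVER_USED_GRACE:
                findings.append(Finding(rec["user"], "never logged in", idle.days))
        else:
            idle = as_of - rec["last_login"]
            if idle > DORMANT_AFTER:
                findings.append(Finding(rec["user"], "no login within threshold", idle.days))
    # Longest-idle first so the reviewer sees the worst cases at the top
    return sorted(findings, key=lambda f: -f.idle_days)


def build_notification(findings: list[Finding], recipient: str) -> str:
    """Render the plain-text message sent to the approvers of the flagged accounts."""
    header = [f"To: {recipient}",
              f"Subject: {len(findings)} dormant account(s) require review", ""]
    body = [f"{f.user:<12} {f.reason:<26} idle {f.idle_days} days" for f in findings]
    return "\n".join(header + body)


if __name__ == "__main__":
    report = find_dormant(parse_records(SAMPLE_RECORDS))
    print(build_notification(report, "iam-admins@example.test"))
```

    Disabled accounts are skipped because they are already out of the control's scope; never-used accounts get a shorter grace period than active ones because an account that was provisioned and never touched is the classic sign of an unneeded credential. With the constructed data and the pinned date the report lists dave, bob and carol, in that order.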
  • Configuration (31)
    Protect continuous security management systems from unauthorized use. CC ID 13097 Monitoring and measurement Preventive
    Install and maintain an Intrusion Detection System and/or Intrusion Prevention System. CC ID 00581 Monitoring and measurement Preventive
    Document the event information to be logged in the event information log specification. CC ID 00639 Monitoring and measurement Preventive
    Enable and configure logging on all network access controls. CC ID 01963 Monitoring and measurement Preventive
    Synchronize system clocks to an accurate and universal time source on all devices that have logging enabled. CC ID 01340 Monitoring and measurement Preventive
    Centralize network time servers to as few as practical. CC ID 06308 Monitoring and measurement Preventive
    Deny network access to rogue devices until network access approval has been received. CC ID 11852 Monitoring and measurement Preventive
    Isolate rogue devices after a rogue device has been detected. CC ID 07061 Monitoring and measurement Corrective
    Update the vulnerability scanners' vulnerability list. CC ID 10634 Monitoring and measurement Corrective
    Test in scope systems for compliance with the Configuration Baseline Documentation Record. CC ID 12130 Monitoring and measurement Detective
    Disallow disabling tamper detection and response mechanisms, absent authorization. CC ID 12211 Physical and environmental protection Preventive
    Prevent security mechanisms from being compromised by adverse physical conditions. CC ID 12215 Physical and environmental protection Preventive
    Install doors so that exposed hinges are on the secured side. CC ID 06687 Physical and environmental protection Preventive
    Install emergency doors to permit egress only. CC ID 06688 Physical and environmental protection Preventive
    Install contact alarms on doors, as necessary. CC ID 06710 Physical and environmental protection Preventive
    Use locks with electronic authentication systems or cipher locks, as necessary. CC ID 06650 Physical and environmental protection Preventive
    Install contact alarms on openable windows, as necessary. CC ID 06690 Physical and environmental protection Preventive
    Install glass break alarms on windows, as necessary. CC ID 06691 Physical and environmental protection Preventive
    Configure video cameras to cover all physical entry points. CC ID 06302 Physical and environmental protection Preventive
    Configure video cameras to prevent physical tampering or disablement. CC ID 06303 Physical and environmental protection Preventive
    Design interior walls that provide security to extend from true floor to true ceiling. CC ID 06693 Physical and environmental protection Preventive
    Serialize all removable storage media. CC ID 00949 Physical and environmental protection Preventive
    Prohibit wireless technology usage near restricted data or restricted information, absent authorization. CC ID 08706 Physical and environmental protection Preventive
    Provide a physical disconnect of collaborative computing devices in a way that supports ease of use. CC ID 06769 Physical and environmental protection Preventive
    Enable network jacks at the patch panel, as necessary. CC ID 06305 Physical and environmental protection Preventive
    Establish and maintain a configuration change log. CC ID 08710 Operational management Detective
    Review the configuration change log. CC ID 11754 Operational management Detective
    Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 Privacy protection for information and data Preventive
    Store payment card data in secure chips, if possible. CC ID 13065 Privacy protection for information and data Preventive
    Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 Privacy protection for information and data Preventive
    Terminate an individual's restriction agreement under specific circumstances. CC ID 06260 Privacy protection for information and data Preventive
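    Three of the Configuration controls above fit together in practice: testing in-scope systems against the Configuration Baseline Documentation Record (CC ID 12130), keeping a configuration change log (CC ID 08710) and reviewing it (CC ID 11754). The following is an added example, not code from the UCF report or from NIST SP 800-37, showing the mechanics. It parses a constructed sshd_config-style file, compares it with a hypothetical baseline record, and appends one JSON-lines entry per deviation to a change log that a reviewer can later close out. The baseline keys and values, the host name and the log format are all assumptions for illustration.

```python
"""Configuration baseline check with an append-only change log.

Added example, not code from the UCF report or NIST SP 800-37. The baseline
record, the observed sshd_config-style text and the host name are all
constructed/hypothetical; the JSON-lines log format is an assumption.
"""
import json
from datetime import datetime, timezone

# Hypothetical Configuration Baseline Documentation Record for an SSH daemon.
# Every key must be present with exactly this value; an unset key is a finding
# even when the daemon default happens to match, so the baseline stays explicit.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "LogLevel": "VERBOSE",
    "MaxAuthTries": "4",
}

# Constructed observed configuration, as it might be pulled from a host.
OBSERVED_CONFIG = """\
# managed by config tool (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
LogLevel INFO
MaxAuthTries 4
"""


def parse_kv_config(text: str) -> dict:
    """Parse 'Key value' lines; blanks and comments are skipped, last occurrence wins."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            cfg[parts[0]] = parts[1].strip()
    return cfg


def check_baseline(observed: dict, baseline: dict) -> list[tuple]:
    """Return (key, expected, actual) for every baseline item the host violates."""
    deviations = []
    for key, expected in baseline.items():
        actual = observed.get(key, "<unset>")
        if actual != expected:
            deviations.append((key, expected, actual))
    return deviations


def record_deviations(deviations, host: str, log: list, when=None) -> int:
    """Append one JSON-lines entry per deviation to the change log; return the count."""
    stamp = (when or datetime.now(timezone.utc)).isoformat()
    for key, expected, actual in deviations:
        log.append(json.dumps({
            "key": key,
            "host": host,
            "expected": expected,
            "actual": actual,
            "detected_at": stamp,
            "status": "open",   # set to "closed" once a reviewer approves or reverts the change
        }))
    return len(deviations)


def is_compliant(observed: dict, baseline: dict = BASELINE) -> bool:
    """True when the observed configuration has no deviations from the baseline."""
    return not check_baseline(observed, baseline)


if __name__ == "__main__":
    change_log: list[str] = []
    observed = parse_kv_config(OBSERVED_CONFIG)
    found = check_baseline(observed, BASELINE)
    record_deviations(found, "web-01.example.test", change_log)
    for entry in change_log:
        print(entry)
```

    Against the constructed input the check reports three deviations: PermitRootLogin set to yes, X11Forwarding absent, and LogLevel at INFO instead of VERBOSE. Reporting an unset key as a deviation is deliberate; a baseline that relies on vendor defaults drifts silently when the vendor changes them. The "open" status on each entry is what the review control consumes: a reviewer either approves the change (and updates the baseline) or reverts it, and closes the entry.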
  • Data and Information Management (418)
    Identify processes, Information Systems, and third parties that transmit, process, or store personal data. CC ID 06289 Monitoring and measurement Preventive
    Establish and maintain removable storage media controls. CC ID 06680 Physical and environmental protection Preventive
    Control access to restricted storage media. CC ID 04889 Physical and environmental protection Preventive
    Track restricted storage media while it is in transit. CC ID 00967 Physical and environmental protection Detective
    Encrypt information stored on mobile devices. CC ID 01422 Physical and environmental protection Preventive
    Wipe all data on systems before the system is redeployed or disposed of. CC ID 06401 Operational management Preventive
    Protect confidential information during the system development life cycle program. CC ID 13479 Systems design, build, and implementation Preventive
    Establish and maintain a personal data transparency and openness program. CC ID 00375 Privacy protection for information and data Preventive
    Deliver notices to the intended parties. CC ID 06240 Privacy protection for information and data Preventive
    Establish, implement, and maintain adequate openness procedures. CC ID 00377 Privacy protection for information and data Preventive
    Provide legal authorities access to personal data, upon request. CC ID 06818 Privacy protection for information and data Preventive
    Document the countries where personal data may be stored. CC ID 12750 Privacy protection for information and data Preventive
    Protect the rights of students and their parents. CC ID 00222 Privacy protection for information and data Preventive
    Disclose educational data, as necessary. CC ID 00223 Privacy protection for information and data Preventive
    Obtain explicit consent from parents or students prior to using or disclosing educational data. CC ID 00220 Privacy protection for information and data Preventive
    Disclose education records when written consent is received. CC ID 00224 Privacy protection for information and data Preventive
    Disclose educational data absent consent to other school officials. CC ID 00226 Privacy protection for information and data Preventive
    Disclose educational data absent consent to another institution's school officials. CC ID 00227 Privacy protection for information and data Preventive
    Disclose educational data absent consent in connection with financial aid. CC ID 00229 Privacy protection for information and data Preventive
    Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230 Privacy protection for information and data Preventive
    Disclose educational data absent consent to accrediting organizations. CC ID 00231 Privacy protection for information and data Preventive
    Disclose educational data absent consent to a dependent student's parents. CC ID 00232 Privacy protection for information and data Preventive
    Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233 Privacy protection for information and data Preventive
    Disclose educational data absent consent for a health and safety emergency. CC ID 00234 Privacy protection for information and data Preventive
    Disclose educational data absent consent when it is merely directory information. CC ID 00235 Privacy protection for information and data Preventive
    Disclose educational data absent consent to a crime victim. CC ID 00236 Privacy protection for information and data Preventive
    Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 Privacy protection for information and data Preventive
    Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 Privacy protection for information and data Preventive
    Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 Privacy protection for information and data Preventive
    Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605 Privacy protection for information and data Preventive
    Refrain from obtaining consent through deception. CC ID 13556 Privacy protection for information and data Preventive
    Give individuals the ability to change the uses of their personal data. CC ID 00469 Privacy protection for information and data Preventive
    Notify data subjects of the implications of withdrawing consent. CC ID 13551 Privacy protection for information and data Preventive
    Cooperate with Data Protection Authorities. CC ID 06870 Privacy protection for information and data Preventive
    Display or print the least amount of personal data necessary. CC ID 04643 Privacy protection for information and data Preventive
    Redact confidential information from public information, as necessary. CC ID 06872 Privacy protection for information and data Preventive
    Do not use personal data collected for research and statistics for other purposes. CC ID 00096 Privacy protection for information and data Preventive
    Dispose of media and personal data in a timely manner. CC ID 00125 Privacy protection for information and data Preventive
    Provide individuals with information about where their personal data was processed. CC ID 00415 Privacy protection for information and data Preventive
    Provide individuals with information about the processing purpose of their personal data. CC ID 00416 Privacy protection for information and data Preventive
    Provide individuals with information about disclosure of their personal data. CC ID 00417 Privacy protection for information and data Preventive
    Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 Privacy protection for information and data Preventive
    Provide assistance to data subjects in preparing personal data access requests. CC ID 13588 Privacy protection for information and data Preventive
    Document the outcome of the personal data access request review procedure. CC ID 00455 Privacy protection for information and data Preventive
    Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 Privacy protection for information and data Preventive
    Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 Privacy protection for information and data Preventive
    Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 Privacy protection for information and data Preventive
    Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 Privacy protection for information and data Preventive
    Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 Privacy protection for information and data Preventive
    Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 Privacy protection for information and data Preventive
    Process personal data after the data subject has granted explicit consent. CC ID 00180 Privacy protection for information and data Preventive
    Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 Privacy protection for information and data Preventive
    Process personal data relating to criminal offenses when required by law. CC ID 00237 Privacy protection for information and data Preventive
    Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 Privacy protection for information and data Preventive
    Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 Privacy protection for information and data Preventive
    Process personal data for statistical purposes or scientific purposes. CC ID 00256 Privacy protection for information and data Preventive
    Process personal data when it is processed during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 Privacy protection for information and data Preventive
    Process traffic data in a controlled manner. CC ID 00130 Privacy protection for information and data Preventive
    Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 Privacy protection for information and data Preventive
    Process personal data when it is publicly accessible. CC ID 00187 Privacy protection for information and data Preventive
    Process personal data for direct marketing and other personalized mail programs. CC ID 00188 Privacy protection for information and data Preventive
    Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 Privacy protection for information and data Preventive
    Process personal data for debt collection or benefit payments. CC ID 00190 Privacy protection for information and data Preventive
    Process personal data in order to advance the public interest. CC ID 00191 Privacy protection for information and data Preventive
    Process personal data for surveys, archives, or scientific research. CC ID 00192 Privacy protection for information and data Preventive
    Process personal data for journalistic purposes. CC ID 00193 Privacy protection for information and data Preventive
    Process personal data for academic purposes or religious purposes. CC ID 00194 Privacy protection for information and data Preventive
    Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 Privacy protection for information and data Preventive
    Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 Privacy protection for information and data Preventive
    Follow legal obligations while processing personal data. CC ID 04794 Privacy protection for information and data Preventive
    Start personal data processing only after the needed notifications are submitted. CC ID 04791 Privacy protection for information and data Preventive
    Process personal data absent consent for specific and well-documented circumstances. CC ID 13537 Privacy protection for information and data Preventive
    Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617 Privacy protection for information and data Preventive
    Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615 Privacy protection for information and data Preventive
    Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612 Privacy protection for information and data Preventive
    Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611 Privacy protection for information and data Preventive
    Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587 Privacy protection for information and data Preventive
    Process personal data absent consent in order to perform a contract. CC ID 13586 Privacy protection for information and data Preventive
    Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581 Privacy protection for information and data Preventive
    Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580 Privacy protection for information and data Preventive
    Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579 Privacy protection for information and data Preventive
    Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 Privacy protection for information and data Preventive
    Process personal data absent consent when it is needed by law. CC ID 13577 Privacy protection for information and data Preventive
    Process personal data absent consent when it is from publicly available information. CC ID 13576 Privacy protection for information and data Preventive
    Process personal data absent consent if its use is consistent with the purposes. CC ID 13575 Privacy protection for information and data Preventive
    Process personal data absent consent when produced for business purposes. CC ID 13563 Privacy protection for information and data Preventive
    Process personal data absent consent for handling insurance claims. CC ID 13561 Privacy protection for information and data Preventive
    Process personal data absent consent if the information is contained in a witness statement. CC ID 13560 Privacy protection for information and data Preventive
    Process personal data absent consent for life-threatening emergencies. CC ID 13558 Privacy protection for information and data Preventive
    Process personal data absent consent for reasonable investigative purposes. CC ID 13557 Privacy protection for information and data Preventive
    Disclose personal data when the data subject has given unambiguous and implicit consent. CC ID 00157 Privacy protection for information and data Preventive
    Disclose personal data when the data subject has consented and has the ability to opt out. CC ID 00158 Privacy protection for information and data Detective
    Disclose Personal Identification Numbers absent consent in order to update address information. CC ID 04793 Privacy protection for information and data Preventive
    Disclose personal data absent consent when the law does not require consent. CC ID 00136 Privacy protection for information and data Preventive
    Disclose personal data when a relevant connection exists between the data subject and the data controller's operations. CC ID 00137 Privacy protection for information and data Preventive
    Disclose personal data absent consent if the disclosure with the consent or knowledge of the data subject would compromise the ability to prevent, detect, or suppress fraud. CC ID 13594 Privacy protection for information and data Preventive
    Disclose personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13616 Privacy protection for information and data Preventive
    Disclose personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13613 Privacy protection for information and data Preventive
    Disclose personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13603 Privacy protection for information and data Preventive
    Disclose personal data absent consent if disclosure is made a predetermined number of years after the death of the data subject. CC ID 13598 Privacy protection for information and data Preventive
    Disclose personal data absent consent when disclosure is made a predetermined number of years after the information was created. CC ID 13597 Privacy protection for information and data Preventive
    Disclose personal data absent consent if the data subject is notified of the disclosure. CC ID 13596 Privacy protection for information and data Preventive
    Disclose personal data absent consent if it is necessary to identify an individual who is injured, ill or deceased. CC ID 13595 Privacy protection for information and data Preventive
    Disclose personal data absent consent if the disclosure is to a government institution. CC ID 13583 Privacy protection for information and data Preventive
    Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593 Privacy protection for information and data Preventive
    Disclose personal data absent consent to detect, suppress, or prevent fraud. CC ID 13592 Privacy protection for information and data Preventive
    Disclose personal data absent consent for handling insurance claims. CC ID 13585 Privacy protection for information and data Preventive
    Disclose personal data absent consent if the information is contained in a witness statement. CC ID 13584 Privacy protection for information and data Preventive
    Disclose personal data absent consent if the data subject is believed to be a victim of financial abuse. CC ID 13555 Privacy protection for information and data Preventive
    Disclose personal data absent consent to a government institution that has requested the information. CC ID 13582 Privacy protection for information and data Preventive
    Disclose personal data absent consent if disclosure is to the next of kin or authorized representative. CC ID 13554 Privacy protection for information and data Preventive
    Disclose personal data absent consent when it is for the data controller's legitimate interest or third party's legitimate interest and it prevails over individual rights. CC ID 00138 Privacy protection for information and data Preventive
    Disclose personal data absent consent if the organization notifies the privacy commissioner before disclosing the information. CC ID 13553 Privacy protection for information and data Preventive
    Disclose personal data absent consent if it is impracticable to obtain consent. CC ID 13552 Privacy protection for information and data Preventive
    Disclose personal data absent consent in order to perform a contract. CC ID 00139 Privacy protection for information and data Preventive
    Disclose personal data absent consent in order to assist Telecommunications Ombudsmen in resolving complaints. CC ID 00140 Privacy protection for information and data Preventive
    Disclose personal data absent consent when the personal data is disclosed by calling an emergency service number. CC ID 00141 Privacy protection for information and data Preventive
    Disclose personal data absent consent when the personal data prevents life-threatening emergencies to third parties. CC ID 00142 Privacy protection for information and data Preventive
    Disclose personal data absent consent when the personal data preserves human life at sea. CC ID 00143 Privacy protection for information and data Preventive
    Disclose personal data absent consent in order to process the personal data for public interests. CC ID 00144 Privacy protection for information and data Preventive
    Disclose personal data for public interests absent consent in order to provide social work assistance services. CC ID 00145 Privacy protection for information and data Preventive
    Disclose personal data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146 Privacy protection for information and data Preventive
    Disclose personal data for public interests absent consent in order to protect historical records or archival records. CC ID 00147 Privacy protection for information and data Preventive
    Disclose personal data absent consent for public economic interests. CC ID 00148 Privacy protection for information and data Preventive
    Disclose personal data for public interests absent consent for National Security reasons. CC ID 00149 Privacy protection for information and data Preventive
    Disclose personal data absent consent for journalistic purposes. CC ID 00150 Privacy protection for information and data Preventive
    Disclose personal data absent consent when it is publicly accessible. CC ID 00151 Privacy protection for information and data Preventive
    Disclose personal data absent consent when it is related to publicly available information. CC ID 00152 Privacy protection for information and data Preventive
    Disclose publicly accessible personal data absent consent when the data subject has already published it. CC ID 00153 Privacy protection for information and data Preventive
    Disclose personal data absent consent in order to protect the data subject's vital interests. CC ID 00154 Privacy protection for information and data Preventive
    Disclose personal data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155 Privacy protection for information and data Preventive
    Disclose personal data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161 Privacy protection for information and data Preventive
    Disclose personal data absent consent when it is needed by law. CC ID 00163 Privacy protection for information and data Preventive
    Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796 Privacy protection for information and data Preventive
    Disclose personal data absent consent when it is being disclosed to the data subject. CC ID 00164 Privacy protection for information and data Preventive
    Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165 Privacy protection for information and data Preventive
    Disclose personal data absent consent when the data subject or data owner is anonymous. CC ID 00166 Privacy protection for information and data Preventive
    Limit the redisclosure and reuse of personal data. CC ID 00168 Privacy protection for information and data Preventive
    Refrain from redisclosing or reusing personal data. CC ID 00169 Privacy protection for information and data Preventive
    Redisclose personal data when the data subject consents. CC ID 00171 Privacy protection for information and data Preventive
    Redisclose personal data when it is for criminal law enforcement. CC ID 00172 Privacy protection for information and data Preventive
    Redisclose personal data in order to protect public revenue. CC ID 00173 Privacy protection for information and data Preventive
    Redisclose personal data in order to assist a Telecommunications Ombudsman. CC ID 00174 Privacy protection for information and data Preventive
    Redisclose personal data in order to prevent a life-threatening emergency. CC ID 00175 Privacy protection for information and data Preventive
    Redisclose personal data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176 Privacy protection for information and data Preventive
    Redisclose personal data in order to preserve human life at sea. CC ID 00177 Privacy protection for information and data Preventive
    Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 Privacy protection for information and data Preventive
    Obtain parental consent in order to use or disclose children's data. CC ID 00198 Privacy protection for information and data Preventive
    Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 Privacy protection for information and data Preventive
    Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 Privacy protection for information and data Preventive
    Process Personal Identification Numbers with consent. CC ID 00239 Privacy protection for information and data Preventive
    Obtain consent prior to selling a Personal Identification Number. CC ID 00240 Privacy protection for information and data Preventive
    Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 Privacy protection for information and data Preventive
    Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 Privacy protection for information and data Preventive
    Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 Privacy protection for information and data Preventive
    Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 Privacy protection for information and data Preventive
    Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 Privacy protection for information and data Preventive
    Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 Privacy protection for information and data Preventive
    Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 Privacy protection for information and data Preventive
    Allow data subjects the ability to restrict the use and disclosure of personal data. CC ID 06821 Privacy protection for information and data Preventive
    Review personal data disclosure requests. CC ID 07129 Privacy protection for information and data Preventive
    Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 Privacy protection for information and data Preventive
    Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 Privacy protection for information and data Preventive
    Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 Privacy protection for information and data Preventive
    Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 Privacy protection for information and data Preventive
    Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 Privacy protection for information and data Preventive
    Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 Privacy protection for information and data Preventive
    Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 Privacy protection for information and data Preventive
    Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 Privacy protection for information and data Preventive
    Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 Privacy protection for information and data Preventive
    Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 Privacy protection for information and data Preventive
    Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 Privacy protection for information and data Preventive
    Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 Privacy protection for information and data Preventive
    Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 Privacy protection for information and data Detective
    Include personal data that is for protecting the civil rights or others' freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 Privacy protection for information and data Preventive
    Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 Privacy protection for information and data Preventive
    Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 Privacy protection for information and data Preventive
    Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 Privacy protection for information and data Preventive
    Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 Privacy protection for information and data Preventive
    Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 Privacy protection for information and data Preventive
    Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 Privacy protection for information and data Preventive
    Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 Privacy protection for information and data Preventive
    Notify the individual of the reasons the personal data access request was refused. CC ID 00453 Privacy protection for information and data Preventive
    Notify individuals of their right to challenge a refusal to a personal data access request. CC ID 00454 Privacy protection for information and data Preventive
    Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 Privacy protection for information and data Preventive
    Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 Privacy protection for information and data Preventive
    Provide personal data in a reasonable time frame. CC ID 00429 Privacy protection for information and data Preventive
    Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 Privacy protection for information and data Preventive
    Extend the time limit for providing personal data if it is impracticable to respond to the access request within that time. CC ID 13590 Privacy protection for information and data Preventive
    Extend the time limit for providing personal data if it would unreasonably interfere with the organization's activities. CC ID 13589 Privacy protection for information and data Preventive
    Provide personal data at a cost that is not excessive. CC ID 00430 Privacy protection for information and data Preventive
    Provide personal data in a reasonable manner. CC ID 00431 Privacy protection for information and data Preventive
    Provide personal data in a form that is intelligible. CC ID 00432 Privacy protection for information and data Preventive
    Provide personal data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 Privacy protection for information and data Preventive
    Provide personal data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 Privacy protection for information and data Preventive
    Remove personal data about third parties before giving the data subject access to the information. CC ID 13601 Privacy protection for information and data Preventive
    Use personal data for specified purposes. CC ID 11831 Privacy protection for information and data Preventive
    Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 Privacy protection for information and data Preventive
    Provide explicit consent that is clear and unambiguous. CC ID 00181 Privacy protection for information and data Preventive
    Allow individuals to change their personal data collection consent preferences. CC ID 06946 Privacy protection for information and data Preventive
    Adhere to each individual's personal data collection consent preferences. CC ID 06947 Privacy protection for information and data Preventive
    Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717 Privacy protection for information and data Preventive
    Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718 Privacy protection for information and data Preventive
    Include an individual's name in the personal data definition. CC ID 04710 Privacy protection for information and data Preventive
    Include an individual's name combined with other personal data in the personal data definition. CC ID 04709 Privacy protection for information and data Preventive
    Include a parent's legal surname prior to marriage in the personal data definition. CC ID 04686 Privacy protection for information and data Preventive
    Include an individual's signature in the personal data definition. CC ID 04711 Privacy protection for information and data Preventive
    Include an individual's date of birth in the personal data definition. CC ID 04770 Privacy protection for information and data Preventive
    Include an individual's physical characteristics or description in the personal data definition. CC ID 04712 Privacy protection for information and data Preventive
    Include an individual's biometric data in the personal data definition. CC ID 04698 Privacy protection for information and data Preventive
    Include an individual's photographic image in the personal data definition. CC ID 04779 Privacy protection for information and data Preventive
    Include an individual's fingerprints in the personal data definition. CC ID 04689 Privacy protection for information and data Preventive
    Include an individual's address in the personal data definition. CC ID 04687 Privacy protection for information and data Preventive
    Include an individual's telephone number in the personal data definition. CC ID 04688 Privacy protection for information and data Preventive
    Include an individual's fax number in the personal data definition. CC ID 07120 Privacy protection for information and data Preventive
    Include an individual's financial account number in the personal data definition. CC ID 04692 Privacy protection for information and data Preventive
    Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768 Privacy protection for information and data Preventive
    Include an individual's electronic identification name or number in the personal data definition. CC ID 04694 Privacy protection for information and data Preventive
    Include an individual's Alien Registration Number in the personal data definition. CC ID 04743 Privacy protection for information and data Preventive
    Include an individual's passport number in the personal data definition. CC ID 04713 Privacy protection for information and data Preventive
    Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691 Privacy protection for information and data Preventive
    Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690 Privacy protection for information and data Preventive
    Include an individual's e-mail address in the personal data definition. CC ID 04696 Privacy protection for information and data Preventive
    Include electronic signatures in the personal data definition. CC ID 04697 Privacy protection for information and data Preventive
    Include an individual's payment card information in the personal data definition. CC ID 04751 Privacy protection for information and data Preventive
    Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693 Privacy protection for information and data Preventive
    Include an individual's payment card service code in the personal data definition. CC ID 04753 Privacy protection for information and data Preventive
    Include an individual's payment card expiration date in the personal data definition. CC ID 04755 Privacy protection for information and data Preventive
    Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825 Privacy protection for information and data Preventive
    Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700 Privacy protection for information and data Preventive
    Include an individual's medical history in the personal data definition. CC ID 04701 Privacy protection for information and data Preventive
    Include an individual's medical treatment in the personal data definition. CC ID 04702 Privacy protection for information and data Preventive
    Include an individual's medical diagnosis in the personal data definition. CC ID 04703 Privacy protection for information and data Preventive
    Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704 Privacy protection for information and data Preventive
    Include an individual's medical record numbers in the personal data definition. CC ID 07121 Privacy protection for information and data Preventive
    Include an individual's health insurance information in the personal data definition. CC ID 04705 Privacy protection for information and data Preventive
    Include an individual's health insurance policy number in the personal data definition. CC ID 04706 Privacy protection for information and data Preventive
    Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707 Privacy protection for information and data Preventive
    Include an individual's education information in the personal data definition. CC ID 04714 Privacy protection for information and data Preventive
    Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122 Privacy protection for information and data Preventive
    Include an individual's employment information in the personal data definition. CC ID 04715 Privacy protection for information and data Preventive
    Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767 Privacy protection for information and data Preventive
    Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763 Privacy protection for information and data Preventive
    Include an individual's employment history in the personal data definition. CC ID 04716 Privacy protection for information and data Preventive
    Include an individual's place of employment in the personal data definition. CC ID 04765 Privacy protection for information and data Preventive
    Include an individual's Employee Identification Number in the personal data definition. CC ID 04766 Privacy protection for information and data Preventive
    Include an individual's property information in the personal data definition. CC ID 04780 Privacy protection for information and data Preventive
    Include an individual's property title in the personal data definition. CC ID 04781 Privacy protection for information and data Preventive
    Include an individual's vehicle registration in the personal data definition. CC ID 04782 Privacy protection for information and data Preventive
    Include hardware asset identification information in the personal data definition. CC ID 07123 Privacy protection for information and data Preventive
    Include MAC addresses in the personal data definition. CC ID 04778 Privacy protection for information and data Preventive
    Include Internet Protocol addresses in the personal data definition. CC ID 04777 Privacy protection for information and data Preventive
    Include asset serial numbers in the personal data definition. CC ID 07124 Privacy protection for information and data Preventive
    Include Uniform Resource Locators in the personal data definition. CC ID 07125 Privacy protection for information and data Preventive
    Define specially restricted data. CC ID 00037 Privacy protection for information and data Preventive
    Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 Privacy protection for information and data Preventive
    Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075 Privacy protection for information and data Preventive
    Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080 Privacy protection for information and data Preventive
    Implement a nondiscrimination principle. CC ID 00081 Privacy protection for information and data Preventive
    Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799 Privacy protection for information and data Preventive
    Preserve each individual's right to human dignity. CC ID 00082 Privacy protection for information and data Preventive
    Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058 Privacy protection for information and data Preventive
    Collect Personal Identification Numbers with the individual's consent. CC ID 00059 Privacy protection for information and data Preventive
    Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061 Privacy protection for information and data Preventive
    Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065 Privacy protection for information and data Preventive
    Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792 Privacy protection for information and data Preventive
    Manage health data collection. CC ID 00050 Privacy protection for information and data Preventive
    Collect Individually Identifiable Health Information to provide health care services. CC ID 00052 Privacy protection for information and data Preventive
    Collect Individually Identifiable Health Information when the law dictates. CC ID 00053 Privacy protection for information and data Preventive
    Collect Individually Identifiable Health Information for research. CC ID 00054 Privacy protection for information and data Preventive
    Remove personal data before disclosing health data. CC ID 00055 Privacy protection for information and data Preventive
    Give special attention to collecting children's data. CC ID 00038 Privacy protection for information and data Preventive
    Obtain parental consent before collecting information from children. CC ID 00041 Privacy protection for information and data Preventive
    Waive verifiable parental consent for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 Privacy protection for information and data Preventive
    Waive verifiable parental consent for collecting information from children in order to request the parent's information to obtain consent. CC ID 00044 Privacy protection for information and data Preventive
    Waive verifiable parental consent for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 Privacy protection for information and data Preventive
    Waive verifiable parental consent for collecting information from children in order to protect the child's safety. CC ID 00046 Privacy protection for information and data Preventive
    Waive verifiable parental consent for collecting information from children in order to take liability precautions. CC ID 00047 Privacy protection for information and data Preventive
    Waive verifiable parental consent for collecting information from children in order to respond to a judicial process. CC ID 00048 Privacy protection for information and data Preventive
    Waive verifiable parental consent for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 Privacy protection for information and data Preventive
    Waive verifiable parental consent for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 Privacy protection for information and data Preventive
    Collect personal data directly from the data subject. CC ID 00011 Privacy protection for information and data Preventive
    Create and manage user account aliases to maintain pseudonymity. CC ID 04549 Privacy protection for information and data Preventive
    Provide unlinkability for users and resources. CC ID 04550 Privacy protection for information and data Preventive
    Collect personal data in a fair and lawful manner. CC ID 00010 Privacy protection for information and data Preventive
    Collect personal data absent consent for specific and well-documented circumstances. CC ID 00013 Privacy protection for information and data Preventive
    Collect personal data absent consent when the data collection is in the data subject's interests and consent cannot be obtained in a timely manner. CC ID 00014 Privacy protection for information and data Preventive
    Collect personal data absent consent when consent compromises data accuracy. CC ID 00015 Privacy protection for information and data Preventive
    Collect personal data absent consent in order to make a disclosure. CC ID 13550 Privacy protection for information and data Preventive
    Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 Privacy protection for information and data Preventive
    Collect personal data absent consent if collection is consistent with the purposes. CC ID 13548 Privacy protection for information and data Preventive
    Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 Privacy protection for information and data Preventive
    Collect personal data absent consent for handling insurance claims. CC ID 13543 Privacy protection for information and data Preventive
    Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016 Privacy protection for information and data Preventive
    Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 Privacy protection for information and data Preventive
    Collect personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 Privacy protection for information and data Preventive
    Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 Privacy protection for information and data Preventive
    Collect personal data absent consent from publicly available information. CC ID 00019 Privacy protection for information and data Preventive
    Collect personal data absent consent when needed by law. CC ID 00020 Privacy protection for information and data Preventive
    Collect personal data absent consent when no potential harm can come to the data subject. CC ID 00021 Privacy protection for information and data Preventive
    Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022 Privacy protection for information and data Preventive
    Collect the minimum amount of personal data necessary. CC ID 00078 Privacy protection for information and data Preventive
    Collect personal data in a proper information framework. CC ID 00009 Privacy protection for information and data Preventive
    Collect and record personal data for specific, explicit, and legitimate purposes. CC ID 00027 Privacy protection for information and data Preventive
    Collect personal data when an individual gives consent. CC ID 00030 Privacy protection for information and data Preventive
    Collect personal data when required by law. CC ID 00031 Privacy protection for information and data Preventive
    Collect personal data to prevent life-threatening emergencies. CC ID 00032 Privacy protection for information and data Preventive
    Collect personal data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034 Privacy protection for information and data Preventive
    Collect personal data for legal purposes. CC ID 00036 Privacy protection for information and data Preventive
    Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 Privacy protection for information and data Preventive
    Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 Privacy protection for information and data Preventive
    Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 Privacy protection for information and data Preventive
    Limit data leakage. CC ID 00356 Privacy protection for information and data Preventive
    Establish and maintain suspicious personal data procedures. CC ID 04853 Privacy protection for information and data Detective
    Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 Privacy protection for information and data Detective
    Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 Privacy protection for information and data Detective
    Send change notices for change of address requests to the old address and the new address. CC ID 04877 Privacy protection for information and data Detective
    Establish and maintain de-identifying and re-identifying procedures. CC ID 07126 Privacy protection for information and data Preventive
    Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 Privacy protection for information and data Preventive
    Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 Privacy protection for information and data Preventive
    Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 Privacy protection for information and data Preventive
    Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 Privacy protection for information and data Preventive
    Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 Privacy protection for information and data Preventive
    Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 Privacy protection for information and data Preventive
    Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 Privacy protection for information and data Preventive
    Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 Privacy protection for information and data Preventive
    Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 Privacy protection for information and data Preventive
    Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 Privacy protection for information and data Preventive
    Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 Privacy protection for information and data Preventive
    Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 Privacy protection for information and data Preventive
    Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 Privacy protection for information and data Preventive
    Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 Privacy protection for information and data Preventive
    Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 Privacy protection for information and data Preventive
    Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 Privacy protection for information and data Preventive
    Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 Privacy protection for information and data Preventive
    Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 Privacy protection for information and data Preventive
    Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 Privacy protection for information and data Preventive
    Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 Privacy protection for information and data Preventive
    Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 Privacy protection for information and data Preventive
    Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 Privacy protection for information and data Preventive
    Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 Privacy protection for information and data Preventive
    Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 Privacy protection for information and data Preventive
    Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 Privacy protection for information and data Preventive
    Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 Privacy protection for information and data Preventive
    Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 Privacy protection for information and data Preventive
    Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 Privacy protection for information and data Preventive
    Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 Privacy protection for information and data Preventive
    Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 Privacy protection for information and data Preventive
    Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 Privacy protection for information and data Preventive
    Obtain consent from an individual prior to transferring personal data. CC ID 06948 Privacy protection for information and data Preventive
    Provide an adequate data protection level by the transferee prior to transferring personal data to another country. CC ID 00314 Privacy protection for information and data Preventive
    Refrain from restricting personal data transfers to member states of the European Union. CC ID 00312 Privacy protection for information and data Preventive
    Prohibit the transfer of personal data when security is inadequate. CC ID 00345 Privacy protection for information and data Preventive
    Meet the use limitation exceptions in order to transfer personal data. CC ID 00346 Privacy protection for information and data Preventive
    Refrain from transferring past the first transfer. CC ID 00347 Privacy protection for information and data Preventive
    Allow the data subject the right to object to the personal data transfer. CC ID 00349 Privacy protection for information and data Preventive
    Include publicly available information as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00316 Privacy protection for information and data Preventive
    Include transfer agreements between data controllers and third parties when it is for the data subject's interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00317 Privacy protection for information and data Preventive
    Include personal data for the health field and for treatment as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00318 Privacy protection for information and data Preventive
    Include personal data for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00319 Privacy protection for information and data Preventive
    Include personal data for important public interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00320 Privacy protection for information and data Preventive
    Include consent by the data subject as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00321 Privacy protection for information and data Preventive
    Include personal data used for a contract as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00322 Privacy protection for information and data Preventive
    Include personal data for protecting the data subject or the data subject's interests, such as saving his/her life or providing healthcare as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00323 Privacy protection for information and data Preventive
    Include personal data that is necessary to fulfill international law obligations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00324 Privacy protection for information and data Preventive
    Include personal data used for legal investigations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00325 Privacy protection for information and data Preventive
    Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00326 Privacy protection for information and data Preventive
    Require transferees to implement adequate data protection levels for the personal data. CC ID 00335 Privacy protection for information and data Preventive
    Include personal data that is publicly available information as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00337 Privacy protection for information and data Preventive
    Include personal data that is used for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00338 Privacy protection for information and data Preventive
    Include personal data that is used for important public interest as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00339 Privacy protection for information and data Preventive
    Include consent by the data subject as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00340 Privacy protection for information and data Preventive
    Include personal data that is used for a contract as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00341 Privacy protection for information and data Preventive
    Include personal data that is used for protecting the data subject or the data subject's interests, such as providing healthcare or saving his/her life as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00342 Privacy protection for information and data Preventive
    Include personal data that is used for a legal investigation as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00343 Privacy protection for information and data Preventive
    Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00344 Privacy protection for information and data Preventive
    Obtain consent prior to storing cookies on an individual's browser. CC ID 06950 Privacy protection for information and data Preventive
    Obtain consent prior to downloading software to an individual's computer. CC ID 06951 Privacy protection for information and data Preventive
    Obtain consent prior to tracking Internet traffic patterns or browsing history of an individual. CC ID 06961 Privacy protection for information and data Preventive
    Develop remedies and sanctions for privacy policy violations. CC ID 00474 Privacy protection for information and data Preventive
    Implement procedures to file privacy rights violation complaints. CC ID 00476 Privacy protection for information and data Corrective
    Change or destroy any personal data that is incorrect. CC ID 00462 Privacy protection for information and data Corrective
    Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 Privacy protection for information and data Preventive
    Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 Privacy protection for information and data Corrective
    Notify individuals of their right to challenge personal data. CC ID 00457 Privacy protection for information and data Preventive
    Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458 Privacy protection for information and data Preventive
    Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459 Privacy protection for information and data Preventive
    Investigate the disputed accuracy of personal data. CC ID 00461 Privacy protection for information and data Preventive
    Order the cessation of data processing when a violation of the privacy policy is detected. CC ID 00475 Privacy protection for information and data Corrective
    Destroy personal data that breaches privacy after the privacy breach has been detected. CC ID 00503 Privacy protection for information and data Corrective
  • Establish Roles
    8
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 Audits and risk management Preventive
    Define and assign the external auditor's roles and responsibilities. CC ID 00683 Audits and risk management Preventive
    Assign log management roles and responsibilities. CC ID 06311 Monitoring and measurement Preventive
    Assign penetration testing to a qualified internal resource or external third party. CC ID 06429 Monitoring and measurement Preventive
    Employ security guards to provide physical security, as necessary. CC ID 06653 Physical and environmental protection Preventive
    Classify assets according to the Asset Classification Policy. CC ID 07186 Operational management Preventive
    Require data controllers to be accountable for their actions. CC ID 00470 Privacy protection for information and data Preventive
    Process personal data lawfully and carefully. CC ID 00086 Privacy protection for information and data Preventive
  • Establish/Maintain Documentation
    422
    Establish and maintain sustainable infrastructure planning. CC ID 00603
    [Determine the placement of the system within the enterprise architecture. TASK P-16]
    Leadership and high level objectives Preventive
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 Leadership and high level objectives Preventive
    Establish and maintain an Information Systems Assurance Categories Definitions document. CC ID 01608 Leadership and high level objectives Preventive
    Establish and maintain an audit program. CC ID 00684 Audits and risk management Preventive
    Implement a corrective action plan in response to the audit report. CC ID 06777 Audits and risk management Corrective
    Establish and maintain a risk management program. CC ID 12051 Audits and risk management Preventive
    Establish and maintain risk management strategies, as necessary. CC ID 13209
    [Establish a risk management strategy for the organization that includes a determination of risk tolerance. TASK P-2]
    Audits and risk management Preventive
    Include off-site storage of supplies in the risk management strategies, as necessary. CC ID 13221 Audits and risk management Preventive
    Include the use of alternate service providers in the risk management strategies. CC ID 13217 Audits and risk management Preventive
    Include minimizing service interruptions in the risk management strategies. CC ID 13215 Audits and risk management Preventive
    Include off-site storage in organizational risk mitigation strategies. CC ID 13213 Audits and risk management Preventive
    Establish and maintain the risk assessment framework. CC ID 00685 Audits and risk management Preventive
    Establish, implement, and maintain a risk assessment program to manage internal threats and external threats. CC ID 00687 Audits and risk management Preventive
    Establish, implement, and maintain risk assessment procedures. CC ID 06446 Audits and risk management Preventive
    Establish and maintain a threat and risk classification scheme. CC ID 07183 Audits and risk management Preventive
    Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 Audits and risk management Preventive
    Include physical assets in the scope of the risk assessment. CC ID 13075 Audits and risk management Preventive
    Include the results of the risk assessment in the risk assessment report. CC ID 06481
    [Prepare the assessment reports documenting the findings and recommendations from the control assessments. TASK A-4]
    Audits and risk management Preventive
    Update the risk assessment upon discovery of a new threat. CC ID 00708
    [{security plan} {privacy plan} {risk assessment report} Update plans, assessment reports, and plans of action and milestones based on the results of the continuous monitoring process. Task M-4]
    Audits and risk management Detective
    Update the risk assessment upon changes to the risk profile. CC ID 11627
    [Assess organization-wide security and privacy risk and update the risk assessment results on an ongoing basis. TASK P-3
    Conduct a system-level risk assessment and update the risk assessment results on an ongoing basis. TASK P-14]
    Audits and risk management Detective
    Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 Audits and risk management Preventive
    Document organizational risk tolerance in a risk register. CC ID 09961
    [Establish a risk management strategy for the organization that includes a determination of risk tolerance. TASK P-2]
    Audits and risk management Preventive
    Update the risk register, as necessary. CC ID 13047 Audits and risk management Preventive
    Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 Audits and risk management Preventive
    Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 Audits and risk management Preventive
    Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704
    [Assess the controls implemented within and inherited by the system in accordance with the continuous monitoring strategy. Task M-2]
    Audits and risk management Detective
    Establish and maintain a risk treatment plan. CC ID 11983
    [Identify and implement a preferred course of action in response to the risk determined. TASK R-3]
    Audits and risk management Preventive
    Include the risk treatment strategy in the risk treatment plan. CC ID 12159 Audits and risk management Preventive
    Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 Audits and risk management Corrective
    Include an overview of the migration project plan in the risk treatment plan. CC ID 11982 Audits and risk management Preventive
    Include change control processes in the risk treatment plan. CC ID 11981 Audits and risk management Preventive
    Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980 Audits and risk management Preventive
    Include the implemented risk management controls in the risk treatment plan. CC ID 11979 Audits and risk management Preventive
    Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 Audits and risk management Preventive
    Include risk assessment results in the risk treatment plan. CC ID 11978 Audits and risk management Preventive
    Include a description of usage in the risk treatment plan. CC ID 11977 Audits and risk management Preventive
    Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 Audits and risk management Preventive
    Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705
    [Respond to risk based on the results of ongoing monitoring activities, risk assessments, and outstanding items in plans of action and milestones. Task M-3
    Prepare the plan of action and milestones based on the findings and recommendations of the assessment reports. TASK A-6]
    Audits and risk management Corrective
    Review and approve the risk assessment findings. CC ID 06485 Audits and risk management Preventive
    Establish and Maintain a Cybersecurity Risk Management Strategy. CC ID 11991
    [Establish, document, and publish organizationally-tailored control baselines and/or Cybersecurity Framework Profiles. TASK P-4]
    Audits and risk management Preventive
    Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 Audits and risk management Preventive
    Establish and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 Monitoring and measurement Preventive
    Include each Information System's major applications in the Information Technology inventory. CC ID 01407 Monitoring and measurement Preventive
    Categorize all major applications according to the business information they process. CC ID 07182 Monitoring and measurement Preventive
    Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164 Monitoring and measurement Preventive
    Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408 Monitoring and measurement Preventive
    Include each Information System's minor applications in the Information Technology inventory. CC ID 01409 Monitoring and measurement Preventive
    Establish, implement, and maintain an audit and accountability policy. CC ID 14035 Monitoring and measurement Preventive
    Review and update the list of auditable events in the event logging procedures. CC ID 10097 Monitoring and measurement Preventive
    Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 Monitoring and measurement Corrective
    Report a data loss event when non-truncated payment card numbers are outputted. CC ID 04741 Monitoring and measurement Corrective
    Establish and maintain a continuous monitoring for Configuration Management program. CC ID 06757 Monitoring and measurement Detective
    Include a change history and identify who made the changes in the file integrity monitoring report. CC ID 12091 Monitoring and measurement Preventive
    Establish and maintain a risk monitoring program. CC ID 00658 Monitoring and measurement Preventive
    Create specific test plans to test each system component. CC ID 00661
    [Develop, review, and approve plans to assess implemented controls. TASK A-2]
    Monitoring and measurement Preventive
    Review the test plans for each system component. CC ID 00662
    [Develop, review, and approve plans to assess implemented controls. TASK A-2]
    Monitoring and measurement Preventive
    Establish and maintain a scoring method for Red Team exercise results. CC ID 12136 Monitoring and measurement Preventive
    Document the business need justification for authorized wireless access points. CC ID 12044 Monitoring and measurement Preventive
    Compare port scan reports for in scope systems against their port scan baseline. CC ID 12162 Monitoring and measurement Detective
    Align the penetration test program with industry standards. CC ID 12469 Monitoring and measurement Preventive
    Establish and maintain a vulnerability assessment program. CC ID 11636 Monitoring and measurement Preventive
    Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 Monitoring and measurement Preventive
    Include the completion date in the plan of action. CC ID 13272 Monitoring and measurement Preventive
    Establish and maintain a physical security program. CC ID 11757
    [{security requirements} Define the security and privacy requirements for the system and the environment of operation. TASK P-15]
    Physical and environmental protection Preventive
    Establish and maintain physical security plans. CC ID 13307
    [{security plans} Review and approve the security and privacy plans for the system and the environment of operation. TASK S-6]
    Physical and environmental protection Preventive
    Include a maintenance schedule for the physical security plan in the physical security plan. CC ID 13309 Physical and environmental protection Preventive
    Document any reasons for modifying or refraining from modifying the organization's physical security plan when the physical security plan has been reviewed. CC ID 13315 Physical and environmental protection Preventive
    Establish and maintain physical security procedures. CC ID 13076
    [{security requirements} Allocate security and privacy requirements to the system and to the environment of operation. TASK P-17]
    Physical and environmental protection Preventive
    Establish and maintain a facility physical security program. CC ID 00711
    [Select the controls for the system and the environment of operation. TASK S-1
    {security controls} Allocate security and privacy controls to the system and to the environment of operation. TASK S-3]
    Physical and environmental protection Preventive
    Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 Physical and environmental protection Preventive
    Define communication methods for reporting crimes. CC ID 06349 Physical and environmental protection Preventive
    Post and maintain security signage for all facilities. CC ID 02201 Physical and environmental protection Preventive
    Identify and document physical access controls for all physical entry points. CC ID 01637 Physical and environmental protection Preventive
    Define and implement access procedures for all organizational facilities and controlled access areas. CC ID 13629 Physical and environmental protection Preventive
    Establish and maintain a visitor access permissions policy. CC ID 06699 Physical and environmental protection Preventive
    Escort visitors within the facility, as necessary. CC ID 06417 Physical and environmental protection Preventive
    Establish and maintain procedures for changing a visitor's access requirements. CC ID 12048 Physical and environmental protection Preventive
    Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 Physical and environmental protection Preventive
    Authorize physical access to sensitive areas based on job functions. CC ID 12462 Physical and environmental protection Preventive
    Review facility access lists. CC ID 01251 Physical and environmental protection Detective
    Establish and maintain physical identification procedures. CC ID 00713 Physical and environmental protection Preventive
    Document all lost badges in a lost badge list. CC ID 12448 Physical and environmental protection Corrective
    Establish and maintain identification issuance procedures for identification cards or badges. CC ID 06598 Physical and environmental protection Preventive
    Include error handling controls in identification issuance procedures. CC ID 13709 Physical and environmental protection Preventive
    Include an identity registration process in the identification issuance procedures. CC ID 11671 Physical and environmental protection Preventive
    Establish and maintain identification renewal procedures for identification cards or badges. CC ID 06599 Physical and environmental protection Preventive
    Establish and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596 Physical and environmental protection Preventive
    Establish and maintain identification mechanism termination procedures. CC ID 06306 Physical and environmental protection Preventive
    Establish, implement, and maintain a door security standard. CC ID 06686 Physical and environmental protection Preventive
    Establish and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems. CC ID 00748 Physical and environmental protection Preventive
    Record the assigned access mechanism serial number or cipher lock code when issuing controlled items. CC ID 06715 Physical and environmental protection Preventive
    Establish and maintain a window security standard. CC ID 06689 Physical and environmental protection Preventive
    Post signs at all physical entry points stating the organization's right to inspect upon entry. CC ID 02204 Physical and environmental protection Preventive
    Establish, implement, and maintain after hours facility access procedures. CC ID 06340 Physical and environmental protection Preventive
    Establish and maintain a guideline for working in a secure area. CC ID 04538 Physical and environmental protection Preventive
    Establish and maintain emergency re-entry procedures. CC ID 11672 Physical and environmental protection Preventive
    Establish and maintain emergency exit procedures. CC ID 01252 Physical and environmental protection Preventive
    Require all visitors to sign in to the visitor log before the entrance of a visitor to the facility. CC ID 06700 Physical and environmental protection Preventive
    Record the date and time of entry in the visitor log. CC ID 13255 Physical and environmental protection Preventive
    Record the onsite personnel authorizing physical access for the visitor in the visitor log. CC ID 12466 Physical and environmental protection Preventive
    Review visitor logs, as necessary. CC ID 10625 Physical and environmental protection Detective
    Establish and maintain a physical access log. CC ID 12080 Physical and environmental protection Preventive
    Review physical access logs, as necessary. CC ID 10624 Physical and environmental protection Detective
    Establish and maintain physical security threat reports. CC ID 02207 Physical and environmental protection Preventive
    Establish and maintain a facility wall standard. CC ID 06692 Physical and environmental protection Preventive
    Establish, implement, and maintain a media protection policy. CC ID 14029 Physical and environmental protection Preventive
    Establish and maintain storage media access control procedures. CC ID 00959 Physical and environmental protection Preventive
    Establish and maintain electronic media storage container repair guidelines. CC ID 02200 Physical and environmental protection Preventive
    Establish and maintain an Information Technology asset removal policy. CC ID 13162 Physical and environmental protection Preventive
    Specify the assets to be returned or removed in the Information Technology asset removal policy. CC ID 13163 Physical and environmental protection Preventive
    Establish and maintain Information Technology asset removal procedures. CC ID 04540 Physical and environmental protection Preventive
    Establish and maintain report missing asset procedures. CC ID 06336 Physical and environmental protection Preventive
    Establish, implement, and maintain end user computing device security guidelines. CC ID 00719 Physical and environmental protection Preventive
    Establish and maintain a locking screen saver policy. CC ID 06717 Physical and environmental protection Preventive
    Establish and maintain mobile device security guidelines. CC ID 04723 Physical and environmental protection Preventive
    Include the expectation of data loss in the event of sanitizing the mobile device in the mobile device security guidelines. CC ID 12292 Physical and environmental protection Preventive
    Include legal requirements in the mobile device security guidelines. CC ID 12291 Physical and environmental protection Preventive
    Include prohibiting the usage of unapproved application stores in the mobile device security guidelines. CC ID 12290 Physical and environmental protection Preventive
    Include requiring users to create data backups in the mobile device security guidelines. CC ID 12289 Physical and environmental protection Preventive
    Include the definition of mobile devices in the mobile device security guidelines. CC ID 12288 Physical and environmental protection Preventive
    Establish and maintain asset return procedures. CC ID 04537 Physical and environmental protection Preventive
    Establish and maintain open storage container procedures. CC ID 02198 Physical and environmental protection Preventive
    Establish and maintain a physical clean desk policy. CC ID 06534 Physical and environmental protection Preventive
    Establish and maintain contact card reader security guidelines. CC ID 06588 Physical and environmental protection Preventive
    Establish and maintain contactless card reader security guidelines. CC ID 06589 Physical and environmental protection Preventive
    Establish and maintain Personal Identification Number input device security guidelines. CC ID 06590 Physical and environmental protection Preventive
    Establish, implement, and maintain a vehicle access program. CC ID 02216 Physical and environmental protection Preventive
    Establish and maintain returned card procedures, as necessary. CC ID 13567 Physical and environmental protection Preventive
    Establish and maintain the physical security of non-issued payment cards. CC ID 06402 Physical and environmental protection Preventive
    Establish and implement payment card usage security measures. CC ID 06406 Physical and environmental protection Preventive
    Establish and maintain security classifications for network cabling. CC ID 08627 Physical and environmental protection Preventive
    Establish and maintain documentation for network cabling schemes. CC ID 08641 Physical and environmental protection Preventive
    Establish and maintain a Code of Conduct as a part of the Terms and Conditions of employment. CC ID 04897 Human Resources management Preventive
    Include the organization's mission in the Code of Conduct. CC ID 12875
    [Identify the missions, business functions, and mission/business processes that the system is intended to support. TASK P-8]
    Human Resources management Preventive
    Establish and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Operational management Preventive
    Establish and maintain an internal control framework. CC ID 00820 Operational management Preventive
    Establish and maintain an information security program. CC ID 00812 Operational management Preventive
    Include technical safeguards in the information security program. CC ID 12374
    [{security plans} Document the controls for the system and environment of operation in security and privacy plans. TASK S-4]
    Operational management Preventive
    Include physical security in the information security program. CC ID 12382
    [{security plans} Document the controls for the system and environment of operation in security and privacy plans. TASK S-4]
    Operational management Preventive
    Establish and maintain an information security policy. CC ID 11740 Operational management Preventive
    Review and update the information security policy, as necessary. CC ID 11741
    [{security plans} Review and approve the security and privacy plans for the system and the environment of operation. TASK S-6
    {security plan} {privacy plan} {risk assessment report} Update plans, assessment reports, and plans of action and milestones based on the results of the continuous monitoring process. Task M-4]
    Operational management Corrective
    Establish and apply classification schemes for all systems and assets. CC ID 01902 Operational management Preventive
    Establish and maintain the systems' confidentiality level. CC ID 01904 Operational management Preventive
    Define confidentiality controls. CC ID 01908 Operational management Preventive
    Establish and maintain the systems' availability level. CC ID 01905 Operational management Preventive
    Define integrity controls. CC ID 01909 Operational management Preventive
    Establish and maintain the systems' integrity level. CC ID 01906 Operational management Preventive
    Define availability controls. CC ID 01911 Operational management Preventive
    Document the decision for assigning an asset to a specific asset classification in the Asset Classification Policy. CC ID 07185
    [Review and approve the security categorization results and decision. TASK C-3]
    Operational management Preventive
    Establish and maintain a system redeployment or disposal program. CC ID 06276
    [Implement a system disposal strategy and execute required actions when a system is removed from operation. Task M-7]
    Operational management Preventive
    Document the staff's operating knowledge of the system prior to a personnel status change. CC ID 06937 Operational management Preventive
    Redeploy systems to other organizational units, as necessary. CC ID 11452 Operational management Preventive
    Establish and maintain disposal contracts, as necessary. CC ID 12199 Operational management Preventive
    Include disposal procedures in disposal contracts. CC ID 13905 Operational management Preventive
    Document the storage information for all systems that are stored instead of being disposed or redeployed. CC ID 06936 Operational management Preventive
    Establish and maintain a customer service program. CC ID 00846 Operational management Preventive
    Document the resolution of issues reported to customer service. CC ID 12918 Operational management Preventive
    Establish and maintain a change control program. CC ID 00886 Operational management Preventive
    Update associated documentation after the system configuration has been changed. CC ID 00891
    [Document changes to planned control implementations based on the "as-implemented" state of controls. TASK I-2]
    Operational management Preventive
    Document approved configuration deviations. CC ID 08711 Operational management Corrective
    Document the organization's local environments. CC ID 06726 Operational management Preventive
    Establish and maintain local environment security profiles. CC ID 07037 Operational management Preventive
    Include the business processes assigned to the local environment in the local environment security profile. CC ID 07039
    [Identify the missions, business functions, and mission/business processes that the system is intended to support. TASK P-8]
    Operational management Preventive
    Establish and maintain records management procedures used to manage organizational records. CC ID 11619 Records management Preventive
    Update the system design, build, and implementation methodology to incorporate emerging standards. CC ID 07045 Systems design, build, and implementation Preventive
    Establish and maintain system design requirements. CC ID 06618 Systems design, build, and implementation Preventive
    Identify all stakeholders who may influence the System Development Life Cycle. CC ID 06922
    [Identify stakeholders who have an interest in the design, development, implementation, assessment, operation, maintenance, or disposal of the system. TASK P-9]
    Systems design, build, and implementation Detective
    Document stakeholder requirements and how they influence system design requirements. CC ID 06925 Systems design, build, and implementation Preventive
    Document legal requirements and how they influence system design requirements. CC ID 11793 Systems design, build, and implementation Preventive
    Establish and maintain a system design project management framework. CC ID 00990 Systems design, build, and implementation Preventive
    Establish and maintain a system design specification. CC ID 04557 Systems design, build, and implementation Preventive
    Establish access control procedures for the test environment that match those of the production environment. CC ID 06793 Systems design, build, and implementation Preventive
    Include in the system documentation methodologies for authenticating the hardware security module. CC ID 12258 Systems design, build, and implementation Preventive
    Establish and maintain an acceptable use policy for the hardware security module. CC ID 12247 Systems design, build, and implementation Preventive
    Include roles and responsibilities in the acceptable use policy for the hardware security module. CC ID 12264 Systems design, build, and implementation Preventive
    Include the environmental requirements in the acceptable use policy for the hardware security module. CC ID 12263 Systems design, build, and implementation Preventive
    Include device identification in the acceptable use policy for the hardware security module. CC ID 12262 Systems design, build, and implementation Preventive
    Include device functionality in the acceptable use policy for the hardware security module. CC ID 12261 Systems design, build, and implementation Preventive
    Include administrative responsibilities in the acceptable use policy for the hardware security module. CC ID 12260 Systems design, build, and implementation Preventive
    Establish and maintain a system implementation standard. CC ID 01111 Systems design, build, and implementation Preventive
    Plan and document the Certification and Accreditation process. CC ID 11767 Systems design, build, and implementation Preventive
    Submit the information system's security authorization package to the appropriate stakeholders, as necessary. CC ID 13987
    [Assemble the authorization package and submit the package to the authorizing official for an authorization decision. TASK R-1]
    Systems design, build, and implementation Preventive
    Establish and maintain a privacy framework that protects restricted data. CC ID 11850
    [{security controls} Allocate security and privacy controls to the system and to the environment of operation. TASK S-3]
    Privacy protection for information and data Preventive
    Establish and maintain privacy notices, as necessary. CC ID 13443 Privacy protection for information and data Preventive
    Include the purpose of the privacy notice in the privacy notice. CC ID 13526 Privacy protection for information and data Preventive
    Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503 Privacy protection for information and data Preventive
    Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 Privacy protection for information and data Preventive
    Include instructions on how to opt out of personal data disclosure in the privacy notice. CC ID 13461 Privacy protection for information and data Preventive
    Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459 Privacy protection for information and data Preventive
    Include the organization's policies, standards, and procedures in the privacy notice. CC ID 13455 Privacy protection for information and data Preventive
    Include the organization's privacy framework in the privacy notice, as necessary. CC ID 13456 Privacy protection for information and data Preventive
    Include the personal data collection categories in the privacy notice. CC ID 13457 Privacy protection for information and data Preventive
    Include disclosure exceptions in the privacy notice. CC ID 13447 Privacy protection for information and data Preventive
    Include the types of personal data disclosed in the privacy notice. CC ID 13446 Privacy protection for information and data Preventive
    Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458 Privacy protection for information and data Preventive
    Specify the time frame that notice will be given. CC ID 00385 Privacy protection for information and data Preventive
    Combine privacy notices into a joint notification with suppliers, as necessary. CC ID 13468 Privacy protection for information and data Preventive
    Deliver a short-form initial notification along with an opt-out notice as an alternative to delivering a privacy notice, as necessary. CC ID 13464 Privacy protection for information and data Preventive
    Establish and maintain short-form initial notifications of privacy notices that are clear and conspicuous. CC ID 13466 Privacy protection for information and data Preventive
    Include the organization's privacy framework in the short-form initial notification, as necessary. CC ID 13472 Privacy protection for information and data Preventive
    Include the methodology for accessing the privacy notice in the short-form initial notification. CC ID 13471 Privacy protection for information and data Preventive
    Include that the privacy notice is available upon request in the short-form initial notification. CC ID 13470 Privacy protection for information and data Preventive
    Establish, implement, and maintain opt-out notices, as necessary. CC ID 13448 Privacy protection for information and data Preventive
    Include how opt-out directions for joint consumers are treated in the opt-out notice. CC ID 13465 Privacy protection for information and data Preventive
    Include the opt-out method for data subjects in the opt-out notice. CC ID 13467 Privacy protection for information and data Preventive
    Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463 Privacy protection for information and data Preventive
    Explain the right to opt out in the opt-out notice. CC ID 13462 Privacy protection for information and data Preventive
    Include the organization's right to share personal data in the opt-out notice. CC ID 13450 Privacy protection for information and data Preventive
    Provide the data subject with a notice of participation procedures. CC ID 06241 Privacy protection for information and data Preventive
    Publish a description of activities about processing personal data in an official register. CC ID 00379 Privacy protection for information and data Preventive
    Establish and maintain a records request manual. CC ID 00381 Privacy protection for information and data Preventive
    Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382 Privacy protection for information and data Preventive
    Define what is included in registration notices. CC ID 00386 Privacy protection for information and data Preventive
    Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387 Privacy protection for information and data Preventive
    Include a purpose specification description in the registration notice. CC ID 00388 Privacy protection for information and data Preventive
    Include the data subject category being processed in the registration notice. CC ID 00389 Privacy protection for information and data Preventive
    Include the time period for data processing in the registration notice. CC ID 00390 Privacy protection for information and data Preventive
    Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392 Privacy protection for information and data Preventive
    Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618 Privacy protection for information and data Preventive
    Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394 Privacy protection for information and data Preventive
    Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398 Privacy protection for information and data Preventive
    Disseminate and communicate the annual notification of rights to both parents and students. CC ID 12996 Privacy protection for information and data Preventive
    Include the criteria for determining what constitutes a legitimate educational interest in the annual notification of rights. CC ID 13004 Privacy protection for information and data Preventive
    Include the criteria for determining what constitutes a school official in the annual notification of rights. CC ID 13003 Privacy protection for information and data Preventive
    Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002 Privacy protection for information and data Preventive
    Specify the purpose of the disclosure in the written consent. CC ID 13001 Privacy protection for information and data Preventive
    Specify which education records may be disclosed in the written consent. CC ID 13000 Privacy protection for information and data Preventive
    Document the conditions when consent is not required to disclose educational data. CC ID 00225 Privacy protection for information and data Preventive
    Record the health and safety threats of students when disclosing personal data. CC ID 12997 Privacy protection for information and data Preventive
    Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 Privacy protection for information and data Preventive
    Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 Privacy protection for information and data Preventive
    Include the names of individuals to whom personal data may be disclosed in the disclosure accounting record. CC ID 13027 Privacy protection for information and data Preventive
    Establish and maintain a disclosure accounting record. CC ID 13022 Privacy protection for information and data Preventive
    Include the official authorities that are allowed to disclose personal data absent consent in the disclosure accounting record. CC ID 13029 Privacy protection for information and data Preventive
    Include the legitimate interests for accessing personal data in the disclosure accounting record. CC ID 13028 Privacy protection for information and data Preventive
    Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 Privacy protection for information and data Preventive
    Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769 Privacy protection for information and data Preventive
    Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 Privacy protection for information and data Preventive
    Include the disclosure date in the disclosure accounting record. CC ID 07133 Privacy protection for information and data Preventive
    Include the disclosure recipient in the disclosure accounting record. CC ID 07134 Privacy protection for information and data Preventive
    Include the disclosure purpose in the disclosure accounting record. CC ID 07135 Privacy protection for information and data Preventive
    Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136 Privacy protection for information and data Preventive
    Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137 Privacy protection for information and data Preventive
    Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138 Privacy protection for information and data Preventive
    Include the research activity or research protocol in the disclosure accounting record. CC ID 07139 Privacy protection for information and data Preventive
    Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140 Privacy protection for information and data Preventive
    Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141 Privacy protection for information and data Preventive
    Provide shareholders with electronic messages regarding the shareholder meetings. CC ID 04586 Privacy protection for information and data Preventive
    Make telephone directory information available to the public. CC ID 08698 Privacy protection for information and data Preventive
    Define the acceptable data modifications before presenting the data to a data subject. CC ID 00400 Privacy protection for information and data Preventive
    Establish and maintain a privacy policy. CC ID 06281
    [{security plans} Review and approve the security and privacy plans for the system and the environment of operation. TASK S-6]
    Privacy protection for information and data Preventive
    Document privacy policies in clearly written and easily understood language. CC ID 00376 Privacy protection for information and data Detective
    Define what is included in the privacy policy. CC ID 00404 Privacy protection for information and data Preventive
    Define the information being collected in the privacy policy. CC ID 13115 Privacy protection for information and data Preventive
    Define which collection of information is voluntary and which is required in the privacy policy. CC ID 13110 Privacy protection for information and data Preventive
    Include the means by which information is collected in the privacy policy. CC ID 13114 Privacy protection for information and data Preventive
    Remove certification marks of privacy programs the organization is no longer a member of from the privacy policy. CC ID 12368 Privacy protection for information and data Corrective
    Include the consequences of refusing to provide required information in the privacy policy. CC ID 13111 Privacy protection for information and data Preventive
    Remove any privacy programs the organization is not a member of from the privacy policy. CC ID 12367 Privacy protection for information and data Corrective
    Include independent recourse mechanisms in the privacy policy, as necessary. CC ID 12366 Privacy protection for information and data Preventive
    Include the privacy programs the organization is a member of in the privacy policy. CC ID 12365 Privacy protection for information and data Preventive
    Include a complaint form in the privacy policy. CC ID 12364 Privacy protection for information and data Preventive
    Include the address where the files and hardware that support the data processing are located in the privacy policy. CC ID 00405 Privacy protection for information and data Preventive
    Include the processing purpose in the privacy policy. CC ID 00406 Privacy protection for information and data Preventive
    Include an overview of applicable information security controls in the privacy policy, as necessary. CC ID 13117
    [{security plans} Document the controls for the system and environment of operation in security and privacy plans. TASK S-4]
    Privacy protection for information and data Preventive
    Include the data subject categories being processed in the privacy policy. CC ID 00407 Privacy protection for information and data Preventive
    Define the retention period for collected information in the privacy policy. CC ID 13116 Privacy protection for information and data Preventive
    Include the time period for when the data processing will be carried out in the privacy policy. CC ID 00408 Privacy protection for information and data Preventive
    Include other organizations that personal data is being disclosed to in the privacy policy. CC ID 00409 Privacy protection for information and data Preventive
    Include how to gain access to personal data held by the organization in the privacy policy. CC ID 00410 Privacy protection for information and data Preventive
    Include instructions on how to opt out in the privacy policy. CC ID 00411 Privacy protection for information and data Preventive
    Include the privacy policy's Uniform Resource Locator in the privacy policy. CC ID 12363 Privacy protection for information and data Preventive
    Define the audit method used to assess the privacy program in the privacy policy. CC ID 12390 Privacy protection for information and data Preventive
    Post the privacy policy in an easily seen location. CC ID 00401 Privacy protection for information and data Preventive
    Define who will receive the privacy policy. CC ID 00402 Privacy protection for information and data Preventive
    Update the privacy policy, as necessary. CC ID 06259
    [{security plan} {privacy plan} {risk assessment report} Update plans, assessment reports, and plans of action and milestones based on the results of the continuous monitoring process. TASK M-4]
    Privacy protection for information and data Preventive
    Document the notification of interested personnel and affected parties regarding privacy policy changes. CC ID 06944 Privacy protection for information and data Preventive
    Establish and maintain a personal data Choice and Consent program. CC ID 12569 Privacy protection for information and data Preventive
    Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433 Privacy protection for information and data Preventive
    Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999 Privacy protection for information and data Preventive
    Include procedures for revoking authorization of consent to use personal data in the disclosure authorization. CC ID 13438 Privacy protection for information and data Preventive
    Include the recipients of the disclosed personal data in the disclosure authorization. CC ID 13440 Privacy protection for information and data Preventive
    Include the signature of the data subject and the signing date in the disclosure authorization. CC ID 13439 Privacy protection for information and data Preventive
    Include the identity of the data subject in the disclosure authorization form. CC ID 13436 Privacy protection for information and data Preventive
    Include the types of personal data to be disclosed in the disclosure authorization. CC ID 13442 Privacy protection for information and data Preventive
    Include how personal data will be used in the disclosure authorization. CC ID 13441 Privacy protection for information and data Preventive
    Include agreement termination information in the disclosure authorization. CC ID 13437 Privacy protection for information and data Preventive
    Highlight the section regarding data subject's consent from other sections in contracts and agreements. CC ID 13988 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data accountability program. CC ID 13432 Privacy protection for information and data Preventive
    Submit a safe harbor self-certification letter. CC ID 06871 Privacy protection for information and data Preventive
    Establish and maintain Binding Corporate Rules for the international transfers of personal data. CC ID 12584 Privacy protection for information and data Preventive
    Include cooperation mechanisms with the supervisory authority in the Binding Corporate Rules. CC ID 12682 Privacy protection for information and data Preventive
    Include the tasks assigned to the role of data controller in the Binding Corporate Rules. CC ID 12612 Privacy protection for information and data Preventive
    Include data subject's rights in the Binding Corporate Rules. CC ID 12596 Privacy protection for information and data Preventive
    Include the means to exercise the data subject's rights in the Binding Corporate Rules. CC ID 12597 Privacy protection for information and data Preventive
    Include the organizational structure and contact information in the Binding Corporate Rules. CC ID 12595 Privacy protection for information and data Preventive
    Include the acceptance of liability for breaches of the binding corporate rules in the Binding Corporate Rules. CC ID 12594 Privacy protection for information and data Preventive
    Include the mechanisms for reporting legal requirements causing adverse effects on protecting personal data in the Binding Corporate Rules. CC ID 12620 Privacy protection for information and data Preventive
    Include provisions for providing information on the binding corporate rules to the data subject in the Binding Corporate Rules. CC ID 12593 Privacy protection for information and data Preventive
    Include reporting changes to the binding corporate rules in the Binding Corporate Rules. CC ID 12591 Privacy protection for information and data Preventive
    Include reporting changes of the binding corporate rules to the supervisory authority in the Binding Corporate Rules. CC ID 12592 Privacy protection for information and data Preventive
    Include complaint procedures in the Binding Corporate Rules. CC ID 12613 Privacy protection for information and data Preventive
    Include the data transfers in the Binding Corporate Rules. CC ID 12590 Privacy protection for information and data Preventive
    Include specifying the mechanisms for verifying compliance of the binding corporate rules in the Binding Corporate Rules. CC ID 12662 Privacy protection for information and data Preventive
    Include the identification of the countries in question for the data transfers in the Binding Corporate Rules. CC ID 12601 Privacy protection for information and data Preventive
    Include the type of data subjects affected by the data transfers in the Binding Corporate Rules. CC ID 12600 Privacy protection for information and data Preventive
    Include all pertinent data processing information for data transfers in the Binding Corporate Rules. CC ID 12599 Privacy protection for information and data Preventive
    Include the categories of personal data for data transfers in the Binding Corporate Rules. CC ID 12598 Privacy protection for information and data Preventive
    Include specifying the legally binding nature of the binding corporate rules in the Binding Corporate Rules. CC ID 12627 Privacy protection for information and data Preventive
    Include privacy awareness and training in the Binding Corporate Rules. CC ID 12626 Privacy protection for information and data Preventive
    Establish and maintain Data Processing Contracts, as necessary. CC ID 12650 Privacy protection for information and data Preventive
    Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 Privacy protection for information and data Preventive
    Include the stipulation of notifying the data controller of legal requirements prior to processing personal data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 Privacy protection for information and data Preventive
    Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 Privacy protection for information and data Preventive
    Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 Privacy protection for information and data Preventive
    Include the stipulation that Report on Compliance will be made available in the Data Processing Contract. CC ID 12678 Privacy protection for information and data Preventive
    Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 Privacy protection for information and data Preventive
    Include the stipulation that copies of personal data will be disposed of, unless retention is required by law, in the Data Processing Contract. CC ID 12670 Privacy protection for information and data Preventive
    Include the stipulation that personal data will be disposed of or returned to the data subject in the Data Processing Contract. CC ID 12669 Privacy protection for information and data Preventive
    Establish and maintain a personal data use limitation program. CC ID 13428 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 Privacy protection for information and data Preventive
    Document the law that requires personal data to be collected. CC ID 00103 Privacy protection for information and data Preventive
    Establish, implement, and maintain personal data use change of purpose procedures. CC ID 00106 Privacy protection for information and data Preventive
    Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 Privacy protection for information and data Preventive
    Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 Privacy protection for information and data Preventive
    Document personal data that is disclosed for an acceptable secondary purpose. CC ID 00124 Privacy protection for information and data Preventive
    Establish and maintain personal data access procedures. CC ID 00414 Privacy protection for information and data Preventive
    Require personal data access requests to be in writing, unless the requester is unable. CC ID 00420 Privacy protection for information and data Preventive
    Define what is to be included in a personal data access request. CC ID 08699 Privacy protection for information and data Preventive
    Deliver the records described in the personal data access request, as necessary. CC ID 08701 Privacy protection for information and data Preventive
    Establish and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 Privacy protection for information and data Preventive
    Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 Privacy protection for information and data Preventive
    Notify third parties of personal data access requests that relate to the third party. CC ID 08703 Privacy protection for information and data Preventive
    Establish and maintain personal data use limitation procedures. CC ID 00128 Privacy protection for information and data Preventive
    Establish and maintain a record of processing activities when processing personal data. CC ID 12636 Privacy protection for information and data Preventive
    Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378 Privacy protection for information and data Preventive
    Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377 Privacy protection for information and data Preventive
    Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376 Privacy protection for information and data Preventive
    Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375 Privacy protection for information and data Preventive
    Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 Privacy protection for information and data Preventive
    Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 Privacy protection for information and data Preventive
    Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 Privacy protection for information and data Preventive
    Define and implement valid authorization control requirements. CC ID 06258 Privacy protection for information and data Preventive
    Define security breach notification requirement exceptions. CC ID 04797 Privacy protection for information and data Preventive
    Define what personal data is not required to be disclosed absent consent. CC ID 00134 Privacy protection for information and data Preventive
    Define the exceptions to disclosure absent consent. CC ID 00135 Privacy protection for information and data Preventive
    Define opt-out exceptions for disclosing personal data. CC ID 00159 Privacy protection for information and data Preventive
    Define how a data subject may give consent. CC ID 00160 Privacy protection for information and data Preventive
    Disclose personal data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162 Privacy protection for information and data Detective
    Establish and maintain personal data retention procedures. CC ID 00167 Privacy protection for information and data Preventive
    Establish, implement, and maintain personal data disposition procedures. CC ID 13498 Privacy protection for information and data Preventive
    Document the exceptions for redisclosing personal data. CC ID 00170 Privacy protection for information and data Preventive
    Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 Privacy protection for information and data Preventive
    Establish and maintain personal data disclosure procedures. CC ID 00133 Privacy protection for information and data Preventive
    Establish and maintain personal data request denial procedures. CC ID 00434 Privacy protection for information and data Preventive
    Document that a personal data search was conducted when the personal data cannot be found. CC ID 06953 Privacy protection for information and data Preventive
    Include cookie management in the privacy framework. CC ID 13809 Privacy protection for information and data Preventive
    Establish and maintain cookie management procedures. CC ID 13810 Privacy protection for information and data Preventive
    Establish and maintain a personal data collection program. CC ID 06487 Privacy protection for information and data Preventive
    Establish and maintain personal data collection limitation boundaries. CC ID 00507 Privacy protection for information and data Preventive
    Establish and maintain a personal data use policy. CC ID 00076 Privacy protection for information and data Preventive
    Post the collection purpose. CC ID 00101 Privacy protection for information and data Preventive
    Document each individual's personal data collection consent preferences. CC ID 06945 Privacy protection for information and data Preventive
    Establish and maintain a personal data definition. CC ID 00028 Privacy protection for information and data Preventive
    Include the number of children in the personal data definition. CC ID 13759 Privacy protection for information and data Preventive
    Include the individual's religion in the personal data definition. CC ID 13765 Privacy protection for information and data Preventive
    Include an individual's political party affiliation in the personal data definition. CC ID 13764 Privacy protection for information and data Preventive
    Include an individual's license plate number in the personal data definition. CC ID 13763 Privacy protection for information and data Preventive
    Include an individual's account balances in the personal data definition. CC ID 13770 Privacy protection for information and data Preventive
    Include an individual's logon credentials in the personal data definition. CC ID 13771 Privacy protection for information and data Preventive
    Include an individual's military identification number in the personal data definition. CC ID 13083 Privacy protection for information and data Preventive
    Refrain from including publicly available information in the personal data definition. CC ID 13084 Privacy protection for information and data Preventive
    Notify parents of what information is collected from children. CC ID 00040 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data collection policy. CC ID 00029 Privacy protection for information and data Preventive
    Provide the data subject with information about the data controller during the collection process. CC ID 00023 Privacy protection for information and data Preventive
    Provide the data subject with the data collector's name and contact information. CC ID 00024 Privacy protection for information and data Preventive
    Provide the data subject with the name of the data collector who will hold the collected personal data. CC ID 00025 Privacy protection for information and data Preventive
    Provide the data subject with the third party processor's contact information when the data controller is not processing the personal data. CC ID 00026 Privacy protection for information and data Preventive
    Establish and maintain a data handling program. CC ID 13427 Privacy protection for information and data Preventive
    Establish, implement, and maintain data handling policies. CC ID 00353 Privacy protection for information and data Preventive
    Establish and maintain data and information confidentiality policies. CC ID 00361 Privacy protection for information and data Preventive
    Establish and maintain suspicious document procedures. CC ID 04852 Privacy protection for information and data Detective
    Establish and maintain caller identification controls. CC ID 04790 Privacy protection for information and data Preventive
    Establish and maintain data handling procedures. CC ID 11756 Privacy protection for information and data Preventive
    Define personal data that falls under breach notification rules. CC ID 00800 Privacy protection for information and data Preventive
    Define an out of scope privacy breach. CC ID 04677 Privacy protection for information and data Preventive
    Establish and maintain a personal data transfer program. CC ID 00307 Privacy protection for information and data Preventive
    Include procedures for transferring personal data from one data controller to another data controller in the personal data transfer program. CC ID 00351 Privacy protection for information and data Preventive
    Include procedures for transferring personal data to third parties in the personal data transfer program. CC ID 00333 Privacy protection for information and data Preventive
    Document transfer disagreements by the data subject in writing. CC ID 00348 Privacy protection for information and data Preventive
    Define the personal data transfer exceptions for transferring personal data to another country when adequate protection level standards are not met. CC ID 00315 Privacy protection for information and data Preventive
    Define the personal data transfer exceptions for transferring personal data to another organization when adequate protection level standards are not met. CC ID 00336 Privacy protection for information and data Preventive
    Establish and maintain Internet interactivity data transfer procedures. CC ID 06949 Privacy protection for information and data Preventive
    Establish and maintain a privacy impact assessment, as necessary. CC ID 13712 Privacy protection for information and data Preventive
    File privacy rights violation complaints in writing. CC ID 00477 Privacy protection for information and data Corrective
    Establish and maintain a privacy dispute resolution program. CC ID 12526 Privacy protection for information and data Preventive
    Include potential remedies in the privacy dispute resolution program. CC ID 12531 Privacy protection for information and data Preventive
    Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395 Privacy protection for information and data Preventive
    Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529 Privacy protection for information and data Preventive
    Document unresolved challenges. CC ID 13568 Privacy protection for information and data Preventive
    Establish and maintain an accuracy resolution policy. CC ID 00460 Privacy protection for information and data Preventive
    Document disagreements as to whether personal data is complete and accurate. CC ID 06952 Privacy protection for information and data Preventive
    Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954 Privacy protection for information and data Preventive
    Include the allegations against the organization in the notice of investigation. CC ID 13031 Privacy protection for information and data Preventive
    Create an investigative report in regards to a privacy rights violation complaint. CC ID 00495 Privacy protection for information and data Corrective
    Define the available administrative remedies in regards to a privacy rights violation complaint. CC ID 00497 Privacy protection for information and data Detective
    Define the organization's liability based on the applicable law. CC ID 00504 Privacy protection for information and data Preventive
    Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 Privacy protection for information and data Preventive
    Define the appeal process based on the applicable law. CC ID 00506 Privacy protection for information and data Preventive
    Provide notice of proposed penalties. CC ID 06216 Privacy protection for information and data Preventive
  • Human Resources Management (15 items)
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Assign roles and responsibilities for overseeing access to restricted data or restricted information. CC ID 11950 Monitoring and measurement Detective
    Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 Physical and environmental protection Preventive
    Direct each employee to be responsible for their identification card or badge. CC ID 12332 Physical and environmental protection Preventive
    Assign employees the responsibility for controlling their identification badges. CC ID 12333 Physical and environmental protection Preventive
    Define and assign workforce roles and responsibilities. CC ID 13267 Human Resources management Preventive
    Define and assign roles and responsibilities for those involved in risk management. CC ID 13660 Human Resources management Preventive
    [Identify and assign individuals to specific roles associated with security and privacy risk management. TASK P-1]
    Include the management structure in the duties and responsibilities for risk management. CC ID 13665 Human Resources management Preventive
    Assign senior management to approve the cost benefit analysis in the feasibility study. CC ID 13069 Systems design, build, and implementation Preventive
    Refrain from discriminating against data subjects who have refrained from granting an authorization of consent to use personal data. CC ID 13435 Privacy protection for information and data Preventive
    Assign ownership of the privacy program to the appropriate organizational role. CC ID 11848 Privacy protection for information and data Preventive
    Bind data controllers to secrecy concerning the performance of their duties. CC ID 12610 Privacy protection for information and data Preventive
    Refrain from engaging other data processors absent written authorization from the data controller. CC ID 12647 Privacy protection for information and data Preventive
    Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 Privacy protection for information and data Preventive
    Review compliance with the organization's privacy objectives. CC ID 13490 Privacy protection for information and data Detective
    [{security requirements} Allocate security and privacy requirements to the system and to the environment of operation. TASK P-17
    {are acceptable} {security posture} Review the security and privacy posture of the system on an ongoing basis to determine whether the risk remains acceptable. TASK M-6]
    Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798 Privacy protection for information and data Preventive
  • IT Impact Zone (10 items)
    Leadership and high level objectives CC ID 00597 Leadership and high level objectives IT Impact Zone
    Audits and risk management CC ID 00677 Audits and risk management IT Impact Zone
    Monitoring and measurement CC ID 00636 Monitoring and measurement IT Impact Zone
    Physical and environmental protection CC ID 00709 Physical and environmental protection IT Impact Zone
    Human Resources management CC ID 00763 Human Resources management IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    Records management CC ID 00902 Records management IT Impact Zone
    Systems design, build, and implementation CC ID 00989 Systems design, build, and implementation IT Impact Zone
    Acquisition or sale of facilities, technology, and services CC ID 01123 Acquisition or sale of facilities, technology, and services IT Impact Zone
    Privacy protection for information and data CC ID 00008 Privacy protection for information and data IT Impact Zone
  • Investigate (15 items)
    Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 Audits and risk management Detective
    Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 Audits and risk management Preventive
    Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925 Monitoring and measurement Corrective
    Monitor and evaluate the effectiveness of detection tools. CC ID 13505 Monitoring and measurement Detective
    Determine if high rates of retail payment activities are from Originating Depository Financial Institutions. CC ID 13546 Monitoring and measurement Detective
    Review retail payment service reports, as necessary. CC ID 13545 Monitoring and measurement Detective
    Rank discovered vulnerabilities. CC ID 11940 Monitoring and measurement Detective
    Inspect device surfaces to detect tampering. CC ID 11868 Physical and environmental protection Detective
    Inspect device surfaces to detect unauthorized substitution. CC ID 11869 Physical and environmental protection Detective
    Detect anomalies in physical barriers. CC ID 13533 Physical and environmental protection Detective
    Inspect mobile devices for the storage of restricted data or restricted information. CC ID 08707 Physical and environmental protection Detective
    Analyze requirements for processing personal data in contracts. CC ID 12550 Privacy protection for information and data Detective
    Confirm the data quality of personal data collected from third parties. CC ID 13510 Privacy protection for information and data Detective
    Review the methods for collecting personal data, as necessary. CC ID 13511 Privacy protection for information and data Detective
    Perform an identity check prior to approving an account change request. CC ID 13670 Privacy protection for information and data Detective
  • Log Management (35 items)
    Establish, implement, and maintain logging and monitoring operations. CC ID 00637 Monitoring and measurement Detective
    [Develop and implement an organization-wide strategy for continuously monitoring control effectiveness. TASK P-7]
    Enable monitoring and logging operations on all assets that meet the organizational criteria to maintain event logs. CC ID 06312 Monitoring and measurement Preventive
    Document and communicate the log locations to the owning entity. CC ID 12047 Monitoring and measurement Preventive
    Make logs available for review by the owning entity. CC ID 12046 Monitoring and measurement Preventive
    Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 Monitoring and measurement Detective
    Establish and maintain event logging procedures. CC ID 01335 Monitoring and measurement Detective
    Enable logging for all systems that meet the traceability criteria. CC ID 00640 Monitoring and measurement Detective
    Analyze firewall logs for the correct capturing of data. CC ID 00549 Monitoring and measurement Detective
    Define the frequency to capture and log events. CC ID 06313 Monitoring and measurement Preventive
    Include logging frequencies in the event logging procedures. CC ID 00642 Monitoring and measurement Preventive
    Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 Monitoring and measurement Preventive
    Protect the event logs from failure. CC ID 06290 Monitoring and measurement Preventive
    Review event logs, Intrusion Detection System reports, security incident tracking reports, and other security logs regularly. CC ID 00596 Monitoring and measurement Detective
    Eliminate false positives in event logs, intrusion detection system reports, security incident tracking reports, and other security logs. CC ID 07047 Monitoring and measurement Corrective
    Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 Monitoring and measurement Detective
    Reproduce the event log if a log failure is captured. CC ID 01426 Monitoring and measurement Preventive
    Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 Monitoring and measurement Detective
    Log account usage to determine dormant accounts. CC ID 12118 Monitoring and measurement Detective
    Log account usage times. CC ID 07099 Monitoring and measurement Detective
    Log Internet Protocol addresses used during logon. CC ID 07100 Monitoring and measurement Detective
    Establish and maintain a visitor log. CC ID 00715 Physical and environmental protection Preventive
    Record the visitor's name in the visitor log. CC ID 00557 Physical and environmental protection Preventive
    Record the visitor's organization in the visitor log. CC ID 12121 Physical and environmental protection Preventive
    Record the visitor's acceptable access areas in the visitor log. CC ID 12237 Physical and environmental protection Preventive
    Retain all records in the visitor log as prescribed by law. CC ID 00572 Physical and environmental protection Preventive
    Log the entrance of a staff member to a facility or designated rooms within the facility. CC ID 01641 Physical and environmental protection Preventive
    Log when the vault is accessed. CC ID 06725 Physical and environmental protection Detective
    Log when the cabinet is accessed. CC ID 11674 Physical and environmental protection Detective
    Store facility access logs in off-site storage. CC ID 06958 Physical and environmental protection Preventive
    Log the transfer of removable storage media. CC ID 12322 Physical and environmental protection Preventive
    Log the transferring of custody of removable storage media. CC ID 12321 Physical and environmental protection Preventive
    Log the disclosure of personal data. CC ID 06628 Privacy protection for information and data Preventive
    Log the modification of personal data. CC ID 11844 Privacy protection for information and data Preventive
    Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 Privacy protection for information and data Detective
    Log dates for account name changes or address changes. CC ID 04876 Privacy protection for information and data Detective
  • Monitor and Evaluate Occurrences (62 items)
    Analyze organizational objectives, functions, and activities. CC ID 00598 Leadership and high level objectives Preventive
    Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 Leadership and high level objectives Preventive
    [{security posture} Monitor the information system and its environment of operation for changes that impact the security and privacy posture of the system. TASK M-1]
    Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 Leadership and high level objectives Preventive
    [{security posture} Monitor the information system and its environment of operation for changes that impact the security and privacy posture of the system. TASK M-1]
    Monitor for changes which affect organizational strategies in the external environment. CC ID 12880 Leadership and high level objectives Preventive
    [{security posture} Monitor the information system and its environment of operation for changes that impact the security and privacy posture of the system. TASK M-1]
    Monitor for changes which affect organizational objectives in the external environment. CC ID 12879 Leadership and high level objectives Preventive
    [{security posture} Monitor the information system and its environment of operation for changes that impact the security and privacy posture of the system. TASK M-1]
    Establish and maintain intrusion management operations. CC ID 00580 Monitoring and measurement Preventive
    Monitor systems for inappropriate usage and other security violations. CC ID 00585 Monitoring and measurement Detective
    Monitor systems for blended attacks and multiple component incidents. CC ID 01225 Monitoring and measurement Detective
    Monitor systems for Denial of Service attacks. CC ID 01222 Monitoring and measurement Detective
    Monitor systems for unauthorized data transfers. CC ID 12971 Monitoring and measurement Preventive
    Monitor systems for access to restricted data or restricted information. CC ID 04721 Monitoring and measurement Detective
    Detect unauthorized access to systems. CC ID 06798 Monitoring and measurement Detective
    Incorporate potential red flags into the organization's incident management system. CC ID 04652 Monitoring and measurement Detective
    Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430 Monitoring and measurement Detective
    Alert interested personnel and affected parties when an incident causes an outage. CC ID 06808 Monitoring and measurement Detective
    Monitor systems for unauthorized mobile code. CC ID 10034 Monitoring and measurement Preventive
    Monitor and evaluate system performance. CC ID 00651 Monitoring and measurement Detective
    Monitor for suspicious activities and react when they are detected. CC ID 00586 Monitoring and measurement Detective
    Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of electronic information. CC ID 04727 Monitoring and measurement Corrective
    Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of printed records. CC ID 04728 Monitoring and measurement Corrective
    Report a data loss event after a security incident is detected and there are indications that the unauthorized person has accessed information in either paper or electronic form. CC ID 04740 Monitoring and measurement Corrective
    Report a data loss event after a security incident is detected and there are indications that the information has been or will likely be used in an unauthorized manner. CC ID 04729 Monitoring and measurement Corrective
    Report a data loss event after a security incident is detected and there are indications that the information has been or will likely be used in an unauthorized manner that could cause substantial economic impact. CC ID 04742 Monitoring and measurement Corrective
    Monitor and review retail payment activities, as necessary. CC ID 13541 Monitoring and measurement Detective
    Establish and maintain an automated configuration monitoring system, as necessary. CC ID 07058 Monitoring and measurement Detective
    Monitor for and report when a software configuration is updated. CC ID 06746 Monitoring and measurement Detective
    Escalate the report when the software configuration is updated absent authorization. CC ID 04886 Monitoring and measurement Detective
    Monitor for firmware updates absent authorization. CC ID 10675 Monitoring and measurement Detective
    Implement file integrity monitoring. CC ID 01205 Monitoring and measurement Detective
    Monitor for software configuration updates absent authorization. CC ID 10676 Monitoring and measurement Preventive
    Monitor for when documents are being updated absent authorization. CC ID 10677 Monitoring and measurement Preventive
    Monitor and evaluate user account activity. CC ID 07066 Monitoring and measurement Detective
    Generate daily reports of user logons during hours outside of their usage profile. CC ID 07068 Monitoring and measurement Detective
    Generate daily reports of users who have grossly exceeded their usage profile logon duration. CC ID 07069 Monitoring and measurement Detective
    Log account usage durations. CC ID 12117 Monitoring and measurement Detective
    Report red flags when logon credentials are used on a computer different from the one in the usage profile. CC ID 07070 Monitoring and measurement Detective
    Alert appropriate personnel when rogue devices are discovered on the network. CC ID 06428 Monitoring and measurement Corrective
    Create a plan of action to correct control deficiencies identified in an audit. CC ID 00675 Monitoring and measurement Detective
    [{security plan} {privacy plan} {risk assessment report} Update plans, assessment reports, and plans of action and milestones based on the results of the continuous monitoring process. TASK M-4]
    Monitor the activities to correct control deficiencies identified in an audit. CC ID 11645 Monitoring and measurement Detective
    [Conduct initial remediation actions on the controls and reassess remediated controls. TASK A-5]
    Report known security issues to the Board of Directors or Senior Executive Committee on a regular basis. CC ID 12329 Monitoring and measurement Preventive
    [Report the authorization decision and any deficiencies in controls that represent significant security or privacy risk. TASK R-5]
    Establish and maintain an anti-tamper protection program. CC ID 10638 Physical and environmental protection Detective
    Monitor for evidence that tampering indicators are being identified. CC ID 11905 Physical and environmental protection Detective
    Inspect for tampering at random intervals. CC ID 10640 Physical and environmental protection Detective
    Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747 Physical and environmental protection Preventive
    Monitor for unauthorized physical access at physical entry points. CC ID 06797 Physical and environmental protection Detective
    Monitor entry through all physical entry points. CC ID 01638 Physical and environmental protection Detective
    Log the exit of a staff member from a facility or designated rooms within the facility. CC ID 11675 Physical and environmental protection Preventive
    Observe restricted areas with motion detectors or closed-circuit television systems. CC ID 01328 Physical and environmental protection Detective
    Review and correlate all data collected from video cameras and/or access control mechanisms with other entries. CC ID 11609 Physical and environmental protection Detective
    Evaluate and react when physical entry point alarms detect unauthorized access. CC ID 11677 Physical and environmental protection Detective
    Monitor for alarmed security doors being propped open. CC ID 06684 Physical and environmental protection Detective
    Monitor the location of distributed Information Technology assets. CC ID 11684 Physical and environmental protection Detective
    Log an incident if unauthorized restricted data or unauthorized restricted information is discovered on a mobile device. CC ID 08708 Physical and environmental protection Corrective
    Include anti-tamper technologies and anti-tamper techniques in the system design specification. CC ID 10639 Systems design, build, and implementation Detective
    Identify potential red flags to alert the organization before data leakage occurs. CC ID 04654 Privacy protection for information and data Preventive
    Establish and maintain suspicious user account activity procedures. CC ID 04854 Privacy protection for information and data Detective
    Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 Privacy protection for information and data Corrective
    Review accounts that are changed for additional user requests. CC ID 11846 Privacy protection for information and data Detective
    Review monitored websites for data leakage. CC ID 10593 Privacy protection for information and data Detective
    Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 Privacy protection for information and data Preventive
    Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 Privacy protection for information and data Preventive
    Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 Privacy protection for information and data Preventive
  • Physical and Environmental Protection (111 items)
    Analyze and evaluate engineering systems. CC ID 13080 Physical and environmental protection Preventive
    Analyze and evaluate facilities and their structural elements. CC ID 13079 Physical and environmental protection Preventive
    Analyze and evaluate mechanical systems, as necessary. CC ID 13078 Physical and environmental protection Preventive
    Protect assets from tampering or unapproved substitution. CC ID 11902 Physical and environmental protection Preventive
    Protect the facility from crime. CC ID 06347 Physical and environmental protection Preventive
    Protect facilities from eavesdropping. CC ID 02222 Physical and environmental protection Preventive
    Inspect telephones for eavesdropping devices. CC ID 02223 Physical and environmental protection Detective
    Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 Physical and environmental protection Preventive
    Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 Physical and environmental protection Preventive
    Establish clear zones around any sensitive facilities. CC ID 02214 Physical and environmental protection Preventive
    Inspect items brought into the facility. CC ID 06341 Physical and environmental protection Preventive
    Maintain all physical security systems. CC ID 02206 Physical and environmental protection Preventive
    Maintain all security alarm systems. CC ID 11669 Physical and environmental protection Preventive
    Control physical access to (and within) the facility. CC ID 01329 Physical and environmental protection Preventive
    Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419 Physical and environmental protection Preventive
    Secure physical entry points with physical access controls or security guards. CC ID 01640 Physical and environmental protection Detective
    Configure the access control system to grant access only during authorized working hours. CC ID 12325 Physical and environmental protection Preventive
    Check the visitor's stated identity against a provided government issued identification. CC ID 06701 Physical and environmental protection Preventive
    Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463 Physical and environmental protection Corrective
    Issue photo identification badges to all employees. CC ID 12326 Physical and environmental protection Preventive
    Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 Physical and environmental protection Preventive
    Manage visitor identification inside the facility. CC ID 11670 Physical and environmental protection Preventive
    Secure unissued visitor identification badges. CC ID 06712 Physical and environmental protection Preventive
    Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 Physical and environmental protection Preventive
    Restrict access to the badge system to authorized personnel. CC ID 12043 Physical and environmental protection Preventive
    Enforce dual control for badge assignments. CC ID 12328 Physical and environmental protection Preventive
    Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 Physical and environmental protection Preventive
    Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 Physical and environmental protection Preventive
    Prevent tailgating through physical entry points. CC ID 06685 Physical and environmental protection Preventive
    Use locks to protect against unauthorized physical access. CC ID 06342 Physical and environmental protection Preventive
    Install and maintain security lighting at all physical entry points. CC ID 02205 Physical and environmental protection Preventive
    Manage access to loading docks, unloading docks, and mail rooms. CC ID 02210 Physical and environmental protection Preventive
    Secure the loading dock with physical access controls or security guards. CC ID 06703 Physical and environmental protection Preventive
    Isolate loading areas from information processing facilities, if possible. CC ID 12028 Physical and environmental protection Preventive
    Screen incoming mail and deliveries. CC ID 06719 Physical and environmental protection Preventive
    Protect access to the facility's mechanical systems area. CC ID 02212 Physical and environmental protection Preventive
    Establish and maintain elevator security guidelines. CC ID 02232 Physical and environmental protection Preventive
    Establish and maintain stairwell security guidelines. CC ID 02233 Physical and environmental protection Preventive
    Establish and maintain glass opening security guidelines. CC ID 02234 Physical and environmental protection Preventive
    Establish a security room, if necessary. CC ID 00738 Physical and environmental protection Preventive
    Implement physical security standards for mainframe rooms or data centers. CC ID 00749 Physical and environmental protection Preventive
    Establish and maintain equipment security cages in a shared space environment. CC ID 06711 Physical and environmental protection Preventive
    Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 Physical and environmental protection Preventive
    Lock all lockable equipment cabinets. CC ID 11673 Physical and environmental protection Detective
    Establish and maintain vault physical security standards. CC ID 02203 Physical and environmental protection Preventive
    Monitor physical entry point alarms. CC ID 01639 Physical and environmental protection Detective
    Build and maintain fencing, as necessary. CC ID 02235 Physical and environmental protection Preventive
    Implement security measures for all interior spaces that allow for any payment transactions. CC ID 06352 Physical and environmental protection Preventive
    Design interior walls with sound absorbing materials as well as thermal resistant materials. CC ID 06372 Physical and environmental protection Preventive
    Establish and maintain physical security controls for distributed Information Technology assets. CC ID 00718 Physical and environmental protection Preventive
    Restrict physical access to distributed Information Technology assets. CC ID 11865 Physical and environmental protection Preventive
    House network hardware in lockable rooms or lockable equipment cabinets. CC ID 01873 Physical and environmental protection Preventive
    Protect electronic storage media with physical access controls. CC ID 00720 Physical and environmental protection Preventive
    Protect physical assets with earthquake-resistant mechanisms. CC ID 06360 Physical and environmental protection Preventive
    Physically secure all electronic storage media that store restricted data or restricted information. CC ID 11664 Physical and environmental protection Preventive
    Store removable storage media containing restricted data or restricted information using electronic media storage cabinets or electronic media storage vaults. CC ID 00717 Physical and environmental protection Preventive
    Protect the combinations for all combination locks. CC ID 02199 Physical and environmental protection Preventive
    Establish and maintain eavesdropping protection for vaults. CC ID 02231 Physical and environmental protection Preventive
    Protect distributed Information Technology assets against theft. CC ID 06799 Physical and environmental protection Preventive
    Control the delivery of assets through physical entry points and physical exit points. CC ID 01441 Physical and environmental protection Preventive
    Control the removal of assets through physical entry points and physical exit points. CC ID 11681 Physical and environmental protection Preventive
    Establish, implement, and maintain on-site physical controls for all distributed Information Technology assets. CC ID 04820 Physical and environmental protection Preventive
    Establish and maintain off-site physical controls for all distributed Information Technology assets. CC ID 04539 Physical and environmental protection Preventive
    Attach asset location technologies to distributed Information Technology assets. CC ID 10626 Physical and environmental protection Detective
    Employ asset location technologies in accordance with applicable laws and regulations. CC ID 10627 Physical and environmental protection Preventive
    Unpair missing Bluetooth devices. CC ID 12428 Physical and environmental protection Corrective
    Secure workstations to desks with security cables. CC ID 04724 Physical and environmental protection Preventive
    Refrain from responding to unsolicited Personal Identification Number requests. CC ID 12430 Physical and environmental protection Preventive
    Implement mobile device security guidelines. CC ID 06353 Physical and environmental protection Preventive
    Refrain from pairing Bluetooth devices in unsecured areas. CC ID 12429 Physical and environmental protection Preventive
    Separate systems that transmit, process, or store restricted data from those that do not by deploying physical access controls. CC ID 00722 Physical and environmental protection Preventive
    Position computer monitors in such a way that unauthorized personnel are prevented from viewing them. CC ID 01437 Physical and environmental protection Preventive
    Identify customer property within the organizational facility. CC ID 06612 Physical and environmental protection Preventive
    Protect customer property under the care of the organization. CC ID 11685 Physical and environmental protection Preventive
    Provide storage media shelving capable of bearing all potential loads. CC ID 11400 Physical and environmental protection Preventive
    Establish and maintain proper aircraft security. CC ID 02213 Physical and environmental protection Preventive
    Establish parking requirements for vehicles. CC ID 02218 Physical and environmental protection Preventive
    Establish and maintain proper container security. CC ID 02208 Physical and environmental protection Preventive
    Inspect the physical integrity of all containers before loading the containers. CC ID 02209 Physical and environmental protection Detective
    Lock closable storage containers. CC ID 06307 Physical and environmental protection Preventive
    Control the issuance of payment cards. CC ID 06403 Physical and environmental protection Preventive
    Store non-issued payment cards in a lockable cabinet or safe. CC ID 06404 Physical and environmental protection Preventive
    Deliver payment cards to customers using secure methods. CC ID 06405 Physical and environmental protection Preventive
    Establish and maintain physical security of assets used for publicity. CC ID 06724 Physical and environmental protection Preventive
    Install and protect network cabling. CC ID 08624 Physical and environmental protection Preventive
    Install and protect fiber optic cable, as necessary. CC ID 08625 Physical and environmental protection Preventive
    Restrict fiber optic cables to carry only specific security classification traffic. CC ID 08628 Physical and environmental protection Preventive
    Restrict the length of fiber optic flying leads to 5 meters. CC ID 08639 Physical and environmental protection Detective
    Label fiber optic flying leads according to security classification of data being carried over the fiber optic cables. CC ID 08640 Physical and environmental protection Preventive
    Install network cable in a way that allows ease of inspection. CC ID 08626 Physical and environmental protection Preventive
    Inspect network cabling at distances determined by security classification. CC ID 08644 Physical and environmental protection Detective
    Bundle network cables together at each inspection point by security classification of data being carried over that cable. CC ID 08649 Physical and environmental protection Preventive
    Label conduit according to security classification of data being carried over the network cable inside the conduit. CC ID 08630 Physical and environmental protection Preventive
    Label each end of a network cable run. CC ID 08632 Physical and environmental protection Preventive
    Terminate approved network cables on the patch panel. CC ID 08633 Physical and environmental protection Preventive
    Prevent installing network cabling inside walls shared with third parties. CC ID 08648 Physical and environmental protection Preventive
    Install network cabling specifically for maintenance purposes. CC ID 10613 Physical and environmental protection Preventive
    Install and maintain network jacks and outlet boxes. CC ID 08635 Physical and environmental protection Preventive
    Implement physical controls to restrict access to publicly accessible network jacks. CC ID 11989 Physical and environmental protection Preventive
    Label network cabling outlet boxes. CC ID 08631 Physical and environmental protection Preventive
    Implement logical controls to enable network jacks, as necessary. CC ID 11934 Physical and environmental protection Preventive
    Identify network jacks by security classification according to security classification of data being carried over the cable. CC ID 08634 Physical and environmental protection Preventive
    Identify network cable faceplates by security classification according to security classification of data being carried over the cable. CC ID 08643 Physical and environmental protection Preventive
    Install and maintain network patch panels. CC ID 08636 Physical and environmental protection Preventive
    Separate network patch panels in different network cabinets according to security classification of data being carried over the cables. CC ID 08637 Physical and environmental protection Preventive
    Assign access to network patch panels on a need-to-know basis. CC ID 08638 Physical and environmental protection Preventive
    Encase network cabling in conduit or closed cable reticulation systems, as necessary. CC ID 08647 Physical and environmental protection Preventive
    Install conduit on walls connecting to network cable outlet boxes, as necessary. CC ID 08646 Physical and environmental protection Preventive
    Seal data conduit couplings and data conduit fitting bodies. CC ID 08629 Physical and environmental protection Preventive
    Install cable reticulation systems as close to the network cabinets as possible. CC ID 08642 Physical and environmental protection Preventive
    Partition cable bundles in cable reticulation systems by security classification of data being carried over the network cable. CC ID 08645 Physical and environmental protection Preventive
  • Process or Activity (53 items)
    Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 Audits and risk management Detective
    Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 Audits and risk management Detective
    Review and approve the use of continuous security management systems. CC ID 13181 Monitoring and measurement Preventive
    Alert interested personnel and affected parties when an unauthorized modification to critical files is detected. CC ID 12045 Monitoring and measurement Preventive
    Implement physical identification processes. CC ID 13715 Physical and environmental protection Preventive
    Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 Physical and environmental protection Preventive
    Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714 Physical and environmental protection Preventive
    Include identity proofing processes in the identification issuance procedures. CC ID 06597 Physical and environmental protection Preventive
    Prohibit assets from being taken off-site absent prior authorization. CC ID 12027 Physical and environmental protection Preventive
    Remote wipe any distributed Information Technology asset reported lost or stolen. CC ID 12197 Physical and environmental protection Corrective
    Remove dormant systems from the network, as necessary. CC ID 13727 Physical and environmental protection Corrective
    Control physical access to network cables. CC ID 00723 Physical and environmental protection Preventive
    Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 Operational management Preventive
    Review the information classification of the information that the organization collects, processes, and stores, as necessary. CC ID 13008 Records management Detective
    Review the electronic storage media for the information the organization collects and processes. CC ID 13009 Records management Detective
    Assess the continuity requirements during the planning and development stage for new products and services. CC ID 12779 Systems design, build, and implementation Preventive
    Require a data protection impact assessment when profiling the data subject. CC ID 12680 Privacy protection for information and data Detective
    Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609 Privacy protection for information and data Preventive
    Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588 Privacy protection for information and data Preventive
    Provide the data subject with the data retention period for personal data. CC ID 12587 Privacy protection for information and data Preventive
    Provide the data subject with the criteria used to determine the data retention period for personal data. CC ID 12589 Privacy protection for information and data Preventive
    Provide the data subject with the adequacy decision. CC ID 12586 Privacy protection for information and data Preventive
    Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. CC ID 12585 Privacy protection for information and data Preventive
    Provide the data subject with copies of the appropriate safeguards used to protect the privacy of personal data. CC ID 12608 Privacy protection for information and data Preventive
    Notify the data subject of the right to data portability. CC ID 12603 Privacy protection for information and data Preventive
    Provide the data subject with information about the right to erasure. CC ID 12602 Privacy protection for information and data Preventive
    Provide shareholders access to electronic messages via electronic means. CC ID 11855 Privacy protection for information and data Preventive
    Provide the data subject with information about the legitimate interests associated with personal data processing. CC ID 12614 Privacy protection for information and data Preventive
    Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 Privacy protection for information and data Preventive
    Allow affected third parties to consent or object to a personal data access request. CC ID 08704 Privacy protection for information and data Preventive
    Refrain from processing personal data if the personal data is involved in a legal claim. CC ID 12668 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778 Privacy protection for information and data Detective
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644 Privacy protection for information and data Preventive
    Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 Privacy protection for information and data Preventive
    Rely upon the warrant of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 Privacy protection for information and data