0003165
United Arab Emirates Federal Law No. (1) of 2006 On Electronic Commerce and Transactions
Federal Supreme Council
Bill or Act
Free
Federal Law No. (1) of 2006 On Electronic Commerce and Transactions
United Arab Emirates Federal Law No. (1) of 2006 On Electronic Commerce and Transactions
2006-01-30
The document as a whole was last reviewed and released on 2020-04-16T00:00:00-0700.
0003165
Free
Federal Supreme Council
Bill or Act
Federal Law No. (1) of 2006 On Electronic Commerce and Transactions
United Arab Emirates Federal Law No. (1) of 2006 On Electronic Commerce and Transactions
2006-01-30
The document as a whole was last reviewed and released on 2020-04-16T00:00:00-0700.
This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of meta data that are associated with each Citation; Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within United Arab Emirates Federal Law No. (1) of 2006 On Electronic Commerce and Transactions that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.
Dictionary Terms – The dictionary terms listed for United Arab Emirates Federal Law No. (1) of 2006 On Electronic Commerce and Transactions are based upon terms either found within the Authority Document’s defined terms section(which most legal documents have), its glossary, and for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.
Common Controls andAn Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
Leadership and high level objectives | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Leadership and high level objectives CC ID 00597 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a reporting methodology program. CC ID 02072 | Business Processes | Preventive | |
| Establish, implement, and maintain communication protocols. CC ID 12245 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406 [A Signatory shall: without undue delay, notify concerned persons if: the Signatory becomes aware that the security of its Signature Creation Device has been compromised; Article (19) One:(3)(a) A Signatory shall: without undue delay, notify concerned persons if: the circumstances known to the Signatory give rise to a substantial risk that the security of the Signature Creation Device may have been compromised; and Article (19) One:(3)(b)] | Establish/Maintain Documentation | Preventive | |
| Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 | Monitor and Evaluate Occurrences | Preventive | |
| Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 | Monitor and Evaluate Occurrences | Preventive | |
| Include the capturing and alerting of performance variances in the notification system. CC ID 12929 | Monitor and Evaluate Occurrences | Preventive | |
| Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 | Monitor and Evaluate Occurrences | Preventive | |
| Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Monitor and Evaluate Occurrences | Preventive | |
Operational and Systems Continuity | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Operational and Systems Continuity CC ID 00731 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a business continuity program. CC ID 13210 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain system continuity plan strategies. CC ID 00735 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a critical resource list. CC ID 00740 | Establish/Maintain Documentation | Detective | |
| Define and maintain continuity Service Level Agreements for all critical resources. CC ID 00741 [A Certification Service Provider shall: provide a means for Signatories to give notice that the Signature Creation Device has been compromised and ensure the availability of a timely signature revocation service; Article (21) One:(d)] | Establish/Maintain Documentation | Preventive | |
Operational management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an information security program. CC ID 00812 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Establish/Maintain Documentation | Preventive | |
| Include asset use policies in the Acceptable Use Policy. CC ID 01355 [A Certification Service Provider shall: provide reasonably accessible means which enable a Relying Party to ascertain: any limitation on the purpose or value for which the Signature Creation Device may be used; Article (21) One:(c)(4) An Electronic Attestation Certificate shall state: any limitations on the purposes or value for which the Signature Creation Device or the Electronic Attestation Certificate may be used; Article (21) Three:(d)] | Establish/Maintain Documentation | Preventive | |
| Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Establish/Maintain Documentation | Preventive | |
| Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Establish/Maintain Documentation | Preventive | |
| Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Technical Security | Preventive | |
| Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Establish/Maintain Documentation | Preventive | |
| Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Data and Information Management | Preventive | |
| Establish, implement, and maintain an e-mail policy. CC ID 06439 | Establish/Maintain Documentation | Preventive | |
| Identify the sender in all electronic messages. CC ID 13996 [Where the law requires that certain documents, records or information be retained for any reason, that requirement is met by retaining Electronic Records, provided that the following conditions are satisfied: such information, if any, is retained as enables the identification of the origin and destination of the Data Message and the date and time when it was sent or received Article (5)(1)(c)] | Data and Information Management | Preventive | |
| Establish, implement, and maintain a use of information agreement. CC ID 06215 | Establish/Maintain Documentation | Preventive | |
| Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 [{not been received} Where the Originator has asked for an acknowledgement but has not stated that the Data Message is conditional on receipt of the acknowledgment within the time specified or agreed, or if no time has been specified or agreed within a reasonable time, the Originator: may give notice to the Addressee stating that no acknowledgment has been received and specifying a reasonable time by which the acknowledgment must be received; and Article (14)(4)(a)] | Establish/Maintain Documentation | Preventive | |
| Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 [Where the Originator has asked for an acknowledgement but has not stated that the Data Message is conditional on receipt of the acknowledgment within the time specified or agreed, or if no time has been specified or agreed within a reasonable time, the Originator: if the acknowledgement is not received within the time specified in para (a) of this subsection, may treat the Data Message as though it has never been sent, or exercise any other rights it may have Article (14)(4)(b)] | Establish/Maintain Documentation | Preventive | |
| Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Business Processes | Preventive | |
| Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [A Certification Service Provider shall: act in accordance with representations made by it with respect to its policies and practices; Article (21) One:(a)] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a Service Management System. CC ID 13889 | Business Processes | Preventive | |
| Establish, implement, and maintain a service management program. CC ID 11388 | Establish/Maintain Documentation | Preventive | |
| Include continuity plans in the Service Management program. CC ID 13919 [A Certification Service Provider shall: provide a means for Signatories to give notice that the Signature Creation Device has been compromised and ensure the availability of a timely signature revocation service; Article (21) One:(d)] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an Asset Management program. CC ID 06630 | Business Processes | Preventive | |
| Assign an information owner to organizational assets, as necessary. CC ID 12729 [An Electronic Attestation Certificate shall state: that the person identified in the Electronic Attestation Certificate holds, at the relevant time, the Signature Creation Device referred to in the certificate; Article (21) Three:(b)] | Human Resources Management | Preventive | |
| Establish, implement, and maintain a customer service program. CC ID 00846 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an Incident Management program. CC ID 00853 | Business Processes | Preventive | |
| Include detection procedures in the Incident Management program. CC ID 00588 | Establish/Maintain Documentation | Preventive | |
| Contain the incident to prevent further loss. CC ID 01751 | Process or Activity | Corrective | |
| Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 | Establish/Maintain Documentation | Preventive | |
| Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 [In assessing the evidential weight of Electronic Information, regard shall be given to: the reliability of the source of information, if identifiable; Article (10)(2)(c) In assessing the evidential weight of Electronic Information, regard shall be given to: the reliability of the manner in which the Originator was identified; Article (10)(2)(d)] | Establish/Maintain Documentation | Detective | |
| Provide and display incident management contact information to customers. CC ID 06386 [A Certification Service Provider shall: provide reasonably accessible means which enable a Relying Party to ascertain: whether means exist for the Signatory to give notice pursuant to this Law; Article (21) One:(c)(6)] | Establish/Maintain Documentation | Corrective | |
| Establish, implement, and maintain an Incident Response program. CC ID 00579 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a digital forensic evidence framework. CC ID 08652 [In assessing the evidential weight of Electronic Information, regard shall be given to: any other factor that may be relevant Article (10)(2)(e)] | Establish/Maintain Documentation | Preventive | |
| Retain collected evidence for potential future legal actions. CC ID 01235 | Records Management | Preventive | |
| Protect devices containing digital forensic evidence during transport. CC ID 08687 | Investigate | Detective | |
| Protect devices containing digital forensic evidence in sealed containers. CC ID 08685 | Investigate | Detective | |
| Establish, implement, and maintain a chain of custody for all devices containing digital forensic evidence. CC ID 08686 | Establish/Maintain Documentation | Detective | |
| Define the business scenarios that require digital forensic evidence. CC ID 08653 | Establish/Maintain Documentation | Preventive | |
| Define the circumstances for collecting digital forensic evidence. CC ID 08657 | Establish/Maintain Documentation | Preventive | |
| Conduct forensic investigations in the event of a security compromise. CC ID 11951 | Investigate | Corrective | |
| Contact affected parties to participate in forensic investigations, as necessary. CC ID 12343 | Communicate | Detective | |
| Identify potential sources of digital forensic evidence. CC ID 08651 [{refrain from preventing} In any legal proceedings, nothing in the application of the rules of evidence shall apply so as to prevent the admission of a Data Message or Electronic Signature in evidence: if it is the best evidence that the person adducing it could reasonably be expected to obtain, on the grounds that the message or signature is not original or in its original form Article (10)(1)(b)] | Investigate | Preventive | |
| Document the legal requirements for evidence collection. CC ID 08654 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a digital forensic evidence collection program. CC ID 08655 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the digital forensic evidence collection program. CC ID 15724 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain secure storage and handling of evidence procedures. CC ID 08656 | Records Management | Preventive | |
| Prepare digital forensic equipment. CC ID 08688 | Investigate | Detective | |
| Use digital forensic equipment suitable to the circumstances. CC ID 08690 | Investigate | Detective | |
| Provide relevant user manuals for digital forensic equipment during use. CC ID 08691 | Investigate | Detective | |
| Include the hardware configuration and software configuration of the digital forensic equipment in the forensic investigation report. CC ID 08693 | Establish/Maintain Documentation | Detective | |
| Test the operation of the digital forensic equipment prior to use. CC ID 08694 | Testing | Detective | |
| Maintain digital forensic equipment for proper performance. CC ID 08689 | Investigate | Detective | |
| Collect evidence from the incident scene. CC ID 02236 | Business Processes | Corrective | |
| Include documentation of the system containing and surrounding digital forensic evidence in the forensic investigation report. CC ID 08679 | Establish/Maintain Documentation | Detective | |
| Include the configuration settings of devices associated with digital forensic evidence in the forensic investigation report. CC ID 08676 | Establish/Maintain Documentation | Detective | |
| Include the external connections to systems containing digital forensic evidence in the forensic investigation report. CC ID 08680 | Establish/Maintain Documentation | Detective | |
| Include the electronic media storage devices containing digital forensic evidence in the forensic investigation report. CC ID 08695 | Establish/Maintain Documentation | Detective | |
| Include all system components of systems containing digital forensic evidence in the forensic investigation report. CC ID 08696 | Establish/Maintain Documentation | Detective | |
| Refrain from altering the state of compromised systems when collecting digital forensic evidence. CC ID 08671 | Investigate | Detective | |
| Follow all applicable laws and principles when collecting digital forensic evidence. CC ID 08672 | Investigate | Detective | |
| Remove everyone except interested personnel and affected parties from the proximity of digital forensic evidence. CC ID 08675 | Investigate | Detective | |
| Secure devices containing digital forensic evidence. CC ID 08681 | Investigate | Detective | |
| Use a write blocker to prevent digital forensic evidence from being modified. CC ID 08692 | Investigate | Detective | |
| Capture volatile information from devices containing digital forensic evidence prior to shutdown. CC ID 08684 | Investigate | Detective | |
| Create a system image of the device before collecting digital forensic evidence. CC ID 08673 | Investigate | Detective | |
| Shut down stand alone devices containing digital forensic evidence. CC ID 08682 | Investigate | Detective | |
| Disconnect electronic media storage devices of systems containing digital forensic evidence. CC ID 08697 | Investigate | Detective | |
| Place evidence tape over devices containing digital forensic evidence. CC ID 08683 | Investigate | Detective | |
| Perform automated processes according to business requirements. CC ID 14325 [As between the Originator and the Addressee, a Data Message is deemed to be that of the Originator if it was sent: by an Automated Information System programmed by or on behalf of the Originator to operate automatically Article (13)(2)(b)] | Business Processes | Preventive | |
| Conduct transactions, as necessary. CC ID 14378 | Business Processes | Preventive | |
| Implement data content requirements and data condition requirements for all transactions. CC ID 14410 | Business Processes | Preventive | |
| Keep code sets open until resolved. CC ID 14409 | Business Processes | Preventive | |
| Refrain from using incentives to conduct transactions. CC ID 14408 | Business Processes | Preventive | |
| Refrain from charging fees to conduct transactions. CC ID 14415 | Business Processes | Preventive | |
| Refrain from rejecting standard transactions. CC ID 14406 | Business Processes | Preventive | |
| Refrain from rejecting transactions containing extra data. CC ID 14407 | Business Processes | Preventive | |
| Translate standard transactions, as necessary. CC ID 14405 | Business Processes | Preventive | |
| Translate nonstandard transactions, as necessary. CC ID 14404 | Business Processes | Preventive | |
| Process transactions, as necessary. CC ID 14403 | Business Processes | Preventive | |
Physical and environmental protection | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Physical and environmental protection CC ID 00709 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a physical security program. CC ID 11757 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an anti-tamper protection program. CC ID 10638 | Monitor and Evaluate Occurrences | Detective | |
| Protect assets from tampering or unapproved substitution. CC ID 11902 [A Certification Service Provider shall: provide reasonably accessible means which enable a Relying Party to ascertain: that the Signature Creation Device is valid and has not been compromised; Article (21) One:(c)(5)] | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 | Physical and Environmental Protection | Preventive | |
| Protect distributed assets against theft. CC ID 06799 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain on-site logical controls for all distributed assets. CC ID 11682 [A Signatory shall: not unlawfully use its Signature Creation Device; Article (19) One:(1)] | Technical Security | Preventive | |
| Monitor the location of distributed assets. CC ID 11684 [{disregard} In determining whether an Electronic Attestation Certificate or an Electronic Signature is legally effective, no regard shall be had to the place where the Certificate or the Electronic Signature was issued, nor to the jurisdiction in which the issuer of the Electronic Attestation Certificate or Signature had its place of business Article (23)(1)] | Monitor and Evaluate Occurrences | Detective | |
Privacy protection for information and data | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Privacy protection for information and data CC ID 00008 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Establish/Maintain Documentation | Preventive | |
| Develop remedies and sanctions for privacy policy violations. CC ID 00474 | Data and Information Management | Preventive | |
| Define the organization's liability based on the applicable law. CC ID 00504 [A Signatory shall bear the legal consequences of its failure to satisfy the requirements of Section One of this Article Article (19) Two: {electronic attestation certificate} Where an Electronic Signature is supported by a certificate, the Relying Party in respect of such signature shall bear the legal consequences of its failure to take reasonable and necessary steps to verify the validity and enforceability of the certificate, as to whether it is suspended or revoked, and of observing any limitations with respect to the certificate Article (18)(2) {not required} Nothing in this Law shall require any person or employee to use or accept information in Electronic format, but a person's consent to do so may be inferred from his affirmative conduct Article (6)(1)] | Establish/Maintain Documentation | Preventive | |
| Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 | Establish/Maintain Documentation | Preventive | |
Records management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Records management CC ID 00902 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain records management policies. CC ID 00903 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a record classification scheme. CC ID 00914 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain electronic signature requirements. CC ID 06219 [Absent proof to the contrary, it shall be presumed that a Secure Electronic Signature: is reliable; Article (10)(3)(a) Absent proof to the contrary, it shall be presumed that a Secure Electronic Signature: is the signature of the person to whom it correlates; and Article (10)(3)(b) {be unique} {electronic signature} A signature shall be treated as a Secure Electronic Signature if, through the application of a prescribed Secure Authentication Procedure or a commercially reasonable Secure Authentication Procedure agreed to by the parties involved, it can be verified that an Electronic Signature was, at the time it was made: unique to the person using it; Article (17)(1)(a) Signatures complying with the requirements of laws of another state may be recognized as legally equivalent to signatures under this Law if the laws of the other state require a level of reliability at least equivalent to that required for such signatures under this Law Article (23)(3)] | Establish/Maintain Documentation | Preventive | |
| Implement a signature revocation service. CC ID 14417 [A Certification Service Provider shall: provide reasonably accessible means which enable a Relying Party to ascertain: whether a timely signature revocation service is offered; Article (21) One:(c)(7)] | Business Processes | Preventive | |
| Allow electronic signatures to satisfy requirements for written signatures, as necessary. CC ID 11807 [Where a rule of law requires a signature on a document, or provides for certain consequences in the absence of a signature, that rule is satisfied if the document contains a reliable Electronic Signature within the meaning of Article (18) of this Law Article (8)(1) {is not unenforceable} A contract is not invalid or unenforceable solely by reason that Electronic Communication was used in its formation Article (11)(2)] | Records Management | Preventive | |
| Allow authorized parties to authenticate electronic records with electronic signatures. CC ID 11964 [Absent proof to the contrary, it shall be presumed that a Secure Electronic Signature: was affixed by that person with the intention of signing or approving the Data Message attributed to him Article(10)(3)(c) Absent contrary statutory provision, a person may use any form of Electronic authentication Article (8)(2) Notwithstanding subsections (2) and (3) above: Where parties agree, as between themselves, to the use of certain types of Electronic Signatures or Electronic Attestation Certificates, that agreement shall be recognized as sufficient for the purpose of cross-border recognition between the various jurisdictions of states, unless that agreement would not be valid or effective under applicable law of the UAE Article (23)(6)(b)] | Technical Security | Preventive | |
| Allow authorized parties to authenticate transactions with electronic signatures. CC ID 11963 | Technical Security | Preventive | |
| Define each system's preservation requirements for records and logs. CC ID 00904 | Establish/Maintain Documentation | Detective | |
| Establish, implement, and maintain a data retention program. CC ID 00906 | Establish/Maintain Documentation | Detective | |
| Maintain continued integrity for all stored data and stored records. CC ID 00969 [{not be altered} Absent proof to the contrary, it shall be presumed that a Secure Electronic Record: remained unaltered since creation; and Article (10)(4)(a) Absent proof to the contrary, it shall be presumed that a Secure Electronic Record: is reliable Article (10)(4)(b) If a prescribed Secure Authentication Procedure or a commercially reasonable Secure Authentication Procedure agreed to by the parties involved has been properly applied to an Electronic Record to verify that the Electronic Record has not been altered since a specified point in time, such record shall be treated as a Secure Electronic Record from such specified point in time to the time of verification Article (16)(1)] | Testing | Detective | |
| Determine how long to keep records and logs before disposing them. CC ID 11661 | Process or Activity | Preventive | |
| Retain records in accordance with applicable requirements. CC ID 00968 [Where the law requires that certain documents, records or information be retained for any reason, that requirement is met by retaining Electronic Records, provided that the following conditions are satisfied: Article (5)(1) An obligation to retain documents, records or information in accordance with paragraph (c) of subsection (1) does not extend to any information necessarily or automatically generated solely for the purpose of enabling a message to be sent or received Article (5)(2)] | Records Management | Preventive | |
| Establish, implement, and maintain records management procedures. CC ID 11619 | Establish/Maintain Documentation | Preventive | |
| Maintain electronic records in an equivalent manner as printed records, as necessary. CC ID 11806 [Where the law requires that certain documents, records or information be retained for any reason, that requirement is met by retaining Electronic Records, provided that the following conditions are satisfied: the Electronic Record is retained in the format in which it was generated, sent or received, or in a format which can be demonstrated to represent accurately the information generated, sent or received; Article (5)(1)(a) If a rule of law requires a statement, document, record, transaction or evidence to be in writing or provides for certain consequences if it is not, an Electronic Document or Record satisfies the requirement if the provisions of subsection (1) of Article (5) of this Law are complied with Article (7)] | Records Management | Preventive | |
| Process restricted information in a secure environment. CC ID 13058 | Process or Activity | Preventive | |
| Refrain from creating printed records as copies of electronic records. CC ID 11808 | Records Management | Preventive | |
| Establish, implement, and maintain data accuracy controls. CC ID 00921 [A Certification Service Provider shall: exercise reasonable care to ensure the accuracy and completeness of all material representations made by it that are relevant to the Electronic Attestation Certificate throughout its life cycle or that are included in the certificate; Article (21) One:(b) A Signatory shall: where an Electronic Attestation Certificate is used to support a Signature Creation Device, exercise reasonable care to ensure the accuracy and completeness of all material representations made by the Signatory which are relevant to the Electronic Attestation Certificate throughout its life cycle Article {19) One:(4)] | Monitor and Evaluate Occurrences | Detective | |
| Establish, implement, and maintain data completeness controls. CC ID 11649 [A Certification Service Provider shall: exercise reasonable care to ensure the accuracy and completeness of all material representations made by it that are relevant to the Electronic Attestation Certificate throughout its life cycle or that are included in the certificate; Article (21) One:(b) A Signatory shall: where an Electronic Attestation Certificate is used to support a Signature Creation Device, exercise reasonable care to ensure the accuracy and completeness of all material representations made by the Signatory which are relevant to the Electronic Attestation Certificate throughout its life cycle Article {19) One:(4)] | Process or Activity | Preventive | |
| Capture the records required by organizational compliance requirements. CC ID 00912 | Records Management | Detective | |
| Log records as being received into the recordkeeping system. CC ID 11696 | Records Management | Preventive | |
| Log the date and time each item is received into the recordkeeping system. CC ID 11709 [Where the law requires that certain documents, records or information be retained for any reason, that requirement is met by retaining Electronic Records, provided that the following conditions are satisfied: such information, if any, is retained as enables the identification of the origin and destination of the Data Message and the date and time when it was sent or received Article (5)(1)(c)] | Log Management | Preventive | |
| Establish, implement, and maintain data processing integrity controls. CC ID 00923 [Where a rule of law requires a Data Message to be presented or retained in its original form, or provides for certain consequences if not so presented or retained, that requirement is met by a Data Message if: there exists reliable assurance as to the integrity of the information contained in the Data Message from the time when it was first generated in its final form, as an Electronic Document or Record. The criteria for assessing integrity shall be whether the information has remained complete and unaltered, apart from the addition of any endorsement and any change which arises in the normal course of communication, storage and display; and Article (9)(1)] | Establish Roles | Preventive | |
| Compare each record's data input to its final form. CC ID 11813 | Records Management | Detective | |
| Sanitize user input in accordance with organizational standards. CC ID 16856 | Process or Activity | Preventive | |
| Establish, implement, and maintain Automated Data Processing validation checks and editing checks. CC ID 00924 | Data and Information Management | Preventive | |
| Establish, implement, and maintain Automated Data Processing error handling procedures. CC ID 00925 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain Automated Data Processing error handling reporting. CC ID 11659 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain access controls for all records. CC ID 00371 [Where the law requires that certain documents, records or information be retained for any reason, that requirement is met by retaining Electronic Records, provided that the following conditions are satisfied: the information contained therein is accessible so as to be usable for subsequent reference; and Article (5)(1)(b)] | Records Management | Preventive | |
| Establish, implement, and maintain output distribution procedures. CC ID 00927 [Where a rule of law requires a Data Message to be presented or retained in its original form, or provides for certain consequences if not so presented or retained, that requirement is met by a Data Message if: if the message allows, when required, the display of the information sought to be presented Article (9)(2)] | Establish/Maintain Documentation | Preventive | |
| Include printed output in output distribution procedures. CC ID 13477 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an e-discovery program. CC ID 00976 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain legal hold procedures for data and records. CC ID 06810 [In assessing the evidential weight of Electronic Information, regard shall be given to: the reliability of the manner in which the integrity of the information was maintained; Article (10)(2)(b)] | Records Management | Preventive | |
| Document the evidential weight of the information and the information processing assets. CC ID 00624 [In assessing the evidential weight of Electronic Information, regard shall be given to: the reliability of the manner in which one or more of the operations of executing, entering, generating, processing, storing, presenting or communicating was performed; Article (10)(2)(a)] | Establish/Maintain Documentation | Preventive | |
| Tailor the e-discovery search methodology to evolve with e-discovery rules. CC ID 00625 | Records Management | Preventive | |
| Use precedent from the context of paper discovery in the context of e-discovery. CC ID 00626 [{refrain from preventing} In any legal proceedings, nothing in the application of the rules of evidence shall apply so as to prevent the admission of a Data Message or Electronic Signature in evidence: on the grounds that the message or signature is in Electronic format; or Article (10)(1)(a)] | Records Management | Preventive | |
System hardening through configuration management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| System hardening through configuration management CC ID 00860 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain system hardening procedures. CC ID 12001 | Establish/Maintain Documentation | Preventive | |
| Disable or configure the e-mail server, as necessary. CC ID 06563 | Configuration | Preventive | |
| Configure e-mail servers to enable receiver-side verification. CC ID 12223 [Where the Originator receives the Addressee's acknowledgment of receipt, it is presumed, unless evidence to the contrary is adduced, that the related Data Message was received by the Addressee, but that presumption does not imply that the content of the Data Message sent by the Originator corresponds to the content of the message received from the Addressee Article (14)(5)] | Configuration | Preventive | |
Technical security | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Technical security CC ID 00508 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a digital identity management program. CC ID 13713 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain digital identification procedures. CC ID 13714 | Establish/Maintain Documentation | Preventive | |
| Implement digital identification processes. CC ID 13731 | Process or Activity | Preventive | |
| Implement identity proofing processes. CC ID 13719 | Process or Activity | Preventive | |
| Allow authorized representatives to act on behalf of the data subject during the identity proofing process. CC ID 13787 [As between the Originator and the Addressee, a Data Message is deemed to be that of the Originator if it was sent: by a person who had the authority to act on behalf of the Originator in respect of the Data Message; Article (13)(2)(a)] | Process or Activity | Preventive | |
| Establish, implement, and maintain federated identity systems. CC ID 13837 | Technical Security | Preventive | |
| Authenticate all systems in a federated identity system. CC ID 13835 | Technical Security | Preventive | |
| Send and receive authentication assertions, as necessary. CC ID 13839 [A person may rely on an Electronic Signature or Electronic Attestation Certificate to the extent that such reliance rm_secondary-verb">is reasonable Article (18)(1) Where the Originator has not agreed with the Addressee that the acknowledgement be given in a particular form or by a particular method, an acknowledgement may be given by: any conduct of the addressee, sufficient to y-verb">or:#B7D8ED;" class="term_primary-verb">indicate to the Originator that the | Technical Security | Preventive | |
| Make the assertion reference for authentication assertions single-use. CC ID 13843 | Technical Security | Preventive | |
| Validate the issuer in the authentication assertion. CC ID 13878 [A Certification Service Provider shall: provide reasonably accessible means which enable a Relying Party to ascertain: the identity of the olor:#F0BBBC;" class="term_primary-noun">Certification Service Provider; Article (21) One:(c)(1)] | Technical Security | Detective | |
| Limit the lifetime of the assertion reference. CC ID 13874 | Technical Security | Preventive | |
| Refrain from using authentication assertions that have expired. CC ID 13872 | Technical Security | Preventive | |
| Protect the authentication assertion from unauthorized access or unauthorized disclosure. CC ID 16836 | Technical Security | Preventive | |
| Include the issuer identifier in the authentication assertion. CC ID 13865 | Technical Security | Preventive | |
| Include attribute metadata in the authentication assertion. CC ID 13856 | Technical Security | Preventive | |
| Include the authentication time in the authentication assertion. CC ID 13855 | Technical Security | Preventive | |
| Validate each element within the authentication assertion. CC ID 13853 [{electronic attestation certificate} In determining whether it was reasonable for a person to have relied on an Electronic Signature or Certificate, regard shall be had, if appropriate, to the nature of the underlying transaction that Electronic Signature was intended to support; Article (18)(3)(a) Where the acknowledgment received by the Originator states that the related Data Message met technical requirements, either agreed upon or set forth in applicable standards, it is mary-verb">presumed, unless evidence to the contrary is adduced, that those requirements have been term_secondary-verb">#B7D8ED;" class="term_primary-verb">met Article (14)(6) Where the Originator has not agreed with the Addressee that the acknowledgement be given in a particular form or by a particular method, an acknowledgement may be given byy-verb">: any | Technical Security | Preventive | |
| Validate the timestamp in the authentication assertion. CC ID 13875 [An Electronic Attestation Certificate shall state: that the Signature Creation Device was effective at or before the date when the certificate was issued; Article (21) Three:(c)] | Technical Security | Detective | |
| Validate the digital signature in the authentication assertion. CC ID 13869 [{electronic attestation certificate} In determining whether it was reasonable for a person to have relied on an Electronic Signature or Certificate, regard shall be had, if appropriate, to whether the Relying Party in respect of the Electronic Signature or the Electronic Attestation Certificate had taken appropriate steps to determine the reliability of the Electronic Signature or the Electronic Attestation Certificate; Article (18)(3)(c) {electronic signature} A signature shall be treated as a Secure Electronic Signature if, through the application of a prescribed Secure Authentication Procedure or a commercially reasonable Secure Authentication Procedure agreed to by the parties involved, it can be verified that an Electronic Signature was, at the time it was made: linked to the Electronic Record to which it relates in a manner which provides reliable n">assurance as to the <span style="background-color:#F0BBBC;" class="term_primary-noun">integrity of the signature such that if the record was changed the Electronic Signature would be d-color:#CBD0E5;" class="term_secondary-verb">invalidated Article (17)(1)(d) {electronic signature} A signature shall be treated as a Secure Electronic Signature if, through the application of a prescribed Secure Authentication Procedure or a commercially reasonable Secure Authentication Procedure agreed to by the parties involved, it can be verified that an Electronic Signature was, at the time it was made: was, at the time of signing, under the sole 7D8ED;" class="term_primary-verb">control of the Signatory in terms of the creation data and the means used; and Article (17)(1)(c) {electronic signature} A signature shall be treated as a Secure Electronic Signature if, through the application of a prescribed Secure Authentication Procedure or a commercially reasonable Secure Authentication Procedure agreed to by the parties involved, it can be verified that an Electronic Signature was, at the time it was made: capable of >identifying such person; Article (17)(1)(b)] | Technical Security | Detective | |
| Validate the signature validation element in the authentication assertion. CC ID 13867 [{electronic attestation certificate} In determining whether it was reasonable for a person to have relied on an Electronic Signature or Certificate, regard shall be had, if appropriate, to whether the Relying Party in respect of the Electronic Signature had taken appropriate steps to ascertain whether the Electronic Signature was supported or was reasonably expected to have been supported by an Electronic Attestation Certificate; Article (18)(3)(d) {electronic attestation certificate} In determining whether it was reasonable for a person to have relied on an Electronic Signature or Certificate, regard shall be had, if appropriate, to whether the Relying Party in respect of the Electronic Signature or the Electronic Attestation Certificate knew or ought to have known that the Electronic Signature or the Electronic Attestation Certificate had been compromised or revoked; Article (18)(3)(e)] | Technical Security | Detective | |
| Validate the audience restriction element in the authentication assertion. CC ID 13866 | Technical Security | Detective | |
| Include the subject in the authentication assertion. CC ID 13852 | Technical Security | Preventive | |
| Include the target audience in the authentication assertion. CC ID 13851 | Technical Security | Preventive | |
| Include audience restrictions in the authentication assertion. CC ID 13870 | Technical Security | Preventive | |
| Include the issue date in the authentication assertion. CC ID 13850 | Technical Security | Preventive | |
| Revoke authentication assertions, as necessary. CC ID 16534 | Technical Security | Preventive | |
| Include the expiration date in the authentication assertion. CC ID 13849 | Technical Security | Preventive | |
| Include identifiers in the authentication assertion. CC ID 13848 | Technical Security | Preventive | |
| Include digital signatures in the authentication assertion. CC ID 13847 | Technical Security | Preventive | |
| Include key binding in the authentication assertion. CC ID 13846 [A Certification Service Provider shall: provide reasonably accessible means which enable a Relying Party to ascertain: that the person identified in the Electronic Attestation Certificate rm_primary-verb">holds, at the relevant time, the Signature Creation Device referred to in the certificate; Article (21) One:(c)(2)] | Technical Security | Preventive | |
| Include attribute references in the authentication assertion. CC ID 13845 [{electronic attestation certificate} In determining whether it was reasonable for a person to have relied on an Electronic Signature or Certificate, regard shall be had, if appropriate, to any agreement or course of dealing which the Originator has with the Relying Party in respect of the Electronic Signature or the Electronic Attestation Certificate, or any trade usage or practice which may be applicable; Article (18)(3)(f) {electronic attestation certificate} In determining whether it was reasonable for a person to have relied on an Electronic Signature or Certificate, regard shall be had, if appropriate, to any other relevant factor Article (18)(3)(g)] | Technical Security | Preventive | |
| Include attribute values in the authentication assertion. CC ID 13844 [{electronic attestation certificate} In determining whether it was reasonable for a person to have relied on an Electronic Signature or Certificate, regard shall be had, if appropriate, to the value or importance of the underlying transaction, if this known to the party relying on the Electronic Signature; Article (18)(3)(b)] | Technical Security | Preventive | |
| Establish, implement, and maintain an access control program. CC ID 11702 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an access rights management plan. CC ID 00513 | Establish/Maintain Documentation | Preventive | |
| Control access rights to organizational assets. CC ID 00004 [A Signatory shall: exercise reasonable care to avoid the unauthorized use of its Signature Creation Device; Article (19) One:(2)] | Technical Security | Preventive | |
| Configure access control lists in accordance with organizational standards. CC ID 16465 | Configuration | Preventive | |
| Add all devices requiring access control to the Access Control List. CC ID 06264 | Establish/Maintain Documentation | Preventive | |
| Generate but refrain from storing authenticators or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835 | Technical Security | Preventive | |
| Disallow application IDs from running as privileged users. CC ID 10050 | Configuration | Detective | |
| Define roles for information systems. CC ID 12454 | Human Resources Management | Preventive | |
| Define access needs for each role assigned to an information system. CC ID 12455 | Human Resources Management | Preventive | |
| Define access needs for each system component of an information system. CC ID 12456 | Technical Security | Preventive | |
| Define the level of privilege required for each system component of an information system. CC ID 12457 | Technical Security | Preventive | |
| Establish access rights based on least privilege. CC ID 01411 | Technical Security | Preventive | |
| Assign user permissions based on job responsibilities. CC ID 00538 | Technical Security | Preventive | |
| Assign user privileges after they have management sign off. CC ID 00542 | Technical Security | Preventive | |
| Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 | Configuration | Preventive | |
| Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 | Technical Security | Preventive | |
| Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 | Configuration | Preventive | |
| Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 | Communicate | Corrective | |
| Disallow unlocking user accounts absent system administrator approval. CC ID 01413 | Technical Security | Preventive | |
| Establish, implement, and maintain session lock capabilities. CC ID 01417 | Configuration | Preventive | |
| Limit concurrent sessions according to account type. CC ID 01416 | Configuration | Preventive | |
| Establish session authenticity through Transport Layer Security. CC ID 01627 | Technical Security | Preventive | |
| Configure the "tlsverify" argument to organizational standards. CC ID 14460 | Configuration | Preventive | |
| Configure the "tlscacert" argument to organizational standards. CC ID 14521 | Configuration | Preventive | |
| Configure the "tlscert" argument to organizational standards. CC ID 14520 | Configuration | Preventive | |
| Configure the "tlskey" argument to organizational standards. CC ID 14519 | Configuration | Preventive | |
| Enable access control for objects and users on each system. CC ID 04553 | Configuration | Preventive | |
| Include all system components in the access control system. CC ID 11939 | Technical Security | Preventive | |
| Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 | Process or Activity | Preventive | |
| Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 | Technical Security | Preventive | |
| Enable attribute-based access control for objects and users on information systems. CC ID 16351 | Technical Security | Preventive | |
| Enable role-based access control for objects and users on information systems. CC ID 12458 | Technical Security | Preventive | |
| Include the objects and users subject to access control in the security policy. CC ID 11836 | Establish/Maintain Documentation | Preventive | |
| Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Establish Roles | Preventive | |
| Enforce access restrictions for change control. CC ID 01428 | Technical Security | Preventive | |
| Enforce access restrictions for restricted data. CC ID 01921 | Data and Information Management | Preventive | |
| Permit a limited set of user actions absent identification and authentication. CC ID 04849 | Technical Security | Preventive | |
| Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455 | Testing | Detective | |
| Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262 | Technical Security | Preventive | |
| Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 | Establish/Maintain Documentation | Preventive | |
| Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 | Establish/Maintain Documentation | Preventive | |
| Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770 | Technical Security | Preventive | |
| Display previous logon information in the logon banner. CC ID 01415 | Configuration | Preventive | |
| Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771 | Establish/Maintain Documentation | Preventive | |
| Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964 | Technical Security | Preventive | |
| Establish, implement, and maintain a system and information integrity policy. CC ID 14034 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain system and information integrity procedures. CC ID 14051 [A Certification Service Provider shall: utilize trustworthy systems, procedures and human resources in performing its services; Article (21) One:(e)] | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the system and information integrity procedures to interested personnel and affected parties. CC ID 14142 | Communicate | Preventive | |
| Manage the use of encryption controls and cryptographic controls. CC ID 00570 | Technical Security | Preventive | |
| Establish, implement, and maintain digital signatures. CC ID 13828 | Data and Information Management | Preventive | |
| Include the issuer in digital signatures. CC ID 13831 [A Certification Service Provider shall: provide reasonably accessible means which enable a Relying Party to ascertain: the method used to identify the Signatory; Article (21) One:(c)(3) An Electronic Attestation Certificate shall state: the identity of the Certification Service Provider; Article (21) Three:(a)] | Data and Information Management | Preventive | |
| Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564 | Technical Security | Preventive | |
| Implement non-repudiation for transactions. CC ID 00567 | Testing | Detective | |
| Treat data messages that do not receive an acknowledgment as never been sent. CC ID 14416 [Where the Originator has stated that the Data Message is conditional on receipt of the acknowledgment, the Data Message is treated as though it had never been sent until the acknowledgment is received Article (14)(3)] | Technical Security | Preventive | |
Third Party and supply chain oversight | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Third Party and supply chain oversight CC ID 08807 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a supply chain management program. CC ID 11742 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 [For the purpose of contracting, an offer or the acceptance of an offer may be expressed, in whole or in part, by Electronic Communication Article (11)(1) A contract may be formed by the interaction of Automated Electronic Agents that include two or more Electronic Information Systems preset and preprogrammed to carry out these tasks. Such contract would be valid and enforceable even if no individual was directly involved in the conclusion of the contract within such systems Article (12)(1) A contract may be formed between an Automated Electronic Information System in the possession of a natural or legal person and another natural person, where the latter knows or has reason to know that the such a system will automatically conclude or perform the contract Article (12)(2)] | Establish/Maintain Documentation | Preventive | |
| Review and update all contracts, as necessary. CC ID 11612 | Establish/Maintain Documentation | Preventive | |
| Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Process or Activity | Detective | |
| Include an indemnification and liability clause in third party contracts. CC ID 06517 [An Electronic Attestation Certificate shall state: any limitation on the scope or extent of liability which the Certification Service Provider accepts to any person Article (21) Three:(e)] | Establish/Maintain Documentation | Preventive | |
| Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 | Testing | Detective | |
| Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 [Electronic Attestation Certificates issued by a foreign Certification Service Provider are recognized as legally equivalent to Certificates issued by Certification Service Providers operating under this Law, if the practices of the foreign Certification Service Provider provide a level of reliability at least equivalent to that required of Certification Service Providers operating in accordance with this Law, as provided under Article (21), and taking into consideration recognized international standards Article (23)(2)] | Testing | Detective | |
| Establish, implement, and maintain a supply chain management policy. CC ID 08808 | Establish/Maintain Documentation | Preventive | |
| Use third parties that are compliant with the applicable requirements. CC ID 08818 [{retain} {electronic records} A person may satisfy the requirement referred to in subsection (1) by using the services of any other person, if the conditions in that subsection are complied with Article (5)(3)] | Business Processes | Preventive | |
| Conduct all parts of the supply chain due diligence process. CC ID 08854 | Business Processes | Preventive | |
| Assess third parties' compliance environment during due diligence. CC ID 13134 | Process or Activity | Detective | |
| Request attestation of compliance from third parties. CC ID 12067 | Establish/Maintain Documentation | Detective | |
| Require individual attestations of compliance from each location a third party operates in. CC ID 12228 [Notwithstanding subsections (2) and (3) above: Parties to commercial and other transactions may specify that a particular Certification Service Provider, class of Certification Service Providers or class of certificates must be used in connection with Data Messages or signatures submitted to them Article (23)(6)(a)] | Business Processes | Preventive | |
| Validate the third parties' compliance to organizationally mandated compliance requirements. CC ID 08819 [A Certification Service Provider shall: be licensed by the Certification Services Controller if operating in the UAE Article (21) One:(f)] | Business Processes | Preventive | |
Common Controls andEach Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
Business Processes | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain a reporting methodology program. CC ID 02072 | Leadership and high level objectives | Preventive | |
| Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Preventive | |
| Establish, implement, and maintain a Service Management System. CC ID 13889 | Operational management | Preventive | |
| Establish, implement, and maintain an Asset Management program. CC ID 06630 | Operational management | Preventive | |
| Establish, implement, and maintain an Incident Management program. CC ID 00853 | Operational management | Preventive | |
| Collect evidence from the incident scene. CC ID 02236 | Operational management | Corrective | |
| Perform automated processes according to business requirements. CC ID 14325 [As between the Originator and the Addressee, a Data Message is deemed to be that of the Originator if it was sent: by an Automated Information System programmed by or on behalf of the Originator to operate automatically Article (13)(2)(b)] | Operational management | Preventive | |
| Conduct transactions, as necessary. CC ID 14378 | Operational management | Preventive | |
| Implement data content requirements and data condition requirements for all transactions. CC ID 14410 | Operational management | Preventive | |
| Keep code sets open until resolved. CC ID 14409 | Operational management | Preventive | |
| Refrain from using incentives to conduct transactions. CC ID 14408 | Operational management | Preventive | |
| Refrain from charging fees to conduct transactions. CC ID 14415 | Operational management | Preventive | |
| Refrain from rejecting standard transactions. CC ID 14406 | Operational management | Preventive | |
| Refrain from rejecting transactions containing extra data. CC ID 14407 | Operational management | Preventive | |
| Translate standard transactions, as necessary. CC ID 14405 | Operational management | Preventive | |
| Translate nonstandard transactions, as necessary. CC ID 14404 | Operational management | Preventive | |
| Process transactions, as necessary. CC ID 14403 | Operational management | Preventive | |
| Implement a signature revocation service. CC ID 14417 [A Certification Service Provider shall: provide reasonably accessible means which enable a Relying Party to ascertain: whether a timely signature revocation service is offered; Article (21) One:(c)(7)] | Records management | Preventive | |
| Use third parties that are compliant with the applicable requirements. CC ID 08818 [{retain} {electronic records} A person may satisfy the requirement referred to in subsection (1) by using the services of any other person, if the conditions in that subsection are complied with Article (5)(3)] | Third Party and supply chain oversight | Preventive | |
| Conduct all parts of the supply chain due diligence process. CC ID 08854 | Third Party and supply chain oversight | Preventive | |
| Require individual attestations of compliance from each location a third party operates in. CC ID 12228 [Notwithstanding subsections (2) and (3) above: Parties to commercial and other transactions may specify that a particular Certification Service Provider, class of Certification Service Providers or class of certificates must be used in connection with Data Messages or signatures submitted to them Article (23)(6)(a)] | Third Party and supply chain oversight | Preventive | |
| Validate the third parties' compliance to organizationally mandated compliance requirements. CC ID 08819 [A Certification Service Provider shall: be licensed by the Certification Services Controller if operating in the UAE Article (21) One:(f)] | Third Party and supply chain oversight | Preventive | |
Communicate | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 | Technical security | Corrective | |
| Disseminate and communicate the system and information integrity procedures to interested personnel and affected parties. CC ID 14142 | Technical security | Preventive | |
| Contact affected parties to participate in forensic investigations, as necessary. CC ID 12343 | Operational management | Detective | |
Configuration | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Configure access control lists in accordance with organizational standards. CC ID 16465 | Technical security | Preventive | |
| Disallow application IDs from running as privileged users. CC ID 10050 | Technical security | Detective | |
| Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 | Technical security | Preventive | |
| Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 | Technical security | Preventive | |
| Establish, implement, and maintain session lock capabilities. CC ID 01417 | Technical security | Preventive | |
| Limit concurrent sessions according to account type. CC ID 01416 | Technical security | Preventive | |
| Configure the "tlsverify" argument to organizational standards. CC ID 14460 | Technical security | Preventive | |
| Configure the "tlscacert" argument to organizational standards. CC ID 14521 | Technical security | Preventive | |
| Configure the "tlscert" argument to organizational standards. CC ID 14520 | Technical security | Preventive | |
| Configure the "tlskey" argument to organizational standards. CC ID 14519 | Technical security | Preventive | |
| Enable access control for objects and users on each system. CC ID 04553 | Technical security | Preventive | |
| Display previous logon information in the logon banner. CC ID 01415 | Technical security | Preventive | |
| Disable or configure the e-mail server, as necessary. CC ID 06563 | System hardening through configuration management | Preventive | |
| Configure e-mail servers to enable receiver-side verification. CC ID 12223 [Where the Originator receives the Addressee's acknowledgment of receipt, it is presumed, unless evidence to the contrary is adduced, that the related Data Message was received by the Addressee, but that presumption does not imply that the content of the Data Message sent by the Originator corresponds to the content of the message received from the Addressee Article (14)(5)] | System hardening through configuration management | Preventive | |
Data and Information Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Enforce access restrictions for restricted data. CC ID 01921 | Technical security | Preventive | |
| Establish, implement, and maintain digital signatures. CC ID 13828 | Technical security | Preventive | |
| Include the issuer in digital signatures. CC ID 13831 [A Certification Service Provider shall: provide reasonably accessible means which enable a Relying Party to ascertain: the method used to identify the Signatory; Article (21) One:(c)(3) An Electronic Attestation Certificate shall state: the identity of the Certification Service Provider; Article (21) Three:(a)] | Technical security | Preventive | |
| Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Operational management | Preventive | |
| Identify the sender in all electronic messages. CC ID 13996 [Where the law requires that certain documents, records or information be retained for any reason, that requirement is met by retaining Electronic Records, provided that the following conditions are satisfied: such information, if any, is retained as enables the identification of the origin and destination of the Data Message and the date and time when it was sent or received Article (5)(1)(c)] | Operational management | Preventive | |
| Establish, implement, and maintain Automated Data Processing validation checks and editing checks. CC ID 00924 | Records management | Preventive | |
| Develop remedies and sanctions for privacy policy violations. CC ID 00474 | Privacy protection for information and data | Preventive | |
Establish Roles | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Technical security | Preventive | |
| Establish, implement, and maintain data processing integrity controls. CC ID 00923 [Where a rule of law requires a Data Message to be presented or retained in its original form, or provides for certain consequences if not so presented or retained, that requirement is met by a Data Message if: there exists reliable assurance as to the integrity of the information contained in the Data Message from the time when it was first generated in its final form, as an Electronic Document or Record. The criteria for assessing integrity shall be whether the information has remained complete and unaltered, apart from the addition of any endorsement and any change which arises in the normal course of communication, storage and display; and Article (9)(1)] | Records management | Preventive | |
Establish/Maintain Documentation | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain communication protocols. CC ID 12245 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406 [A Signatory shall: without undue delay, notify concerned persons if: the Signatory becomes aware that the security of its Signature Creation Device has been compromised; Article (19) One:(3)(a) A Signatory shall: without undue delay, notify concerned persons if: the circumstances known to the Signatory give rise to a substantial risk that the security of the Signature Creation Device may have been compromised; and Article (19) One:(3)(b)] | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a digital identity management program. CC ID 13713 | Technical security | Preventive | |
| Establish, implement, and maintain digital identification procedures. CC ID 13714 | Technical security | Preventive | |
| Establish, implement, and maintain an access control program. CC ID 11702 | Technical security | Preventive | |
| Establish, implement, and maintain an access rights management plan. CC ID 00513 | Technical security | Preventive | |
| Add all devices requiring access control to the Access Control List. CC ID 06264 | Technical security | Preventive | |
| Include the objects and users subject to access control in the security policy. CC ID 11836 | Technical security | Preventive | |
| Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 | Technical security | Preventive | |
| Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 | Technical security | Preventive | |
| Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771 | Technical security | Preventive | |
| Establish, implement, and maintain a system and information integrity policy. CC ID 14034 | Technical security | Preventive | |
| Establish, implement, and maintain system and information integrity procedures. CC ID 14051 [A Certification Service Provider shall: utilize trustworthy systems, procedures and human resources in performing its services; Article (21) One:(e)] | Technical security | Preventive | |
| Establish, implement, and maintain a physical security program. CC ID 11757 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a business continuity program. CC ID 13210 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain system continuity plan strategies. CC ID 00735 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain a critical resource list. CC ID 00740 | Operational and Systems Continuity | Detective | |
| Define and maintain continuity Service Level Agreements for all critical resources. CC ID 00741 [A Certification Service Provider shall: provide a means for Signatories to give notice that the Signature Creation Device has been compromised and ensure the availability of a timely signature revocation service; Article (21) One:(d)] | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Preventive | |
| Establish, implement, and maintain an information security program. CC ID 00812 | Operational management | Preventive | |
| Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Operational management | Preventive | |
| Include asset use policies in the Acceptable Use Policy. CC ID 01355 [A Certification Service Provider shall: provide reasonably accessible means which enable a Relying Party to ascertain: any limitation on the purpose or value for which the Signature Creation Device may be used; Article (21) One:(c)(4) An Electronic Attestation Certificate shall state: any limitations on the purposes or value for which the Signature Creation Device or the Electronic Attestation Certificate may be used; Article (21) Three:(d)] | Operational management | Preventive | |
| Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Operational management | Preventive | |
| Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Operational management | Preventive | |
| Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Operational management | Preventive | |
| Establish, implement, and maintain an e-mail policy. CC ID 06439 | Operational management | Preventive | |
| Establish, implement, and maintain a use of information agreement. CC ID 06215 | Operational management | Preventive | |
| Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 [{not been received} Where the Originator has asked for an acknowledgement but has not stated that the Data Message is conditional on receipt of the acknowledgment within the time specified or agreed, or if no time has been specified or agreed within a reasonable time, the Originator: may give notice to the Addressee stating that no acknowledgment has been received and specifying a reasonable time by which the acknowledgment must be received; and Article (14)(4)(a)] | Operational management | Preventive | |
| Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 [Where the Originator has asked for an acknowledgement but has not stated that the Data Message is conditional on receipt of the acknowledgment within the time specified or agreed, or if no time has been specified or agreed within a reasonable time, the Originator: if the acknowledgement is not received within the time specified in para (a) of this subsection, may treat the Data Message as though it has never been sent, or exercise any other rights it may have Article (14)(4)(b)] | Operational management | Preventive | |
| Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [A Certification Service Provider shall: act in accordance with representations made by it with respect to its policies and practices; Article (21) One:(a)] | Operational management | Preventive | |
| Establish, implement, and maintain a service management program. CC ID 11388 | Operational management | Preventive | |
| Include continuity plans in the Service Management program. CC ID 13919 [A Certification Service Provider shall: provide a means for Signatories to give notice that the Signature Creation Device has been compromised and ensure the availability of a timely signature revocation service; Article (21) One:(d)] | Operational management | Preventive | |
| Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Preventive | |
| Include detection procedures in the Incident Management program. CC ID 00588 | Operational management | Preventive | |
| Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 | Operational management | Preventive | |
| Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 [In assessing the evidential weight of Electronic Information, regard shall be given to: the reliability of the source of information, if identifiable; Article (10)(2)(c) In assessing the evidential weight of Electronic Information, regard shall be given to: the reliability of the manner in which the Originator was identified; Article (10)(2)(d)] | Operational management | Detective | |
| Provide and display incident management contact information to customers. CC ID 06386 [A Certification Service Provider shall: provide reasonably accessible means which enable a Relying Party to ascertain: whether means exist for the Signatory to give notice pursuant to this Law; Article (21) One:(c)(6)] | Operational management | Corrective | |
| Establish, implement, and maintain an Incident Response program. CC ID 00579 | Operational management | Preventive | |
| Establish, implement, and maintain a digital forensic evidence framework. CC ID 08652 [In assessing the evidential weight of Electronic Information, regard shall be given to: any other factor that may be relevant Article (10)(2)(e)] | Operational management | Preventive | |
| Establish, implement, and maintain a chain of custody for all devices containing digital forensic evidence. CC ID 08686 | Operational management | Detective | |
| Define the business scenarios that require digital forensic evidence. CC ID 08653 | Operational management | Preventive | |
| Define the circumstances for collecting digital forensic evidence. CC ID 08657 | Operational management | Preventive | |
| Document the legal requirements for evidence collection. CC ID 08654 | Operational management | Preventive | |
| Establish, implement, and maintain a digital forensic evidence collection program. CC ID 08655 | Operational management | Preventive | |
| Include roles and responsibilities in the digital forensic evidence collection program. CC ID 15724 | Operational management | Preventive | |
| Include the hardware configuration and software configuration of the digital forensic equipment in the forensic investigation report. CC ID 08693 | Operational management | Detective | |
| Include documentation of the system containing and surrounding digital forensic evidence in the forensic investigation report. CC ID 08679 | Operational management | Detective | |
| Include the configuration settings of devices associated with digital forensic evidence in the forensic investigation report. CC ID 08676 | Operational management | Detective | |
| Include the external connections to systems containing digital forensic evidence in the forensic investigation report. CC ID 08680 | Operational management | Detective | |
| Include the electronic media storage devices containing digital forensic evidence in the forensic investigation report. CC ID 08695 | Operational management | Detective | |
| Include all system components of systems containing digital forensic evidence in the forensic investigation report. CC ID 08696 | Operational management | Detective | |
| Establish, implement, and maintain system hardening procedures. CC ID 12001 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain records management policies. CC ID 00903 | Records management | Preventive | |
| Establish, implement, and maintain a record classification scheme. CC ID 00914 | Records management | Preventive | |
| Establish, implement, and maintain electronic signature requirements. CC ID 06219 [Absent proof to the contrary, it shall be presumed that a Secure Electronic Signature: is reliable; Article (10)(3)(a) Absent proof to the contrary, it shall be presumed that a Secure Electronic Signature: is the signature of the person to whom it correlates; and Article (10)(3)(b) {be unique} {electronic signature} A signature shall be treated as a Secure Electronic Signature if, through the application of a prescribed Secure Authentication Procedure or a commercially reasonable Secure Authentication Procedure agreed to by the parties involved, it can be verified that an Electronic Signature was, at the time it was made: unique to the person using it; Article (17)(1)(a) Signatures complying with the requirements of laws of another state may be recognized as legally equivalent to signatures under this Law if the laws of the other state require a level of reliability at least equivalent to that required for such signatures under this Law Article (23)(3)] | Records management | Preventive | |
| Define each system's preservation requirements for records and logs. CC ID 00904 | Records management | Detective | |
| Establish, implement, and maintain a data retention program. CC ID 00906 | Records management | Detective | |
| Establish, implement, and maintain records management procedures. CC ID 11619 | Records management | Preventive | |
| Establish, implement, and maintain Automated Data Processing error handling procedures. CC ID 00925 | Records management | Preventive | |
| Establish, implement, and maintain Automated Data Processing error handling reporting. CC ID 11659 | Records management | Preventive | |
| Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 | Records management | Preventive | |
| Establish, implement, and maintain output distribution procedures. CC ID 00927 [Where a rule of law requires a Data Message to be presented or retained in its original form, or provides for certain consequences if not so presented or retained, that requirement is met by a Data Message if: if the message allows, when required, the display of the information sought to be presented Article (9)(2)] | Records management | Preventive | |
| Include printed output in output distribution procedures. CC ID 13477 | Records management | Preventive | |
| Establish, implement, and maintain an e-discovery program. CC ID 00976 | Records management | Preventive | |
| Document the evidential weight of the information and the information processing assets. CC ID 00624 [In assessing the evidential weight of Electronic Information, regard shall be given to: the reliability of the manner in which one or more of the operations of executing, entering, generating, processing, storing, presenting or communicating was performed; Article (10)(2)(a)] | Records management | Preventive | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Preventive | |
| Define the organization's liability based on the applicable law. CC ID 00504 [A Signatory shall bear the legal consequences of its failure to satisfy the requirements of Section One of this Article Article (19) Two: {electronic attestation certificate} Where an Electronic Signature is supported by a certificate, the Relying Party in respect of such signature shall bear the legal consequences of its failure to take reasonable and necessary steps to verify the validity and enforceability of the certificate, as to whether it is suspended or revoked, and of observing any limitations with respect to the certificate Article (18)(2) {not required} Nothing in this Law shall require any person or employee to use or accept information in Electronic format, but a person's consent to do so may be inferred from his affirmative conduct Article (6)(1)] | Privacy protection for information and data | Preventive | |
| Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Preventive | |
| Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 [For the purpose of contracting, an offer or the acceptance of an offer may be expressed, in whole or in part, by Electronic Communication Article (11)(1) A contract may be formed by the interaction of Automated Electronic Agents that include two or more Electronic Information Systems preset and preprogrammed to carry out these tasks. Such contract would be valid and enforceable even if no individual was directly involved in the conclusion of the contract within such systems Article (12)(1) A contract may be formed between an Automated Electronic Information System in the possession of a natural or legal person and another natural person, where the latter knows or has reason to know that the such a system will automatically conclude or perform the contract Article (12)(2)] | Third Party and supply chain oversight | Preventive | |
| Review and update all contracts, as necessary. CC ID 11612 | Third Party and supply chain oversight | Preventive | |
| Include an indemnification and liability clause in third party contracts. CC ID 06517 [An Electronic Attestation Certificate shall state: any limitation on the scope or extent of liability which the Certification Service Provider accepts to any person Article (21) Three:(e)] | Third Party and supply chain oversight | Preventive | |
| Establish, implement, and maintain a supply chain management policy. CC ID 08808 | Third Party and supply chain oversight | Preventive | |
| Request attestation of compliance from third parties. CC ID 12067 | Third Party and supply chain oversight | Detective | |
Human Resources Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Define roles for information systems. CC ID 12454 | Technical security | Preventive | |
| Define access needs for each role assigned to an information system. CC ID 12455 | Technical security | Preventive | |
| Assign an information owner to organizational assets, as necessary. CC ID 12729 [An Electronic Attestation Certificate shall state: that the person identified in the Electronic Attestation Certificate holds, at the relevant time, the Signature Creation Device referred to in the certificate; Article (21) Three:(b)] | Operational management | Preventive | |
IT Impact Zone | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
| Technical security CC ID 00508 | Technical security | IT Impact Zone | |
| Physical and environmental protection CC ID 00709 | Physical and environmental protection | IT Impact Zone | |
| Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
| Operational management CC ID 00805 | Operational management | IT Impact Zone | |
| System hardening through configuration management CC ID 00860 | System hardening through configuration management | IT Impact Zone | |
| Records management CC ID 00902 | Records management | IT Impact Zone | |
| Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
| Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone | |
Investigate | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Protect devices containing digital forensic evidence during transport. CC ID 08687 | Operational management | Detective | |
| Protect devices containing digital forensic evidence in sealed containers. CC ID 08685 | Operational management | Detective | |
| Conduct forensic investigations in the event of a security compromise. CC ID 11951 | Operational management | Corrective | |
| Identify potential sources of digital forensic evidence. CC ID 08651 [{refrain from preventing} In any legal proceedings, nothing in the application of the rules of evidence shall apply so as to prevent the admission of a Data Message or Electronic Signature in evidence: if it is the best evidence that the person adducing it could reasonably be expected to obtain, on the grounds that the message or signature is not original or in its original form Article (10)(1)(b)] | Operational management | Preventive | |
| Prepare digital forensic equipment. CC ID 08688 | Operational management | Detective | |
| Use digital forensic equipment suitable to the circumstances. CC ID 08690 | Operational management | Detective | |
| Provide relevant user manuals for digital forensic equipment during use. CC ID 08691 | Operational management | Detective | |
| Maintain digital forensic equipment for proper performance. CC ID 08689 | Operational management | Detective | |
| Refrain from altering the state of compromised systems when collecting digital forensic evidence. CC ID 08671 | Operational management | Detective | |
| Follow all applicable laws and principles when collecting digital forensic evidence. CC ID 08672 | Operational management | Detective | |
| Remove everyone except interested personnel and affected parties from the proximity of digital forensic evidence. CC ID 08675 | Operational management | Detective | |
| Secure devices containing digital forensic evidence. CC ID 08681 | Operational management | Detective | |
| Use a write blocker to prevent digital forensic evidence from being modified. CC ID 08692 | Operational management | Detective | |
| Capture volatile information from devices containing digital forensic evidence prior to shutdown. CC ID 08684 | Operational management | Detective | |
| Create a system image of the device before collecting digital forensic evidence. CC ID 08673 | Operational management | Detective | |
| Shut down stand alone devices containing digital forensic evidence. CC ID 08682 | Operational management | Detective | |
| Disconnect electronic media storage devices of systems containing digital forensic evidence. CC ID 08697 | Operational management | Detective | |
| Place evidence tape over devices containing digital forensic evidence. CC ID 08683 | Operational management | Detective | |
Log Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Log the date and time each item is received into the recordkeeping system. CC ID 11709 [Where the law requires that certain documents, records or information be retained for any reason, that requirement is met by retaining Electronic Records, provided that the following conditions are satisfied: such information, if any, is retained as enables the identification of the origin and destination of the Data Message and the date and time when it was sent or received Article (5)(1)(c)] | Records management | Preventive | |
Monitor and Evaluate Occurrences | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 | Leadership and high level objectives | Preventive | |
| Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 | Leadership and high level objectives | Preventive | |
| Include the capturing and alerting of performance variances in the notification system. CC ID 12929 | Leadership and high level objectives | Preventive | |
| Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 | Leadership and high level objectives | Preventive | |
| Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain an anti-tamper protection program. CC ID 10638 | Physical and environmental protection | Detective | |
| Monitor the location of distributed assets. CC ID 11684 [{disregard} In determining whether an Electronic Attestation Certificate or an Electronic Signature is legally effective, no regard shall be had to the place where the Certificate or the Electronic Signature was issued, nor to the jurisdiction in which the issuer of the Electronic Attestation Certificate or Signature had its place of business Article (23)(1)] | Physical and environmental protection | Detective | |
| Establish, implement, and maintain data accuracy controls. CC ID 00921 [A Certification Service Provider shall: exercise reasonable care to ensure the accuracy and completeness of all material representations made by it that are relevant to the Electronic Attestation Certificate throughout its life cycle or that are included in the certificate; Article (21) One:(b) A Signatory shall: where an Electronic Attestation Certificate is used to support a Signature Creation Device, exercise reasonable care to ensure the accuracy and completeness of all material representations made by the Signatory which are relevant to the Electronic Attestation Certificate throughout its life cycle Article {19) One:(4)] | Records management | Detective | |
Physical and Environmental Protection | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Protect assets from tampering or unapproved substitution. CC ID 11902 [A Certification Service Provider shall: provide reasonably accessible means which enable a Relying Party to ascertain: that the Signature Creation Device is valid and has not been compromised; Article (21) One:(c)(5)] | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 | Physical and environmental protection | Preventive | |
| Protect distributed assets against theft. CC ID 06799 | Physical and environmental protection | Preventive | |
Process or Activity | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Implement digital identification processes. CC ID 13731 | Technical security | Preventive | |
| Implement identity proofing processes. CC ID 13719 | Technical security | Preventive | |
| Allow authorized representatives to act on behalf of the data subject during the identity proofing process. CC ID 13787 [As between the Originator and the Addressee, a Data Message is deemed to be that of the Originator if it was sent: by a person who had the authority to act on behalf of the Originator in respect of the Data Message; Article (13)(2)(a)] | Technical security | Preventive | |
| Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 | Technical security | Preventive | |
| Contain the incident to prevent further loss. CC ID 01751 | Operational management | Corrective | |
| Determine how long to keep records and logs before disposing them. CC ID 11661 | Records management | Preventive | |
| Process restricted information in a secure environment. CC ID 13058 | Records management | Preventive | |
| Establish, implement, and maintain data completeness controls. CC ID 11649 [A Certification Service Provider shall: exercise reasonable care to ensure the accuracy and completeness of all material representations made by it that are relevant to the Electronic Attestation Certificate throughout its life cycle or that are included in the certificate; Article (21) One:(b) A Signatory shall: where an Electronic Attestation Certificate is used to support a Signature Creation Device, exercise reasonable care to ensure the accuracy and completeness of all material representations made by the Signatory which are relevant to the Electronic Attestation Certificate throughout its life cycle Article {19) One:(4)] | Records management | Preventive | |
| Sanitize user input in accordance with organizational standards. CC ID 16856 | Records management | Preventive | |
| Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Third Party and supply chain oversight | Detective | |
| Assess third parties' compliance environment during due diligence. CC ID 13134 | Third Party and supply chain oversight | Detective | |
Records Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Retain collected evidence for potential future legal actions. CC ID 01235 | Operational management | Preventive | |
| Establish, implement, and maintain secure storage and handling of evidence procedures. CC ID 08656 | Operational management | Preventive | |
| Allow electronic signatures to satisfy requirements for written signatures, as necessary. CC ID 11807 [Where a rule of law requires a signature on a document, or provides for certain consequences in the absence of a signature, that rule is satisfied if the document contains a reliable Electronic Signature within the meaning of Article (18) of this Law Article (8)(1) {is not unenforceable} A contract is not invalid or unenforceable solely by reason that Electronic Communication was used in its formation Article (11)(2)] | Records management | Preventive | |
| Retain records in accordance with applicable requirements. CC ID 00968 [Where the law requires that certain documents, records or information be retained for any reason, that requirement is met by retaining Electronic Records, provided that the following conditions are satisfied: Article (5)(1) An obligation to retain documents, records or information in accordance with paragraph (c) of subsection (1) does not extend to any information necessarily or automatically generated solely for the purpose of enabling a message to be sent or received Article (5)(2)] | Records management | Preventive | |
| Maintain electronic records in an equivalent manner as printed records, as necessary. CC ID 11806 [Where the law requires that certain documents, records or information be retained for any reason, that requirement is met by retaining Electronic Records, provided that the following conditions are satisfied: the Electronic Record is retained in the format in which it was generated, sent or received, or in a format which can be demonstrated to represent accurately the information generated, sent or received; Article (5)(1)(a) If a rule of law requires a statement, document, record, transaction or evidence to be in writing or provides for certain consequences if it is not, an Electronic Document or Record satisfies the requirement if the provisions of subsection (1) of Article (5) of this Law are complied with Article (7)] | Records management | Preventive | |
| Refrain from creating printed records as copies of electronic records. CC ID 11808 | Records management | Preventive | |
| Capture the records required by organizational compliance requirements. CC ID 00912 | Records management | Detective | |
| Log records as being received into the recordkeeping system. CC ID 11696 | Records management | Preventive | |
| Compare each record's data input to its final form. CC ID 11813 | Records management | Detective | |
| Establish and maintain access controls for all records. CC ID 00371 [Where the law requires that certain documents, records or information be retained for any reason, that requirement is met by retaining Electronic Records, provided that the following conditions are satisfied: the information contained therein is accessible so as to be usable for subsequent reference; and Article (5)(1)(b)] | Records management | Preventive | |
| Establish, implement, and maintain legal hold procedures for data and records. CC ID 06810 [In assessing the evidential weight of Electronic Information, regard shall be given to: the reliability of the manner in which the integrity of the information was maintained; Article (10)(2)(b)] | Records management | Preventive | |
| Tailor the e-discovery search methodology to evolve with e-discovery rules. CC ID 00625 | Records management | Preventive | |
| Use precedent from the context of paper discovery in the context of e-discovery. CC ID 00626 [{refrain from preventing} In any legal proceedings, nothing in the application of the rules of evidence shall apply so as to prevent the admission of a Data Message or Electronic Signature in evidence: on the grounds that the message or signature is in Electronic format; or Article (10)(1)(a)] | Records management | Preventive | |
Technical Security | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain federated identity systems. CC ID 13837 | Technical security | Preventive | |
| Authenticate all systems in a federated identity system. CC ID 13835 | Technical security | Preventive | |
| Send and receive authentication assertions, as necessary. CC ID 13839 [A person may rely on an Electronic Signature or Electronic Attestation Certificate to the extent that such reliance rm_secondary-verb">is reasonable Article (18)(1) Where the Originator has not agreed with the Addressee that the acknowledgement be given in a particular form or by a particular method, an acknowledgement may be given by: any conduct of the addressee, sufficient to y-verb">or:#B7D8ED;" class="term_primary-verb">indicate to the Originator that the | Technical security | Preventive | |
| Make the assertion reference for authentication assertions single-use. CC ID 13843 | Technical security | Preventive | |
| Validate the issuer in the authentication assertion. CC ID 13878 [A Certification Service Provider shall: provide reasonably accessible means which enable a Relying Party to ascertain: the identity of the olor:#F0BBBC;" class="term_primary-noun">Certification Service Provider; Article (21) One:(c)(1)] | Technical security | Detective | |
| Limit the lifetime of the assertion reference. CC ID 13874 | Technical security | Preventive | |
| Refrain from using authentication assertions that have expired. CC ID 13872 | Technical security | Preventive | |
| Protect the authentication assertion from unauthorized access or unauthorized disclosure. CC ID 16836 | Technical security | Preventive | |
| Include the issuer identifier in the authentication assertion. CC ID 13865 | Technical security | Preventive | |
| Include attribute metadata in the authentication assertion. CC ID 13856 | Technical security | Preventive | |
| Include the authentication time in the authentication assertion. CC ID 13855 | Technical security | Preventive | |
| Validate each element within the authentication assertion. CC ID 13853 [{electronic attestation certificate} In determining whether it was reasonable for a person to have relied on an Electronic Signature or Certificate, regard shall be had, if appropriate, to the nature of the underlying transaction that Electronic Signature was intended to support; Article (18)(3)(a) Where the acknowledgment received by the Originator states that the related Data Message met technical requirements, either agreed upon or set forth in applicable standards, it is mary-verb">presumed, unless evidence to the contrary is adduced, that those requirements have been term_secondary-verb">#B7D8ED;" class="term_primary-verb">met Article (14)(6) Where the Originator has not agreed with the Addressee that the acknowledgement be given in a particular form or by a particular method, an acknowledgement may be given byy-verb">: any | Technical security | Preventive | |
| Validate the timestamp in the authentication assertion. CC ID 13875 [An Electronic Attestation Certificate shall state: that the Signature Creation Device was effective at or before the date when the certificate was issued; Article (21) Three:(c)] | Technical security | Detective | |
| Validate the digital signature in the authentication assertion. CC ID 13869 [{electronic attestation certificate} In determining whether it was reasonable for a person to have relied on an Electronic Signature or Certificate, regard shall be had, if appropriate, to whether the Relying Party in respect of the Electronic Signature or the Electronic Attestation Certificate had taken appropriate steps to determine the reliability of the Electronic Signature or the Electronic Attestation Certificate; Article (18)(3)(c) {electronic signature} A signature shall be treated as a Secure Electronic Signature if, through the application of a prescribed Secure Authentication Procedure or a commercially reasonable Secure Authentication Procedure agreed to by the parties involved, it can be verified that an Electronic Signature was, at the time it was made: linked to the Electronic Record to which it relates in a manner which provides reliable n">assurance as to the <span style="background-color:#F0BBBC;" class="term_primary-noun">integrity of the signature such that if the record was changed the Electronic Signature would be d-color:#CBD0E5;" class="term_secondary-verb">invalidated Article (17)(1)(d) {electronic signature} A signature shall be treated as a Secure Electronic Signature if, through the application of a prescribed Secure Authentication Procedure or a commercially reasonable Secure Authentication Procedure agreed to by the parties involved, it can be verified that an Electronic Signature was, at the time it was made: was, at the time of signing, under the sole 7D8ED;" class="term_primary-verb">control of the Signatory in terms of the creation data and the means used; and Article (17)(1)(c) {electronic signature} A signature shall be treated as a Secure Electronic Signature if, through the application of a prescribed Secure Authentication Procedure or a commercially reasonable Secure Authentication Procedure agreed to by the parties involved, it can be verified that an Electronic Signature was, at the time it was made: capable of >identifying such person; Article (17)(1)(b)] | Technical security | Detective | |
| Validate the signature validation element in the authentication assertion. CC ID 13867 [{electronic attestation certificate} In determining whether it was reasonable for a person to have relied on an Electronic Signature or Certificate, regard shall be had, if appropriate, to whether the Relying Party in respect of the Electronic Signature had taken appropriate steps to ascertain whether the Electronic Signature was supported or was reasonably expected to have been supported by an Electronic Attestation Certificate; Article (18)(3)(d) {electronic attestation certificate} In determining whether it was reasonable for a person to have relied on an Electronic Signature or Certificate, regard shall be had, if appropriate, to whether the Relying Party in respect of the Electronic Signature or the Electronic Attestation Certificate knew or ought to have known that the Electronic Signature or the Electronic Attestation Certificate had been compromised or revoked; Article (18)(3)(e)] | Technical security | Detective | |
| Validate the audience restriction element in the authentication assertion. CC ID 13866 | Technical security | Detective | |
| Include the subject in the authentication assertion. CC ID 13852 | Technical security | Preventive | |
| Include the target audience in the authentication assertion. CC ID 13851 | Technical security | Preventive | |
| Include audience restrictions in the authentication assertion. CC ID 13870 | Technical security | Preventive | |
| Include the issue date in the authentication assertion. CC ID 13850 | Technical security | Preventive | |
| Revoke authentication assertions, as necessary. CC ID 16534 | Technical security | Preventive | |
| Include the expiration date in the authentication assertion. CC ID 13849 | Technical security | Preventive | |
| Include identifiers in the authentication assertion. CC ID 13848 | Technical security | Preventive | |
| Include digital signatures in the authentication assertion. CC ID 13847 | Technical security | Preventive | |
| Include key binding in the authentication assertion. CC ID 13846 [A Certification Service Provider shall: provide reasonably accessible means which enable a Relying Party to ascertain: that the person identified in the Electronic Attestation Certificate rm_primary-verb">holds, at the relevant time, the Signature Creation Device referred to in the certificate; Article (21) One:(c)(2)] | Technical security | Preventive | |
| Include attribute references in the authentication assertion. CC ID 13845 [{electronic attestation certificate} In determining whether it was reasonable for a person to have relied on an Electronic Signature or Certificate, regard shall be had, if appropriate, to any agreement or course of dealing which the Originator has with the Relying Party in respect of the Electronic Signature or the Electronic Attestation Certificate, or any trade usage or practice which may be applicable; Article (18)(3)(f) {electronic attestation certificate} In determining whether it was reasonable for a person to have relied on an Electronic Signature or Certificate, regard shall be had, if appropriate, to any other relevant factor Article (18)(3)(g)] | Technical security | Preventive | |
| Include attribute values in the authentication assertion. CC ID 13844 [{electronic attestation certificate} In determining whether it was reasonable for a person to have relied on an Electronic Signature or Certificate, regard shall be had, if appropriate, to the value or importance of the underlying transaction, if this known to the party relying on the Electronic Signature; Article (18)(3)(b)] | Technical security | Preventive | |
| Control access rights to organizational assets. CC ID 00004 [A Signatory shall: exercise reasonable care to avoid the unauthorized use of its Signature Creation Device; Article (19) One:(2)] | Technical security | Preventive | |
| Generate but refrain from storing authenticators or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835 | Technical security | Preventive | |
| Define access needs for each system component of an information system. CC ID 12456 | Technical security | Preventive | |
| Define the level of privilege required for each system component of an information system. CC ID 12457 | Technical security | Preventive | |
| Establish access rights based on least privilege. CC ID 01411 | Technical security | Preventive | |
| Assign user permissions based on job responsibilities. CC ID 00538 | Technical security | Preventive | |
| Assign user privileges after they have management sign off. CC ID 00542 | Technical security | Preventive | |
| Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 | Technical security | Preventive | |
| Disallow unlocking user accounts absent system administrator approval. CC ID 01413 | Technical security | Preventive | |
| Establish session authenticity through Transport Layer Security. CC ID 01627 | Technical security | Preventive | |
| Include all system components in the access control system. CC ID 11939 | Technical security | Preventive | |
| Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 | Technical security | Preventive | |
| Enable attribute-based access control for objects and users on information systems. CC ID 16351 | Technical security | Preventive | |
| Enable role-based access control for objects and users on information systems. CC ID 12458 | Technical security | Preventive | |
| Enforce access restrictions for change control. CC ID 01428 | Technical security | Preventive | |
| Permit a limited set of user actions absent identification and authentication. CC ID 04849 | Technical security | Preventive | |
| Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262 | Technical security | Preventive | |
| Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770 | Technical security | Preventive | |
| Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964 | Technical security | Preventive | |
| Manage the use of encryption controls and cryptographic controls. CC ID 00570 | Technical security | Preventive | |
| Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564 | Technical security | Preventive | |
| Treat data messages that do not receive an acknowledgment as never been sent. CC ID 14416 [Where the Originator has stated that the Data Message is conditional on receipt of the acknowledgment, the Data Message is treated as though it had never been sent until the acknowledgment is received Article (14)(3)] | Technical security | Preventive | |
| Establish, implement, and maintain on-site logical controls for all distributed assets. CC ID 11682 [A Signatory shall: not unlawfully use its Signature Creation Device; Article (19) One:(1)] | Physical and environmental protection | Preventive | |
| Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Operational management | Preventive | |
| Allow authorized parties to authenticate electronic records with electronic signatures. CC ID 11964 [Absent proof to the contrary, it shall be presumed that a Secure Electronic Signature: was affixed by that person with the intention of signing or approving the Data Message attributed to him Article(10)(3)(c) Absent contrary statutory provision, a person may use any form of Electronic authentication Article (8)(2) Notwithstanding subsections (2) and (3) above: Where parties agree, as between themselves, to the use of certain types of Electronic Signatures or Electronic Attestation Certificates, that agreement shall be recognized as sufficient for the purpose of cross-border recognition between the various jurisdictions of states, unless that agreement would not be valid or effective under applicable law of the UAE Article (23)(6)(b)] | Records management | Preventive | |
| Allow authorized parties to authenticate transactions with electronic signatures. CC ID 11963 | Records management | Preventive | |
Testing | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455 | Technical security | Detective | |
| Implement non-repudiation for transactions. CC ID 00567 | Technical security | Detective | |
| Test the operation of the digital forensic equipment prior to use. CC ID 08694 | Operational management | Detective | |
| Maintain continued integrity for all stored data and stored records. CC ID 00969 [{not be altered} Absent proof to the contrary, it shall be presumed that a Secure Electronic Record: remained unaltered since creation; and Article (10)(4)(a) Absent proof to the contrary, it shall be presumed that a Secure Electronic Record: is reliable Article (10)(4)(b) If a prescribed Secure Authentication Procedure or a commercially reasonable Secure Authentication Procedure agreed to by the parties involved has been properly applied to an Electronic Record to verify that the Electronic Record has not been altered since a specified point in time, such record shall be treated as a Secure Electronic Record from such specified point in time to the time of verification Article (16)(1)] | Records management | Detective | |
| Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 | Third Party and supply chain oversight | Detective | |
| Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 [Electronic Attestation Certificates issued by a foreign Certification Service Provider are recognized as legally equivalent to Certificates issued by Certification Service Providers operating under this Law, if the practices of the foreign Certification Service Provider provide a level of reliability at least equivalent to that required of Certification Service Providers operating in accordance with this Law, as provided under Article (21), and taking into consideration recognized international standards Article (23)(2)] | Third Party and supply chain oversight | Detective | |
Common Controls andThere are three types of Common Control classifications; corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
Corrective | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 | Technical security | Communicate | |
| Contain the incident to prevent further loss. CC ID 01751 | Operational management | Process or Activity | |
| Provide and display incident management contact information to customers. CC ID 06386 [A Certification Service Provider shall: provide reasonably accessible means which enable a Relying Party to ascertain: whether means exist for the Signatory to give notice pursuant to this Law; Article (21) One:(c)(6)] | Operational management | Establish/Maintain Documentation | |
| Conduct forensic investigations in the event of a security compromise. CC ID 11951 | Operational management | Investigate | |
| Collect evidence from the incident scene. CC ID 02236 | Operational management | Business Processes | |
Detective | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Validate the issuer in the authentication assertion. CC ID 13878 [A Certification Service Provider shall: provide reasonably accessible means which enable a Relying Party to ascertain: the identity of the olor:#F0BBBC;" class="term_primary-noun">Certification Service Provider; Article (21) One:(c)(1)] | Technical security | Technical Security | |
| Validate the timestamp in the authentication assertion. CC ID 13875 [An Electronic Attestation Certificate shall state: that the Signature Creation Device was effective at or before the date when the certificate was issued; Article (21) Three:(c)] | Technical security | Technical Security | |
| Validate the digital signature in the authentication assertion. CC ID 13869 [{electronic attestation certificate} In determining whether it was reasonable for a person to have relied on an Electronic Signature or Certificate, regard shall be had, if appropriate, to whether the Relying Party in respect of the Electronic Signature or the Electronic Attestation Certificate had taken appropriate steps to determine the reliability of the Electronic Signature or the Electronic Attestation Certificate; Article (18)(3)(c) {electronic signature} A signature shall be treated as a Secure Electronic Signature if, through the application of a prescribed Secure Authentication Procedure or a commercially reasonable Secure Authentication Procedure agreed to by the parties involved, it can be verified that an Electronic Signature was, at the time it was made: linked to the Electronic Record to which it relates in a manner which provides reliable n">assurance as to the <span style="background-color:#F0BBBC;" class="term_primary-noun">integrity of the signature such that if the record was changed the Electronic Signature would be d-color:#CBD0E5;" class="term_secondary-verb">invalidated Article (17)(1)(d) {electronic signature} A signature shall be treated as a Secure Electronic Signature if, through the application of a prescribed Secure Authentication Procedure or a commercially reasonable Secure Authentication Procedure agreed to by the parties involved, it can be verified that an Electronic Signature was, at the time it was made: was, at the time of signing, under the sole 7D8ED;" class="term_primary-verb">control of the Signatory in terms of the creation data and the means used; and Article (17)(1)(c) {electronic signature} A signature shall be treated as a Secure Electronic Signature if, through the application of a prescribed Secure Authentication Procedure or a commercially reasonable Secure Authentication Procedure agreed to by the parties involved, it can be verified that an Electronic Signature was, at the time it was made: capable of >identifying such person; Article (17)(1)(b)] | Technical security | Technical Security | |
| Validate the signature validation element in the authentication assertion. CC ID 13867 [{electronic attestation certificate} In determining whether it was reasonable for a person to have relied on an Electronic Signature or Certificate, regard shall be had, if appropriate, to whether the Relying Party in respect of the Electronic Signature had taken appropriate steps to ascertain whether the Electronic Signature was supported or was reasonably expected to have been supported by an Electronic Attestation Certificate; Article (18)(3)(d) {electronic attestation certificate} In determining whether it was reasonable for a person to have relied on an Electronic Signature or Certificate, regard shall be had, if appropriate, to whether the Relying Party in respect of the Electronic Signature or the Electronic Attestation Certificate knew or ought to have known that the Electronic Signature or the Electronic Attestation Certificate had been compromised or revoked; Article (18)(3)(e)] | Technical security | Technical Security | |
| Validate the audience restriction element in the authentication assertion. CC ID 13866 | Technical security | Technical Security | |
| Disallow application IDs from running as privileged users. CC ID 10050 | Technical security | Configuration | |
| Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455 | Technical security | Testing | |
| Implement non-repudiation for transactions. CC ID 00567 | Technical security | Testing | |
| Establish, implement, and maintain an anti-tamper protection program. CC ID 10638 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
| Monitor the location of distributed assets. CC ID 11684 [{disregard} In determining whether an Electronic Attestation Certificate or an Electronic Signature is legally effective, no regard shall be had to the place where the Certificate or the Electronic Signature was issued, nor to the jurisdiction in which the issuer of the Electronic Attestation Certificate or Signature had its place of business Article (23)(1)] | Physical and environmental protection | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain a critical resource list. CC ID 00740 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 [In assessing the evidential weight of Electronic Information, regard shall be given to: the reliability of the source of information, if identifiable; Article (10)(2)(c) In assessing the evidential weight of Electronic Information, regard shall be given to: the reliability of the manner in which the Originator was identified; Article (10)(2)(d)] | Operational management | Establish/Maintain Documentation | |
| Protect devices containing digital forensic evidence during transport. CC ID 08687 | Operational management | Investigate | |
| Protect devices containing digital forensic evidence in sealed containers. CC ID 08685 | Operational management | Investigate | |
| Establish, implement, and maintain a chain of custody for all devices containing digital forensic evidence. CC ID 08686 | Operational management | Establish/Maintain Documentation | |
| Contact affected parties to participate in forensic investigations, as necessary. CC ID 12343 | Operational management | Communicate | |
| Prepare digital forensic equipment. CC ID 08688 | Operational management | Investigate | |
| Use digital forensic equipment suitable to the circumstances. CC ID 08690 | Operational management | Investigate | |
| Provide relevant user manuals for digital forensic equipment during use. CC ID 08691 | Operational management | Investigate | |
| Include the hardware configuration and software configuration of the digital forensic equipment in the forensic investigation report. CC ID 08693 | Operational management | Establish/Maintain Documentation | |
| Test the operation of the digital forensic equipment prior to use. CC ID 08694 | Operational management | Testing | |
| Maintain digital forensic equipment for proper performance. CC ID 08689 | Operational management | Investigate | |
| Include documentation of the system containing and surrounding digital forensic evidence in the forensic investigation report. CC ID 08679 | Operational management | Establish/Maintain Documentation | |
| Include the configuration settings of devices associated with digital forensic evidence in the forensic investigation report. CC ID 08676 | Operational management | Establish/Maintain Documentation | |
| Include the external connections to systems containing digital forensic evidence in the forensic investigation report. CC ID 08680 | Operational management | Establish/Maintain Documentation | |
| Include the electronic media storage devices containing digital forensic evidence in the forensic investigation report. CC ID 08695 | Operational management | Establish/Maintain Documentation | |
| Include all system components of systems containing digital forensic evidence in the forensic investigation report. CC ID 08696 | Operational management | Establish/Maintain Documentation | |
| Refrain from altering the state of compromised systems when collecting digital forensic evidence. CC ID 08671 | Operational management | Investigate | |
| Follow all applicable laws and principles when collecting digital forensic evidence. CC ID 08672 | Operational management | Investigate | |
| Remove everyone except interested personnel and affected parties from the proximity of digital forensic evidence. CC ID 08675 | Operational management | Investigate | |
| Secure devices containing digital forensic evidence. CC ID 08681 | Operational management | Investigate | |
| Use a write blocker to prevent digital forensic evidence from being modified. CC ID 08692 | Operational management | Investigate | |
| Capture volatile information from devices containing digital forensic evidence prior to shutdown. CC ID 08684 | Operational management | Investigate | |
| Create a system image of the device before collecting digital forensic evidence. CC ID 08673 | Operational management | Investigate | |
| Shut down stand alone devices containing digital forensic evidence. CC ID 08682 | Operational management | Investigate | |
| Disconnect electronic media storage devices of systems containing digital forensic evidence. CC ID 08697 | Operational management | Investigate | |
| Place evidence tape over devices containing digital forensic evidence. CC ID 08683 | Operational management | Investigate | |
| Define each system's preservation requirements for records and logs. CC ID 00904 | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a data retention program. CC ID 00906 | Records management | Establish/Maintain Documentation | |
| Maintain continued integrity for all stored data and stored records. CC ID 00969 [{not be altered} Absent proof to the contrary, it shall be presumed that a Secure Electronic Record: remained unaltered since creation; and Article (10)(4)(a) Absent proof to the contrary, it shall be presumed that a Secure Electronic Record: is reliable Article (10)(4)(b) If a prescribed Secure Authentication Procedure or a commercially reasonable Secure Authentication Procedure agreed to by the parties involved has been properly applied to an Electronic Record to verify that the Electronic Record has not been altered since a specified point in time, such record shall be treated as a Secure Electronic Record from such specified point in time to the time of verification Article (16)(1)] | Records management | Testing | |
| Establish, implement, and maintain data accuracy controls. CC ID 00921 [A Certification Service Provider shall: exercise reasonable care to ensure the accuracy and completeness of all material representations made by it that are relevant to the Electronic Attestation Certificate throughout its life cycle or that are included in the certificate; Article (21) One:(b) A Signatory shall: where an Electronic Attestation Certificate is used to support a Signature Creation Device, exercise reasonable care to ensure the accuracy and completeness of all material representations made by the Signatory which are relevant to the Electronic Attestation Certificate throughout its life cycle Article {19) One:(4)] | Records management | Monitor and Evaluate Occurrences | |
| Capture the records required by organizational compliance requirements. CC ID 00912 | Records management | Records Management | |
| Compare each record's data input to its final form. CC ID 11813 | Records management | Records Management | |
| Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Third Party and supply chain oversight | Process or Activity | |
| Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 | Third Party and supply chain oversight | Testing | |
| Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 [Electronic Attestation Certificates issued by a foreign Certification Service Provider are recognized as legally equivalent to Certificates issued by Certification Service Providers operating under this Law, if the practices of the foreign Certification Service Provider provide a level of reliability at least equivalent to that required of Certification Service Providers operating in accordance with this Law, as provided under Article (21), and taking into consideration recognized international standards Article (23)(2)] | Third Party and supply chain oversight | Testing | |
| Assess third parties' compliance environment during due diligence. CC ID 13134 | Third Party and supply chain oversight | Process or Activity | |
| Request attestation of compliance from third parties. CC ID 12067 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
IT Impact Zone | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
| Technical security CC ID 00508 | Technical security | IT Impact Zone | |
| Physical and environmental protection CC ID 00709 | Physical and environmental protection | IT Impact Zone | |
| Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
| Operational management CC ID 00805 | Operational management | IT Impact Zone | |
| System hardening through configuration management CC ID 00860 | System hardening through configuration management | IT Impact Zone | |
| Records management CC ID 00902 | Records management | IT Impact Zone | |
| Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
| Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone | |
Preventive | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Establish, implement, and maintain a reporting methodology program. CC ID 02072 | Leadership and high level objectives | Business Processes | |
| Establish, implement, and maintain communication protocols. CC ID 12245 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406 [A Signatory shall: without undue delay, notify concerned persons if: the Signatory becomes aware that the security of its Signature Creation Device has been compromised; Article (19) One:(3)(a) A Signatory shall: without undue delay, notify concerned persons if: the circumstances known to the Signatory give rise to a substantial risk that the security of the Signature Creation Device may have been compromised; and Article (19) One:(3)(b)] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Include the capturing and alerting of performance variances in the notification system. CC ID 12929 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain a digital identity management program. CC ID 13713 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain digital identification procedures. CC ID 13714 | Technical security | Establish/Maintain Documentation | |
| Implement digital identification processes. CC ID 13731 | Technical security | Process or Activity | |
| Implement identity proofing processes. CC ID 13719 | Technical security | Process or Activity | |
| Allow authorized representatives to act on behalf of the data subject during the identity proofing process. CC ID 13787 [As between the Originator and the Addressee, a Data Message is deemed to be that of the Originator if it was sent: by a person who had the authority to act on behalf of the Originator in respect of the Data Message; Article (13)(2)(a)] | Technical security | Process or Activity | |
| Establish, implement, and maintain federated identity systems. CC ID 13837 | Technical security | Technical Security | |
| Authenticate all systems in a federated identity system. CC ID 13835 | Technical security | Technical Security | |
| Send and receive authentication assertions, as necessary. CC ID 13839 [A person may rely on an Electronic Signature or Electronic Attestation Certificate to the extent that such reliance rm_secondary-verb">is reasonable Article (18)(1) Where the Originator has not agreed with the Addressee that the acknowledgement be given in a particular form or by a particular method, an acknowledgement may be given by: any conduct of the addressee, sufficient to y-verb">or:#B7D8ED;" class="term_primary-verb">indicate to the Originator that the | Technical security | Technical Security | |
| Make the assertion reference for authentication assertions single-use. CC ID 13843 | Technical security | Technical Security | |
| Limit the lifetime of the assertion reference. CC ID 13874 | Technical security | Technical Security | |
| Refrain from using authentication assertions that have expired. CC ID 13872 | Technical security | Technical Security | |
| Protect the authentication assertion from unauthorized access or unauthorized disclosure. CC ID 16836 | Technical security | Technical Security | |
| Include the issuer identifier in the authentication assertion. CC ID 13865 | Technical security | Technical Security | |
| Include attribute metadata in the authentication assertion. CC ID 13856 | Technical security | Technical Security | |
| Include the authentication time in the authentication assertion. CC ID 13855 | Technical security | Technical Security | |
| Validate each element within the authentication assertion. CC ID 13853 [{electronic attestation certificate} In determining whether it was reasonable for a person to have relied on an Electronic Signature or Certificate, regard shall be had, if appropriate, to the nature of the underlying transaction that Electronic Signature was intended to support; Article (18)(3)(a) Where the acknowledgment received by the Originator states that the related Data Message met technical requirements, either agreed upon or set forth in applicable standards, it is mary-verb">presumed, unless evidence to the contrary is adduced, that those requirements have been term_secondary-verb">#B7D8ED;" class="term_primary-verb">met Article (14)(6) Where the Originator has not agreed with the Addressee that the acknowledgement be given in a particular form or by a particular method, an acknowledgement may be given byy-verb">: any | Technical security | Technical Security | |
| Include the subject in the authentication assertion. CC ID 13852 | Technical security | Technical Security | |
| Include the target audience in the authentication assertion. CC ID 13851 | Technical security | Technical Security | |
| Include audience restrictions in the authentication assertion. CC ID 13870 | Technical security | Technical Security | |
| Include the issue date in the authentication assertion. CC ID 13850 | Technical security | Technical Security | |
| Revoke authentication assertions, as necessary. CC ID 16534 | Technical security | Technical Security | |
| Include the expiration date in the authentication assertion. CC ID 13849 | Technical security | Technical Security | |
| Include identifiers in the authentication assertion. CC ID 13848 | Technical security | Technical Security | |
| Include digital signatures in the authentication assertion. CC ID 13847 | Technical security | Technical Security | |
| Include key binding in the authentication assertion. CC ID 13846 [A Certification Service Provider shall: provide reasonably accessible means which enable a Relying Party to ascertain: that the person identified in the Electronic Attestation Certificate rm_primary-verb">holds, at the relevant time, the Signature Creation Device referred to in the certificate; Article (21) One:(c)(2)] | Technical security | Technical Security | |
| Include attribute references in the authentication assertion. CC ID 13845 [{electronic attestation certificate} In determining whether it was reasonable for a person to have relied on an Electronic Signature or Certificate, regard shall be had, if appropriate, to any agreement or course of dealing which the Originator has with the Relying Party in respect of the Electronic Signature or the Electronic Attestation Certificate, or any trade usage or practice which may be applicable; Article (18)(3)(f) {electronic attestation certificate} In determining whether it was reasonable for a person to have relied on an Electronic Signature or Certificate, regard shall be had, if appropriate, to any other relevant factor Article (18)(3)(g)] | Technical security | Technical Security | |
| Include attribute values in the authentication assertion. CC ID 13844 [{electronic attestation certificate} In determining whether it was reasonable for a person to have relied on an Electronic Signature or Certificate, regard shall be had, if appropriate, to the value or importance of the underlying transaction, if this known to the party relying on the Electronic Signature; Article (18)(3)(b)] | Technical security | Technical Security | |
| Establish, implement, and maintain an access control program. CC ID 11702 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain an access rights management plan. CC ID 00513 | Technical security | Establish/Maintain Documentation | |
| Control access rights to organizational assets. CC ID 00004 [A Signatory shall: exercise reasonable care to avoid the unauthorized use of its Signature Creation Device; Article (19) One:(2)] | Technical security | Technical Security | |
| Configure access control lists in accordance with organizational standards. CC ID 16465 | Technical security | Configuration | |
| Add all devices requiring access control to the Access Control List. CC ID 06264 | Technical security | Establish/Maintain Documentation | |
| Generate but refrain from storing authenticators or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835 | Technical security | Technical Security | |
| Define roles for information systems. CC ID 12454 | Technical security | Human Resources Management | |
| Define access needs for each role assigned to an information system. CC ID 12455 | Technical security | Human Resources Management | |
| Define access needs for each system component of an information system. CC ID 12456 | Technical security | Technical Security | |
| Define the level of privilege required for each system component of an information system. CC ID 12457 | Technical security | Technical Security | |
| Establish access rights based on least privilege. CC ID 01411 | Technical security | Technical Security | |
| Assign user permissions based on job responsibilities. CC ID 00538 | Technical security | Technical Security | |
| Assign user privileges after they have management sign off. CC ID 00542 | Technical security | Technical Security | |
| Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 | Technical security | Configuration | |
| Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 | Technical security | Technical Security | |
| Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 | Technical security | Configuration | |
| Disallow unlocking user accounts absent system administrator approval. CC ID 01413 | Technical security | Technical Security | |
| Establish, implement, and maintain session lock capabilities. CC ID 01417 | Technical security | Configuration | |
| Limit concurrent sessions according to account type. CC ID 01416 | Technical security | Configuration | |
| Establish session authenticity through Transport Layer Security. CC ID 01627 | Technical security | Technical Security | |
| Configure the "tlsverify" argument to organizational standards. CC ID 14460 | Technical security | Configuration | |
| Configure the "tlscacert" argument to organizational standards. CC ID 14521 | Technical security | Configuration | |
| Configure the "tlscert" argument to organizational standards. CC ID 14520 | Technical security | Configuration | |
| Configure the "tlskey" argument to organizational standards. CC ID 14519 | Technical security | Configuration | |
| Enable access control for objects and users on each system. CC ID 04553 | Technical security | Configuration | |
| Include all system components in the access control system. CC ID 11939 | Technical security | Technical Security | |
| Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 | Technical security | Process or Activity | |
| Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 | Technical security | Technical Security | |
| Enable attribute-based access control for objects and users on information systems. CC ID 16351 | Technical security | Technical Security | |
| Enable role-based access control for objects and users on information systems. CC ID 12458 | Technical security | Technical Security | |
| Include the objects and users subject to access control in the security policy. CC ID 11836 | Technical security | Establish/Maintain Documentation | |
| Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Technical security | Establish Roles | |
| Enforce access restrictions for change control. CC ID 01428 | Technical security | Technical Security | |
| Enforce access restrictions for restricted data. CC ID 01921 | Technical security | Data and Information Management | |
| Permit a limited set of user actions absent identification and authentication. CC ID 04849 | Technical security | Technical Security | |
| Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262 | Technical security | Technical Security | |
| Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 | Technical security | Establish/Maintain Documentation | |
| Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 | Technical security | Establish/Maintain Documentation | |
| Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770 | Technical security | Technical Security | |
| Display previous logon information in the logon banner. CC ID 01415 | Technical security | Configuration | |
| Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771 | Technical security | Establish/Maintain Documentation | |
| Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964 | Technical security | Technical Security | |
| Establish, implement, and maintain a system and information integrity policy. CC ID 14034 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain system and information integrity procedures. CC ID 14051 [A Certification Service Provider shall: utilize trustworthy systems, procedures and human resources in performing its services; Article (21) One:(e)] | Technical security | Establish/Maintain Documentation | |
| Disseminate and communicate the system and information integrity procedures to interested personnel and affected parties. CC ID 14142 | Technical security | Communicate | |
| Manage the use of encryption controls and cryptographic controls. CC ID 00570 | Technical security | Technical Security | |
| Establish, implement, and maintain digital signatures. CC ID 13828 | Technical security | Data and Information Management | |
| Include the issuer in digital signatures. CC ID 13831 [A Certification Service Provider shall: provide reasonably accessible means which enable a Relying Party to ascertain: the method used to identify the Signatory; Article (21) One:(c)(3) An Electronic Attestation Certificate shall state: the identity of the Certification Service Provider; Article (21) Three:(a)] | Technical security | Data and Information Management | |
| Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564 | Technical security | Technical Security | |
| Treat data messages that do not receive an acknowledgment as never been sent. CC ID 14416 [Where the Originator has stated that the Data Message is conditional on receipt of the acknowledgment, the Data Message is treated as though it had never been sent until the acknowledgment is received Article (14)(3)] | Technical security | Technical Security | |
| Establish, implement, and maintain a physical security program. CC ID 11757 | Physical and environmental protection | Establish/Maintain Documentation | |
| Protect assets from tampering or unapproved substitution. CC ID 11902 [A Certification Service Provider shall: provide reasonably accessible means which enable a Relying Party to ascertain: that the Signature Creation Device is valid and has not been compromised; Article (21) One:(c)(5)] | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 | Physical and environmental protection | Physical and Environmental Protection | |
| Protect distributed assets against theft. CC ID 06799 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain on-site logical controls for all distributed assets. CC ID 11682 [A Signatory shall: not unlawfully use its Signature Creation Device; Article (19) One:(1)] | Physical and environmental protection | Technical Security | |
| Establish, implement, and maintain a business continuity program. CC ID 13210 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Establish, implement, and maintain system continuity plan strategies. CC ID 00735 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Define and maintain continuity Service Level Agreements for all critical resources. CC ID 00741 [A Certification Service Provider shall: provide a means for Signatories to give notice that the Signature Creation Device has been compromised and ensure the availability of a timely signature revocation service; Article (21) One:(d)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an information security program. CC ID 00812 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Operational management | Establish/Maintain Documentation | |
| Include asset use policies in the Acceptable Use Policy. CC ID 01355 [A Certification Service Provider shall: provide reasonably accessible means which enable a Relying Party to ascertain: any limitation on the purpose or value for which the Signature Creation Device may be used; Article (21) One:(c)(4) An Electronic Attestation Certificate shall state: any limitations on the purposes or value for which the Signature Creation Device or the Electronic Attestation Certificate may be used; Article (21) Three:(d)] | Operational management | Establish/Maintain Documentation | |
| Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Operational management | Establish/Maintain Documentation | |
| Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Operational management | Establish/Maintain Documentation | |
| Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Operational management | Technical Security | |
| Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Operational management | Establish/Maintain Documentation | |
| Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Operational management | Data and Information Management | |
| Establish, implement, and maintain an e-mail policy. CC ID 06439 | Operational management | Establish/Maintain Documentation | |
| Identify the sender in all electronic messages. CC ID 13996 [Where the law requires that certain documents, records or information be retained for any reason, that requirement is met by retaining Electronic Records, provided that the following conditions are satisfied: such information, if any, is retained as enables the identification of the origin and destination of the Data Message and the date and time when it was sent or received Article (5)(1)(c)] | Operational management | Data and Information Management | |
| Establish, implement, and maintain a use of information agreement. CC ID 06215 | Operational management | Establish/Maintain Documentation | |
| Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 [{not been received} Where the Originator has asked for an acknowledgement but has not stated that the Data Message is conditional on receipt of the acknowledgment within the time specified or agreed, or if no time has been specified or agreed within a reasonable time, the Originator: may give notice to the Addressee stating that no acknowledgment has been received and specifying a reasonable time by which the acknowledgment must be received; and Article (14)(4)(a)] | Operational management | Establish/Maintain Documentation | |
| Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 [Where the Originator has asked for an acknowledgement but has not stated that the Data Message is conditional on receipt of the acknowledgment within the time specified or agreed, or if no time has been specified or agreed within a reasonable time, the Originator: if the acknowledgement is not received within the time specified in para (a) of this subsection, may treat the Data Message as though it has never been sent, or exercise any other rights it may have Article (14)(4)(b)] | Operational management | Establish/Maintain Documentation | |
| Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Business Processes | |
| Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [A Certification Service Provider shall: act in accordance with representations made by it with respect to its policies and practices; Article (21) One:(a)] | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a Service Management System. CC ID 13889 | Operational management | Business Processes | |
| Establish, implement, and maintain a service management program. CC ID 11388 | Operational management | Establish/Maintain Documentation | |
| Include continuity plans in the Service Management program. CC ID 13919 [A Certification Service Provider shall: provide a means for Signatories to give notice that the Signature Creation Device has been compromised and ensure the availability of a timely signature revocation service; Article (21) One:(d)] | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an Asset Management program. CC ID 06630 | Operational management | Business Processes | |
| Assign an information owner to organizational assets, as necessary. CC ID 12729 [An Electronic Attestation Certificate shall state: that the person identified in the Electronic Attestation Certificate holds, at the relevant time, the Signature Creation Device referred to in the certificate; Article (21) Three:(b)] | Operational management | Human Resources Management | |
| Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an Incident Management program. CC ID 00853 | Operational management | Business Processes | |
| Include detection procedures in the Incident Management program. CC ID 00588 | Operational management | Establish/Maintain Documentation | |
| Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an Incident Response program. CC ID 00579 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a digital forensic evidence framework. CC ID 08652 [In assessing the evidential weight of Electronic Information, regard shall be given to: any other factor that may be relevant Article (10)(2)(e)] | Operational management | Establish/Maintain Documentation | |
| Retain collected evidence for potential future legal actions. CC ID 01235 | Operational management | Records Management | |
| Define the business scenarios that require digital forensic evidence. CC ID 08653 | Operational management | Establish/Maintain Documentation | |
| Define the circumstances for collecting digital forensic evidence. CC ID 08657 | Operational management | Establish/Maintain Documentation | |
| Identify potential sources of digital forensic evidence. CC ID 08651 [{refrain from preventing} In any legal proceedings, nothing in the application of the rules of evidence shall apply so as to prevent the admission of a Data Message or Electronic Signature in evidence: if it is the best evidence that the person adducing it could reasonably be expected to obtain, on the grounds that the message or signature is not original or in its original form Article (10)(1)(b)] | Operational management | Investigate | |
| Document the legal requirements for evidence collection. CC ID 08654 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a digital forensic evidence collection program. CC ID 08655 | Operational management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the digital forensic evidence collection program. CC ID 15724 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain secure storage and handling of evidence procedures. CC ID 08656 | Operational management | Records Management | |
| Perform automated processes according to business requirements. CC ID 14325 [As between the Originator and the Addressee, a Data Message is deemed to be that of the Originator if it was sent: by an Automated Information System programmed by or on behalf of the Originator to operate automatically Article (13)(2)(b)] | Operational management | Business Processes | |
| Conduct transactions, as necessary. CC ID 14378 | Operational management | Business Processes | |
| Implement data content requirements and data condition requirements for all transactions. CC ID 14410 | Operational management | Business Processes | |
| Keep code sets open until resolved. CC ID 14409 | Operational management | Business Processes | |
| Refrain from using incentives to conduct transactions. CC ID 14408 | Operational management | Business Processes | |
| Refrain from charging fees to conduct transactions. CC ID 14415 | Operational management | Business Processes | |
| Refrain from rejecting standard transactions. CC ID 14406 | Operational management | Business Processes | |
| Refrain from rejecting transactions containing extra data. CC ID 14407 | Operational management | Business Processes | |
| Translate standard transactions, as necessary. CC ID 14405 | Operational management | Business Processes | |
| Translate nonstandard transactions, as necessary. CC ID 14404 | Operational management | Business Processes | |
| Process transactions, as necessary. CC ID 14403 | Operational management | Business Processes | |
| Establish, implement, and maintain system hardening procedures. CC ID 12001 | System hardening through configuration management | Establish/Maintain Documentation | |
| Disable or configure the e-mail server, as necessary. CC ID 06563 | System hardening through configuration management | Configuration | |
| Configure e-mail servers to enable receiver-side verification. CC ID 12223 [Where the Originator receives the Addressee's acknowledgment of receipt, it is presumed, unless evidence to the contrary is adduced, that the related Data Message was received by the Addressee, but that presumption does not imply that the content of the Data Message sent by the Originator corresponds to the content of the message received from the Addressee Article (14)(5)] | System hardening through configuration management | Configuration | |
| Establish, implement, and maintain records management policies. CC ID 00903 | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a record classification scheme. CC ID 00914 | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain electronic signature requirements. CC ID 06219 [Absent proof to the contrary, it shall be presumed that a Secure Electronic Signature: is reliable; Article (10)(3)(a) Absent proof to the contrary, it shall be presumed that a Secure Electronic Signature: is the signature of the person to whom it correlates; and Article (10)(3)(b) {be unique} {electronic signature} A signature shall be treated as a Secure Electronic Signature if, through the application of a prescribed Secure Authentication Procedure or a commercially reasonable Secure Authentication Procedure agreed to by the parties involved, it can be verified that an Electronic Signature was, at the time it was made: unique to the person using it; Article (17)(1)(a) Signatures complying with the requirements of laws of another state may be recognized as legally equivalent to signatures under this Law if the laws of the other state require a level of reliability at least equivalent to that required for such signatures under this Law Article (23)(3)] | Records management | Establish/Maintain Documentation | |
| Implement a signature revocation service. CC ID 14417 [A Certification Service Provider shall: provide reasonably accessible means which enable a Relying Party to ascertain: whether a timely signature revocation service is offered; Article (21) One:(c)(7)] | Records management | Business Processes | |
| Allow electronic signatures to satisfy requirements for written signatures, as necessary. CC ID 11807 [Where a rule of law requires a signature on a document, or provides for certain consequences in the absence of a signature, that rule is satisfied if the document contains a reliable Electronic Signature within the meaning of Article (18) of this Law Article (8)(1) {is not unenforceable} A contract is not invalid or unenforceable solely by reason that Electronic Communication was used in its formation Article (11)(2)] | Records management | Records Management | |
| Allow authorized parties to authenticate electronic records with electronic signatures. CC ID 11964 [Absent proof to the contrary, it shall be presumed that a Secure Electronic Signature: was affixed by that person with the intention of signing or approving the Data Message attributed to him Article(10)(3)(c) Absent contrary statutory provision, a person may use any form of Electronic authentication Article (8)(2) Notwithstanding subsections (2) and (3) above: Where parties agree, as between themselves, to the use of certain types of Electronic Signatures or Electronic Attestation Certificates, that agreement shall be recognized as sufficient for the purpose of cross-border recognition between the various jurisdictions of states, unless that agreement would not be valid or effective under applicable law of the UAE Article (23)(6)(b)] | Records management | Technical Security | |
| Allow authorized parties to authenticate transactions with electronic signatures. CC ID 11963 | Records management | Technical Security | |
| Determine how long to keep records and logs before disposing them. CC ID 11661 | Records management | Process or Activity | |
| Retain records in accordance with applicable requirements. CC ID 00968 [Where the law requires that certain documents, records or information be retained for any reason, that requirement is met by retaining Electronic Records, provided that the following conditions are satisfied: Article (5)(1) An obligation to retain documents, records or information in accordance with paragraph (c) of subsection (1) does not extend to any information necessarily or automatically generated solely for the purpose of enabling a message to be sent or received Article (5)(2)] | Records management | Records Management | |
| Establish, implement, and maintain records management procedures. CC ID 11619 | Records management | Establish/Maintain Documentation | |
| Maintain electronic records in an equivalent manner as printed records, as necessary. CC ID 11806 [Where the law requires that certain documents, records or information be retained for any reason, that requirement is met by retaining Electronic Records, provided that the following conditions are satisfied: the Electronic Record is retained in the format in which it was generated, sent or received, or in a format which can be demonstrated to represent accurately the information generated, sent or received; Article (5)(1)(a) If a rule of law requires a statement, document, record, transaction or evidence to be in writing or provides for certain consequences if it is not, an Electronic Document or Record satisfies the requirement if the provisions of subsection (1) of Article (5) of this Law are complied with Article (7)] | Records management | Records Management | |
| Process restricted information in a secure environment. CC ID 13058 | Records management | Process or Activity | |
| Refrain from creating printed records as copies of electronic records. CC ID 11808 | Records management | Records Management | |
| Establish, implement, and maintain data completeness controls. CC ID 11649 [A Certification Service Provider shall: exercise reasonable care to ensure the accuracy and completeness of all material representations made by it that are relevant to the Electronic Attestation Certificate throughout its life cycle or that are included in the certificate; Article (21) One:(b) A Signatory shall: where an Electronic Attestation Certificate is used to support a Signature Creation Device, exercise reasonable care to ensure the accuracy and completeness of all material representations made by the Signatory which are relevant to the Electronic Attestation Certificate throughout its life cycle Article {19) One:(4)] | Records management | Process or Activity | |
| Log records as being received into the recordkeeping system. CC ID 11696 | Records management | Records Management | |
| Log the date and time each item is received into the recordkeeping system. CC ID 11709 [Where the law requires that certain documents, records or information be retained for any reason, that requirement is met by retaining Electronic Records, provided that the following conditions are satisfied: such information, if any, is retained as enables the identification of the origin and destination of the Data Message and the date and time when it was sent or received Article (5)(1)(c)] | Records management | Log Management | |
| Establish, implement, and maintain data processing integrity controls. CC ID 00923 [Where a rule of law requires a Data Message to be presented or retained in its original form, or provides for certain consequences if not so presented or retained, that requirement is met by a Data Message if: there exists reliable assurance as to the integrity of the information contained in the Data Message from the time when it was first generated in its final form, as an Electronic Document or Record. The criteria for assessing integrity shall be whether the information has remained complete and unaltered, apart from the addition of any endorsement and any change which arises in the normal course of communication, storage and display; and Article (9)(1)] | Records management | Establish Roles | |
| Sanitize user input in accordance with organizational standards. CC ID 16856 | Records management | Process or Activity | |
| Establish, implement, and maintain Automated Data Processing validation checks and editing checks. CC ID 00924 | Records management | Data and Information Management | |
| Establish, implement, and maintain Automated Data Processing error handling procedures. CC ID 00925 | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain Automated Data Processing error handling reporting. CC ID 11659 | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 | Records management | Establish/Maintain Documentation | |
| Establish and maintain access controls for all records. CC ID 00371 [Where the law requires that certain documents, records or information be retained for any reason, that requirement is met by retaining Electronic Records, provided that the following conditions are satisfied: the information contained therein is accessible so as to be usable for subsequent reference; and Article (5)(1)(b)] | Records management | Records Management | |
| Establish, implement, and maintain output distribution procedures. CC ID 00927 [Where a rule of law requires a Data Message to be presented or retained in its original form, or provides for certain consequences if not so presented or retained, that requirement is met by a Data Message if: if the message allows, when required, the display of the information sought to be presented Article (9)(2)] | Records management | Establish/Maintain Documentation | |
| Include printed output in output distribution procedures. CC ID 13477 | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an e-discovery program. CC ID 00976 | Records management | Establish/Maintain Documentation | |
| Establish, implement, and maintain legal hold procedures for data and records. CC ID 06810 [In assessing the evidential weight of Electronic Information, regard shall be given to: the reliability of the manner in which the integrity of the information was maintained; Article (10)(2)(b)] | Records management | Records Management | |
| Document the evidential weight of the information and the information processing assets. CC ID 00624 [In assessing the evidential weight of Electronic Information, regard shall be given to: the reliability of the manner in which one or more of the operations of executing, entering, generating, processing, storing, presenting or communicating was performed; Article (10)(2)(a)] | Records management | Establish/Maintain Documentation | |
| Tailor the e-discovery search methodology to evolve with e-discovery rules. CC ID 00625 | Records management | Records Management | |
| Use precedent from the context of paper discovery in the context of e-discovery. CC ID 00626 [{refrain from preventing} In any legal proceedings, nothing in the application of the rules of evidence shall apply so as to prevent the admission of a Data Message or Electronic Signature in evidence: on the grounds that the message or signature is in Electronic format; or Article (10)(1)(a)] | Records management | Records Management | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Develop remedies and sanctions for privacy policy violations. CC ID 00474 | Privacy protection for information and data | Data and Information Management | |
| Define the organization's liability based on the applicable law. CC ID 00504 [A Signatory shall bear the legal consequences of its failure to satisfy the requirements of Section One of this Article Article (19) Two: {electronic attestation certificate} Where an Electronic Signature is supported by a certificate, the Relying Party in respect of such signature shall bear the legal consequences of its failure to take reasonable and necessary steps to verify the validity and enforceability of the certificate, as to whether it is suspended or revoked, and of observing any limitations with respect to the certificate Article (18)(2) {not required} Nothing in this Law shall require any person or employee to use or accept information in Electronic format, but a person's consent to do so may be inferred from his affirmative conduct Article (6)(1)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 [For the purpose of contracting, an offer or the acceptance of an offer may be expressed, in whole or in part, by Electronic Communication Article (11)(1) A contract may be formed by the interaction of Automated Electronic Agents that include two or more Electronic Information Systems preset and preprogrammed to carry out these tasks. Such contract would be valid and enforceable even if no individual was directly involved in the conclusion of the contract within such systems Article (12)(1) A contract may be formed between an Automated Electronic Information System in the possession of a natural or legal person and another natural person, where the latter knows or has reason to know that the such a system will automatically conclude or perform the contract Article (12)(2)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Review and update all contracts, as necessary. CC ID 11612 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include an indemnification and liability clause in third party contracts. CC ID 06517 [An Electronic Attestation Certificate shall state: any limitation on the scope or extent of liability which the Certification Service Provider accepts to any person Article (21) Three:(e)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Establish, implement, and maintain a supply chain management policy. CC ID 08808 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Use third parties that are compliant with the applicable requirements. CC ID 08818 [{retain} {electronic records} A person may satisfy the requirement referred to in subsection (1) by using the services of any other person, if the conditions in that subsection are complied with Article (5)(3)] | Third Party and supply chain oversight | Business Processes | |
| Conduct all parts of the supply chain due diligence process. CC ID 08854 | Third Party and supply chain oversight | Business Processes | |
| Require individual attestations of compliance from each location a third party operates in. CC ID 12228 [Notwithstanding subsections (2) and (3) above: Parties to commercial and other transactions may specify that a particular Certification Service Provider, class of Certification Service Providers or class of certificates must be used in connection with Data Messages or signatures submitted to them Article (23)(6)(a)] | Third Party and supply chain oversight | Business Processes | |
| Validate the third parties' compliance to organizationally mandated compliance requirements. CC ID 08819 [A Certification Service Provider shall: be licensed by the Certification Services Controller if operating in the UAE Article (21) One:(f)] | Third Party and supply chain oversight | Business Processes | |