Back

Middle East > Federal Supreme Council

United Arab Emirates Federal Law No. (1) of 2006 On Electronic Commerce and Transactions



AD ID

0003165

AD STATUS

United Arab Emirates Federal Law No. (1) of 2006 On Electronic Commerce and Transactions

ORIGINATOR

Federal Supreme Council

TYPE

Bill or Act

AVAILABILITY

Free

SYNONYMS

Federal Law No. (1) of 2006 On Electronic Commerce and Transactions

United Arab Emirates Federal Law No. (1) of 2006 On Electronic Commerce and Transactions

EFFECTIVE

2006-01-30

ADDED

The document as a whole was last reviewed and released on 2020-04-16T00:00:00-0700.

AD ID

0003165

AD STATUS

Free

ORIGINATOR

Federal Supreme Council

TYPE

Bill or Act

AVAILABILITY

SYNONYMS

Federal Law No. (1) of 2006 On Electronic Commerce and Transactions

United Arab Emirates Federal Law No. (1) of 2006 On Electronic Commerce and Transactions

EFFECTIVE

2006-01-30

ADDED

The document as a whole was last reviewed and released on 2020-04-16T00:00:00-0700.


Important Notice

This Authority Document In Depth Report is copyrighted - © 2021 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.

Controls and asociated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of meta data that are associated with each Citation; Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within United Arab Emirates Federal Law No. (1) of 2006 On Electronic Commerce and Transactions that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.

Dictionary Terms – The dictionary terms listed for United Arab Emirates Federal Law No. (1) of 2006 On Electronic Commerce and Transactions are based upon terms either found within the Authority Document’s defined terms section(which most legal documents have), its glossary, and for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.



Common Controls and
mandates by Impact Zone
55 Mandated Controls - bold    
65 Implied Controls - italic     119 Implementation

An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.


The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.

Number of Controls
239 Total
  • Leadership and high level objectives
    8
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Leadership and high level objectives CC ID 00597 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain communication protocols. CC ID 12245 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406
    [A Signatory shall: without undue delay, notify concerned persons if: the Signatory becomes aware that the security of its Signature Creation Device has been compromised; Article (19) One:(3)(a)
    A Signatory shall: without undue delay, notify concerned persons if: the circumstances known to the Signatory give rise to a substantial risk that the security of the Signature Creation Device may have been compromised; and Article (19) One:(3)(b)]
    Establish/Maintain Documentation Preventive
    Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of performance variances in the notification system. CC ID 12929 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of account activity in the notification system. CC ID 15314 Monitor and Evaluate Occurrences Preventive
  • Operational and Systems Continuity
    5
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Operational and Systems Continuity CC ID 00731 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a business continuity program. CC ID 13210 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain system continuity plan strategies. CC ID 00735 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a critical resource list. CC ID 00740 Establish/Maintain Documentation Detective
    Define and maintain continuity Service Level Agreements for all critical resources. CC ID 00741
    [A Certification Service Provider shall: provide a means for Signatories to give notice that the Signature Creation Device has been compromised and ensure the availability of a timely signature revocation service; Article (21) One:(d)]
    Establish/Maintain Documentation Preventive
  • Operational management
    74
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Operational management CC ID 00805 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an information security program. CC ID 00812 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 Establish/Maintain Documentation Preventive
    Include asset use policies in the Acceptable Use Policy. CC ID 01355
    [A Certification Service Provider shall: provide reasonably accessible means which enable a Relying Party to ascertain: any limitation on the purpose or value for which the Signature Creation Device may be used; Article (21) One:(c)(4)
    An Electronic Attestation Certificate shall state: any limitations on the purposes or value for which the Signature Creation Device or the Electronic Attestation Certificate may be used; Article (21) Three:(d)]
    Establish/Maintain Documentation Preventive
    Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 Establish/Maintain Documentation Preventive
    Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 Establish/Maintain Documentation Preventive
    Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 Technical Security Preventive
    Include prohibiting, copying, or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 Establish/Maintain Documentation Preventive
    Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 Data and Information Management Preventive
    Establish, implement, and maintain an e-mail policy. CC ID 06439 Establish/Maintain Documentation Preventive
    Identify the sender in all electronic messages. CC ID 13996
    [Where the law requires that certain documents, records or information be retained for any reason, that requirement is met by retaining Electronic Records, provided that the following conditions are satisfied: such information, if any, is retained as enables the identification of the origin and destination of the Data Message and the date and time when it was sent or received Article (5)(1)(c)]
    Data and Information Management Preventive
    Establish, implement, and maintain a use of information agreement. CC ID 06215 Establish/Maintain Documentation Preventive
    Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130
    [{not been received} Where the Originator has asked for an acknowledgement but has not stated that the Data Message is conditional on receipt of the acknowledgment within the time specified or agreed, or if no time has been specified or agreed within a reasonable time, the Originator: may give notice to the Addressee stating that no acknowledgment has been received and specifying a reasonable time by which the acknowledgment must be received; and Article (14)(4)(a)]
    Establish/Maintain Documentation Preventive
    Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418
    [Where the Originator has asked for an acknowledgement but has not stated that the Data Message is conditional on receipt of the acknowledgment within the time specified or agreed, or if no time has been specified or agreed within a reasonable time, the Originator: if the acknowledgement is not received within the time specified in para (a) of this subsection, may treat the Data Message as though it has never been sent, or exercise any other rights it may have Article (14)(4)(b)]
    Establish/Maintain Documentation Preventive
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Business Processes Preventive
    Comply with all implemented policies in the organization's compliance framework. CC ID 06384
    [A Certification Service Provider shall: act in accordance with representations made by it with respect to its policies and practices; Article (21) One:(a)]
    Establish/Maintain Documentation Preventive
    Include continuity plans in the Service Management program. CC ID 13919
    [A Certification Service Provider shall: provide a means for Signatories to give notice that the Signature Creation Device has been compromised and ensure the availability of a timely signature revocation service; Article (21) One:(d)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an Asset Management program. CC ID 06630 Business Processes Preventive
    Assign an information owner to organizational assets, as necessary. CC ID 12729
    [An Electronic Attestation Certificate shall state: that the person identified in the Electronic Attestation Certificate holds, at the relevant time, the Signature Creation Device referred to in the certificate; Article (21) Three:(b)]
    Human Resources Management Preventive
    Establish, implement, and maintain a customer service program. CC ID 00846 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an Incident Management program. CC ID 00853 Business Processes Preventive
    Include intrusion detection procedures in the Incident Management program. CC ID 00588 Establish/Maintain Documentation Preventive
    Contain the incident to prevent further loss and preserve the system for forensic analysis. CC ID 01751 Process or Activity Corrective
    Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 Establish/Maintain Documentation Preventive
    Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674
    [In assessing the evidential weight of Electronic Information, regard shall be given to: the reliability of the source of information, if identifiable; Article (10)(2)(c)
    In assessing the evidential weight of Electronic Information, regard shall be given to: the reliability of the manner in which the Originator was identified; Article (10)(2)(d)]
    Establish/Maintain Documentation Detective
    Provide and display problem management contact information to customers. CC ID 06386
    [A Certification Service Provider shall: provide reasonably accessible means which enable a Relying Party to ascertain: whether means exist for the Signatory to give notice pursuant to this Law; Article (21) One:(c)(6)]
    Establish/Maintain Documentation Corrective
    Establish, implement, and maintain an Incident Response program. CC ID 00579 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a digital forensic evidence framework. CC ID 08652
    [In assessing the evidential weight of Electronic Information, regard shall be given to: any other factor that may be relevant Article (10)(2)(e)]
    Establish/Maintain Documentation Preventive
    Retain collected evidence for potential future legal actions. CC ID 01235 Records Management Preventive
    Protect devices containing digital forensic evidence during transport. CC ID 08687 Investigate Detective
    Protect devices containing digital forensic evidence in sealed containers. CC ID 08685 Investigate Detective
    Establish, implement, and maintain a chain of custody for all devices containing digital forensic evidence. CC ID 08686 Establish/Maintain Documentation Detective
    Define the business scenarios that require digital forensic evidence. CC ID 08653 Establish/Maintain Documentation Preventive
    Define the circumstances for collecting digital forensic evidence. CC ID 08657 Establish/Maintain Documentation Preventive
    Conduct forensic investigations in the event of a security compromise. CC ID 11951 Investigate Corrective
    Contact affected parties to participate in forensic investigations, as necessary. CC ID 12343 Communicate Detective
    Identify potential sources of digital forensic evidence. CC ID 08651
    [{refrain from preventing} In any legal proceedings, nothing in the application of the rules of evidence shall apply so as to prevent the admission of a Data Message or Electronic Signature in evidence: if it is the best evidence that the person adducing it could reasonably be expected to obtain, on the grounds that the message or signature is not original or in its original form Article (10)(1)(b)]
    Investigate Preventive
    Document the legal requirements for evidence collection. CC ID 08654 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a digital forensic evidence collection program. CC ID 08655 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain secure storage and handling of evidence procedures. CC ID 08656 Records Management Preventive
    Prepare digital forensic equipment. CC ID 08688 Investigate Detective
    Use digital forensic equipment suitable to the circumstances. CC ID 08690 Investigate Detective
    Provide relevant user manuals for digital forensic equipment during use. CC ID 08691 Investigate Detective
    Include the hardware configuration and software configuration of the digital forensic equipment in the forensic investigation report. CC ID 08693 Establish/Maintain Documentation Detective
    Test the operation of the digital forensic equipment prior to use. CC ID 08694 Testing Detective
    Maintain digital forensic equipment for proper performance. CC ID 08689 Investigate Detective
    Collect evidence from the incident scene. CC ID 02236 Business Processes Corrective
    Include documentation of the system containing and surrounding digital forensic evidence in the forensic investigation report. CC ID 08679 Establish/Maintain Documentation Detective
    Include the configuration settings of devices associated with digital forensic evidence in the forensic investigation report. CC ID 08676 Establish/Maintain Documentation Detective
    Include the external connections to systems containing digital forensic evidence in the forensic investigation report. CC ID 08680 Establish/Maintain Documentation Detective
    Include the electronic media storage devices containing digital forensic evidence in the forensic investigation report. CC ID 08695 Establish/Maintain Documentation Detective
    Include all system components of systems containing digital forensic evidence in the forensic investigation report. CC ID 08696 Establish/Maintain Documentation Detective
    Refrain from altering the state of compromised systems when collecting digital forensic evidence. CC ID 08671 Investigate Detective
    Follow all applicable laws and principles when collecting digital forensic evidence. CC ID 08672 Investigate Detective
    Remove everyone except interested personnel and affected parties from the proximity of digital forensic evidence. CC ID 08675 Investigate Detective
    Secure devices containing digital forensic evidence. CC ID 08681 Investigate Detective
    Use a write blocker to prevent digital forensic evidence from being modified. CC ID 08692 Investigate Detective
    Capture volatile information from devices containing digital forensic evidence prior to shutdown. CC ID 08684 Investigate Detective
    Create a system image of the device before collecting digital forensic evidence. CC ID 08673 Investigate Detective
    Shut down stand alone devices containing digital forensic evidence. CC ID 08682 Investigate Detective
    Disconnect electronic media storage devices of systems containing digital forensic evidence. CC ID 08697 Investigate Detective
    Place evidence tape over devices containing digital forensic evidence. CC ID 08683 Investigate Detective
    Perform automated processes according to business requirements. CC ID 14325
    [As between the Originator and the Addressee, a Data Message is deemed to be that of the Originator if it was sent: by an Automated Information System programmed by or on behalf of the Originator to operate automatically Article (13)(2)(b)]
    Business Processes Preventive
    Conduct transactions, as necessary. CC ID 14378 Business Processes Preventive
    Implement data content requirements and data condition requirements for all transactions. CC ID 14410 Business Processes Preventive
    Keep code sets open until resolved. CC ID 14409 Business Processes Preventive
    Refrain from using incentives to conduct transactions. CC ID 14408 Business Processes Preventive
    Refrain from charging fees to conduct transactions. CC ID 14415 Business Processes Preventive
    Refrain from rejecting standard transactions. CC ID 14406 Business Processes Preventive
    Refrain from rejecting transactions containing extra data. CC ID 14407 Business Processes Preventive
    Translate standard transactions, as necessary. CC ID 14405 Business Processes Preventive
    Translate nonstandard transactions, as necessary. CC ID 14404 Business Processes Preventive
    Process transactions, as necessary. CC ID 14403 Business Processes Preventive
  • Physical and environmental protection
    8
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Physical and environmental protection CC ID 00709 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a physical security program. CC ID 11757 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an anti-tamper protection program. CC ID 10638 Monitor and Evaluate Occurrences Detective
    Protect assets from tampering or unapproved substitution. CC ID 11902
    [A Certification Service Provider shall: provide reasonably accessible means which enable a Relying Party to ascertain: that the Signature Creation Device is valid and has not been compromised; Article (21) One:(c)(5)]
    Physical and Environmental Protection Preventive
    Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 Physical and Environmental Protection Preventive
    Protect distributed assets against theft. CC ID 06799 Physical and Environmental Protection Preventive
    Establish, implement, and maintain on-site logical controls for all distributed assets. CC ID 11682
    [A Signatory shall: not unlawfully use its Signature Creation Device; Article (19) One:(1)]
    Technical Security Preventive
    Monitor the location of distributed assets. CC ID 11684
    [{disregard} In determining whether an Electronic Attestation Certificate or an Electronic Signature is legally effective, no regard shall be had to the place where the Certificate or the Electronic Signature was issued, nor to the jurisdiction in which the issuer of the Electronic Attestation Certificate or Signature had its place of business Article (23)(1)]
    Monitor and Evaluate Occurrences Detective
  • Privacy protection for information and data
    5
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Privacy protection for information and data CC ID 00008 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 Establish/Maintain Documentation Preventive
    Develop remedies and sanctions for privacy policy violations. CC ID 00474 Data and Information Management Preventive
    Define the organization's liability based on the applicable law. CC ID 00504
    [A Signatory shall bear the legal consequences of its failure to satisfy the requirements of Section One of this Article Article (19) Two:
    {electronic attestation certificate} Where an Electronic Signature is supported by a certificate, the Relying Party in respect of such signature shall bear the legal consequences of its failure to take reasonable and necessary steps to verify the validity and enforceability of the certificate, as to whether it is suspended or revoked, and of observing any limitations with respect to the certificate Article (18)(2)
    {not required} Nothing in this Law shall require any person or employee to use or accept information in Electronic format, but a person's consent to do so may be inferred from his affirmative conduct Article (6)(1)]
    Establish/Maintain Documentation Preventive
    Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 Establish/Maintain Documentation Preventive
  • Records management
    37
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Records management CC ID 00902 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain records management policies. CC ID 00903 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a record classification scheme. CC ID 00914 Establish/Maintain Documentation Preventive
    Establish and maintain Records Management procedures. CC ID 00919 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data accuracy controls. CC ID 00921
    [A Certification Service Provider shall: exercise reasonable care to ensure the accuracy and completeness of all material representations made by it that are relevant to the Electronic Attestation Certificate throughout its life cycle or that are included in the certificate; Article (21) One:(b)
    A Signatory shall: where an Electronic Attestation Certificate is used to support a Signature Creation Device, exercise reasonable care to ensure the accuracy and completeness of all material representations made by the Signatory which are relevant to the Electronic Attestation Certificate throughout its life cycle Article {19) One:(4)]
    Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain data completeness controls. CC ID 11649
    [A Certification Service Provider shall: exercise reasonable care to ensure the accuracy and completeness of all material representations made by it that are relevant to the Electronic Attestation Certificate throughout its life cycle or that are included in the certificate; Article (21) One:(b)
    A Signatory shall: where an Electronic Attestation Certificate is used to support a Signature Creation Device, exercise reasonable care to ensure the accuracy and completeness of all material representations made by the Signatory which are relevant to the Electronic Attestation Certificate throughout its life cycle Article {19) One:(4)]
    Process or Activity Preventive
    Establish, implement, and maintain data processing integrity controls. CC ID 00923
    [Where a rule of law requires a Data Message to be presented or retained in its original form, or provides for certain consequences if not so presented or retained, that requirement is met by a Data Message if: there exists reliable assurance as to the integrity of the information contained in the Data Message from the time when it was first generated in its final form, as an Electronic Document or Record. The criteria for assessing integrity shall be whether the information has remained complete and unaltered, apart from the addition of any endorsement and any change which arises in the normal course of communication, storage and display; and Article (9)(1)]
    Establish Roles Preventive
    Compare each record's data input to its final form. CC ID 11813 Records Management Detective
    Establish, implement, and maintain Automated Data Processing validation checks and editing checks. CC ID 00924 Data and Information Management Preventive
    Establish, implement, and maintain Automated Data Processing error handling procedures. CC ID 00925 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Automated Data Processing error handling reporting. CC ID 11659 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain output distribution procedures. CC ID 00927
    [Where a rule of law requires a Data Message to be presented or retained in its original form, or provides for certain consequences if not so presented or retained, that requirement is met by a Data Message if: if the message allows, when required, the display of the information sought to be presented Article (9)(2)]
    Establish/Maintain Documentation Preventive
    Include printed output in output distribution procedures. CC ID 13477 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain electronic signature requirements. CC ID 06219
    [Absent proof to the contrary, it shall be presumed that a Secure Electronic Signature: is reliable; Article (10)(3)(a)
    Absent proof to the contrary, it shall be presumed that a Secure Electronic Signature: is the signature of the person to whom it correlates; and Article (10)(3)(b)
    {be unique} {electronic signature} A signature shall be treated as a Secure Electronic Signature if, through the application of a prescribed Secure Authentication Procedure or a commercially reasonable Secure Authentication Procedure agreed to by the parties involved, it can be verified that an Electronic Signature was, at the time it was made: unique to the person using it; Article (17)(1)(a)
    Signatures complying with the requirements of laws of another state may be recognized as legally equivalent to signatures under this Law if the laws of the other state require a level of reliability at least equivalent to that required for such signatures under this Law Article (23)(3)]
    Establish/Maintain Documentation Preventive
    Implement a signature revocation service. CC ID 14417
    [A Certification Service Provider shall: provide reasonably accessible means which enable a Relying Party to ascertain: whether a timely signature revocation service is offered; Article (21) One:(c)(7)]
    Business Processes Preventive
    Allow electronic signatures to satisfy requirements for written signatures, as necessary. CC ID 11807
    [Where a rule of law requires a signature on a document, or provides for certain consequences in the absence of a signature, that rule is satisfied if the document contains a reliable Electronic Signature within the meaning of Article (18) of this Law Article (8)(1)
    {is not unenforceable} A contract is not invalid or unenforceable solely by reason that Electronic Communication was used in its formation Article (11)(2)]
    Records Management Preventive
    Allow authorized parties to authenticate electronic records with electronic signatures. CC ID 11964
    [Absent proof to the contrary, it shall be presumed that a Secure Electronic Signature: was affixed by that person with the intention of signing or approving the Data Message attributed to him Article(10)(3)(c)
    Absent contrary statutory provision, a person may use any form of Electronic authentication Article (8)(2)
    Notwithstanding subsections (2) and (3) above: Where parties agree, as between themselves, to the use of certain types of Electronic Signatures or Electronic Attestation Certificates, that agreement shall be recognized as sufficient for the purpose of cross-border recognition between the various jurisdictions of states, unless that agreement would not be valid or effective under applicable law of the UAE Article (23)(6)(b)]
    Technical Security Preventive
    Allow authorized parties to authenticate transactions with electronic signatures. CC ID 11963 Technical Security Preventive
    Define each system's preservation requirements for records and logs. CC ID 00904 Establish/Maintain Documentation Detective
    Establish, implement, and maintain a data retention program. CC ID 00906 Establish/Maintain Documentation Detective
    Maintain continued integrity for all stored data and stored records. CC ID 00969
    [{not be altered} Absent proof to the contrary, it shall be presumed that a Secure Electronic Record: remained unaltered since creation; and Article (10)(4)(a)
    Absent proof to the contrary, it shall be presumed that a Secure Electronic Record: is reliable Article (10)(4)(b)
    If a prescribed Secure Authentication Procedure or a commercially reasonable Secure Authentication Procedure agreed to by the parties involved has been properly applied to an Electronic Record to verify that the Electronic Record has not been altered since a specified point in time, such record shall be treated as a Secure Electronic Record from such specified point in time to the time of verification Article (16)(1)]
    Testing Detective
    Determine how long to keep records and logs before disposing them. CC ID 11661 Process or Activity Preventive
    Retain records in accordance with applicable requirements. CC ID 00968
    [Where the law requires that certain documents, records or information be retained for any reason, that requirement is met by retaining Electronic Records, provided that the following conditions are satisfied: Article (5)(1)
    An obligation to retain documents, records or information in accordance with paragraph (c) of subsection (1) does not extend to any information necessarily or automatically generated solely for the purpose of enabling a message to be sent or received Article (5)(2)]
    Records Management Preventive
    Establish, implement, and maintain records management procedures. CC ID 11619 Establish/Maintain Documentation Preventive
    Maintain electronic records in an equivalent manner as printed records, as necessary. CC ID 11806
    [Where the law requires that certain documents, records or information be retained for any reason, that requirement is met by retaining Electronic Records, provided that the following conditions are satisfied: the Electronic Record is retained in the format in which it was generated, sent or received, or in a format which can be demonstrated to represent accurately the information generated, sent or received; Article (5)(1)(a)
    If a rule of law requires a statement, document, record, transaction or evidence to be in writing or provides for certain consequences if it is not, an Electronic Document or Record satisfies the requirement if the provisions of subsection (1) of Article (5) of this Law are complied with Article (7)]
    Records Management Preventive
    Process restricted information in a secure environment. CC ID 13058 Process or Activity Preventive
    Refrain from creating printed records as copies of electronic records. CC ID 11808 Records Management Preventive
    Capture the records required by organizational compliance requirements. CC ID 00912 Records Management Detective
    Log records as being received into the recordkeeping system. CC ID 11696 Records Management Preventive
    Log the date and time each item is received into the recordkeeping system. CC ID 11709
    [Where the law requires that certain documents, records or information be retained for any reason, that requirement is met by retaining Electronic Records, provided that the following conditions are satisfied: such information, if any, is retained as enables the identification of the origin and destination of the Data Message and the date and time when it was sent or received Article (5)(1)(c)]
    Log Management Preventive
    Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 Establish/Maintain Documentation Preventive
    Establish and maintain access controls for all records. CC ID 00371
    [Where the law requires that certain documents, records or information be retained for any reason, that requirement is met by retaining Electronic Records, provided that the following conditions are satisfied: the information contained therein is accessible so as to be usable for subsequent reference; and Article (5)(1)(b)]
    Records Management Preventive
    Establish, implement, and maintain an e-discovery program. CC ID 00976 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain legal hold procedures for data and records. CC ID 06810
    [In assessing the evidential weight of Electronic Information, regard shall be given to: the reliability of the manner in which the integrity of the information was maintained; Article (10)(2)(b)]
    Records Management Preventive
    Document the evidential weight of the information and the information processing assets. CC ID 00624
    [In assessing the evidential weight of Electronic Information, regard shall be given to: the reliability of the manner in which one or more of the operations of executing, entering, generating, processing, storing, presenting or communicating was performed; Article (10)(2)(a)]
    Establish/Maintain Documentation Preventive
    Tailor the e-discovery search methodology to evolve with e-discovery rules. CC ID 00625 Records Management Preventive
    Use precedent from the context of paper discovery in the context of e-discovery. CC ID 00626
    [{refrain from preventing} In any legal proceedings, nothing in the application of the rules of evidence shall apply so as to prevent the admission of a Data Message or Electronic Signature in evidence: on the grounds that the message or signature is in Electronic format; or Article (10)(1)(a)]
    Records Management Preventive
  • System hardening through configuration management
    4
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    System hardening through configuration management CC ID 00860 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain system hardening procedures. CC ID 12001 Establish/Maintain Documentation Preventive
    Disable or configure the e-mail server, as necessary. CC ID 06563 Configuration Preventive
    Configure e-mail servers to enable receiver-side verification. CC ID 12223
    [Where the Originator receives the Addressee's acknowledgment of receipt, it is presumed, unless evidence to the contrary is adduced, that the related Data Message was received by the Addressee, but that presumption does not imply that the content of the Data Message sent by the Originator corresponds to the content of the message received from the Addressee Article (14)(5)]
    Configuration Preventive
  • Technical security
    83
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Technical security CC ID 00508 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a digital identity management program. CC ID 13713 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain digital identification procedures. CC ID 13714 Establish/Maintain Documentation Preventive
    Implement digital identification processes. CC ID 13731 Process or Activity Preventive
    Implement identity proofing processes. CC ID 13719 Process or Activity Preventive
    Allow authorized representatives to act on behalf of the data subject during the identity proofing process. CC ID 13787
    [As between the Originator and the Addressee, a Data Message is deemed to be that of the Originator if it was sent: by a person who had the authority to act on behalf of the Originator in respect of the Data Message; Article (13)(2)(a)]
    Process or Activity Preventive
    Implement federated identity systems, as necessary. CC ID 13837 Technical Security Preventive
    Authenticate all systems in a federated identity system. CC ID 13835 Technical Security Preventive
    Send and receive authentication assertions, as necessary. CC ID 13839
    [A person may rely on an Electronic Signature or Electronic Attestation Certificate to the extent that such reliance rm_secondary-verb">is reasonable Article (18)(1)
    Where the Originator has not agreed with the Addressee that the acknowledgement be given in a particular form or by a particular method, an acknowledgement may be given by: any conduct of the addressee, sufficient to y-verb">or:#B7D8ED;" class="term_primary-verb">indicate to the Originator that the pan style="background-color:#F0BBBC;" class="term_primary-noun">Data Message has been received Article (14)(2)(b)]
    Technical Security Preventive
    Make the assertion reference for authentication assertions single-use. CC ID 13843 Technical Security Preventive
    Validate the issuer in the authentication assertion. CC ID 13878
    [A Certification Service Provider shall: provide reasonably accessible means which enable a Relying Party to ascertain: the identity of the olor:#F0BBBC;" class="term_primary-noun">Certification Service Provider; Article (21) One:(c)(1)]
    Technical Security Detective
    Limit the lifetime of the assertion reference. CC ID 13874 Technical Security Preventive
    Refrain from using authentication assertions that have expired. CC ID 13872 Technical Security Preventive
    Include the issuer identifier in the authentication assertion. CC ID 13865 Technical Security Preventive
    Include attribute metadata in the authentication assertion. CC ID 13856 Technical Security Preventive
    Include the authentication time in the authentication assertion. CC ID 13855 Technical Security Preventive
    Validate each element within the authentication assertion. CC ID 13853
    [{electronic attestation certificate} In determining whether it was reasonable for a person to have relied on an Electronic Signature or Certificate, regard shall be had, if appropriate, to the nature of the underlying transaction that Electronic Signature was intended to support; Article (18)(3)(a)
    Where the acknowledgment received by the Originator states that the related Data Message met technical requirements, either agreed upon or set forth in applicable standards, it is mary-verb">presumed, unless evidence to the contrary is adduced, that those requirements have been term_secondary-verb">#B7D8ED;" class="term_primary-verb">met Article (14)(6)
    Where the Originator has not agreed with the Addressee that the acknowledgement be given in a particular form or by a particular method, an acknowledgement may be given byy-verb">: any n style="background-color:#F0BBBC;" class="term_primary-noun">communication by the n style="background-color:#F0BBBC;" class="term_primary-noun">Addressee, electronic, automated or otherwise; or Article (14)(2)(a)]
    Technical Security Preventive
    Validate the timestamp in the authentication assertion. CC ID 13875
    [An Electronic Attestation Certificate shall state: that the Signature Creation Device was effective at or before the date when the certificate was issued; Article (21) Three:(c)]
    Technical Security Detective
    Validate the digital signature in the authentication assertion. CC ID 13869
    [{electronic attestation certificate} In determining whether it was reasonable for a person to have relied on an Electronic Signature or Certificate, regard shall be had, if appropriate, to whether the Relying Party in respect of the Electronic Signature or the Electronic Attestation Certificate had taken appropriate steps to determine the reliability of the Electronic Signature or the Electronic Attestation Certificate; Article (18)(3)(c)
    {electronic signature} A signature shall be treated as a Secure Electronic Signature if, through the application of a prescribed Secure Authentication Procedure or a commercially reasonable Secure Authentication Procedure agreed to by the parties involved, it can be verified that an Electronic Signature was, at the time it was made: linked to the Electronic Record to which it relates in a manner which provides reliable n">assurance as to the <span style="background-color:#F0BBBC;" class="term_primary-noun">integrity of the signature such that if the record was changed the Electronic Signature would be d-color:#CBD0E5;" class="term_secondary-verb">invalidated Article (17)(1)(d)
    {electronic signature} A signature shall be treated as a Secure Electronic Signature if, through the application of a prescribed Secure Authentication Procedure or a commercially reasonable Secure Authentication Procedure agreed to by the parties involved, it can be verified that an Electronic Signature was, at the time it was made: was, at the time of signing, under the sole 7D8ED;" class="term_primary-verb">control of the Signatory in terms of the creation data and the means used; and Article (17)(1)(c)
    {electronic signature} A signature shall be treated as a Secure Electronic Signature if, through the application of a prescribed Secure Authentication Procedure or a commercially reasonable Secure Authentication Procedure agreed to by the parties involved, it can be verified that an Electronic Signature was, at the time it was made: capable of >identifying such person; Article (17)(1)(b)]
    Technical Security Detective
    Validate the signature validation element in the authentication assertion. CC ID 13867
    [{electronic attestation certificate} In determining whether it was reasonable for a person to have relied on an Electronic Signature or Certificate, regard shall be had, if appropriate, to whether the Relying Party in respect of the Electronic Signature had taken appropriate steps to ascertain whether the Electronic Signature was supported or was reasonably expected to have been supported by an Electronic Attestation Certificate; Article (18)(3)(d)
    {electronic attestation certificate} In determining whether it was reasonable for a person to have relied on an Electronic Signature or Certificate, regard shall be had, if appropriate, to whether the Relying Party in respect of the Electronic Signature or the Electronic Attestation Certificate knew or ought to have known that the Electronic Signature or the Electronic Attestation Certificate had been compromised or revoked; Article (18)(3)(e)]
    Technical Security Detective
    Validate the audience restriction element in the authentication assertion. CC ID 13866 Technical Security Detective
    Include the subject in the authentication assertion. CC ID 13852 Technical Security Preventive
    Include the target audience in the authentication assertion. CC ID 13851 Technical Security Preventive
    Include audience restrictions in the authentication assertion. CC ID 13870 Technical Security Preventive
    Include the issue date in the authentication assertion. CC ID 13850 Technical Security Preventive
    Include the expiration date in the authentication assertion. CC ID 13849 Technical Security Preventive
    Include identifiers in the authentication assertion. CC ID 13848 Technical Security Preventive
    Include digital signatures in the authentication assertion. CC ID 13847 Technical Security Preventive
    Include key binding in the authentication assertion. CC ID 13846
    [A Certification Service Provider shall: provide reasonably accessible means which enable a Relying Party to ascertain: that the person identified in the Electronic Attestation Certificate rm_primary-verb">holds, at the relevant time, the Signature Creation Device referred to in the certificate; Article (21) One:(c)(2)]
    Technical Security Preventive
    Include attribute references in the authentication assertion. CC ID 13845
    [{electronic attestation certificate} In determining whether it was reasonable for a person to have relied on an Electronic Signature or Certificate, regard shall be had, if appropriate, to any agreement or course of dealing which the Originator has with the Relying Party in respect of the Electronic Signature or the Electronic Attestation Certificate, or any trade usage or practice which may be applicable; Article (18)(3)(f)
    {electronic attestation certificate} In determining whether it was reasonable for a person to have relied on an Electronic Signature or Certificate, regard shall be had, if appropriate, to any other relevant factor Article (18)(3)(g)]
    Technical Security Preventive
    Include attribute values in the authentication assertion. CC ID 13844
    [{electronic attestation certificate} In determining whether it was reasonable for a person to have relied on an Electronic Signature or Certificate, regard shall be had, if appropriate, to the value or importance of the underlying transaction, if this known to the party relying on the Electronic Signature; Article (18)(3)(b)]
    Technical Security Preventive
    Establish, implement, and maintain an access control program. CC ID 11702 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an access rights management plan. CC ID 00513 Establish/Maintain Documentation Preventive
    Control access rights to organizational assets. CC ID 00004
    [A Signatory shall: exercise reasonable care to avoid the unauthorized use of its Signature Creation Device; Article (19) One:(2)]
    Technical Security Preventive
    Add all devices requiring access control to the Access Control List. CC ID 06264 Establish/Maintain Documentation Preventive
    Generate but refrain from storing passwords or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835 Technical Security Preventive
    Disallow application IDs from running as privileged users. CC ID 10050 Configuration Detective
    Define roles for information systems. CC ID 12454 Human Resources Management Preventive
    Define access needs for each role assigned to an information system. CC ID 12455 Human Resources Management Preventive
    Define access needs for each system component of an information system. CC ID 12456 Technical Security Preventive
    Define the level of privilege required for each system component of an information system. CC ID 12457 Technical Security Preventive
    Establish access rights based on least privilege. CC ID 01411 Technical Security Preventive
    Assign user permissions based on job responsibilities. CC ID 00538 Technical Security Preventive
    Assign user privileges after they have management sign off. CC ID 00542 Technical Security Preventive
    Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 Configuration Preventive
    Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 Technical Security Preventive
    Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 Configuration Preventive
    Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 Communicate Corrective
    Disallow unlocking user accounts absent system administrator approval. CC ID 01413 Technical Security Preventive
    Establish, implement, and maintain session lock capabilities. CC ID 01417 Configuration Preventive
    Limit concurrent sessions according to account type. CC ID 01416 Configuration Preventive
    Establish session authenticity through Transport Layer Security. CC ID 01627 Technical Security Preventive
    Configure the "tlsverify" argument to organizational standards. CC ID 14460 Configuration Preventive
    Configure the "tlscacert" argument to organizational standards. CC ID 14521 Configuration Preventive
    Configure the "tlscert" argument to organizational standards. CC ID 14520 Configuration Preventive
    Configure the "tlskey" argument to organizational standards. CC ID 14519 Configuration Preventive
    Enable access control for objects and users on each system. CC ID 04553 Configuration Preventive
    Include all system components in the access control system. CC ID 11939 Technical Security Preventive
    Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 Process or Activity Preventive
    Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 Technical Security Preventive
    Enable role-based access control for objects and users on information systems. CC ID 12458 Technical Security Preventive
    Include the objects and users subject to access control in the security policy. CC ID 11836 Establish/Maintain Documentation Preventive
    Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 Establish Roles Preventive
    Enforce access restrictions for change control. CC ID 01428 Technical Security Preventive
    Enforce access restrictions for restricted data. CC ID 01921 Data and Information Management Preventive
    Permit a limited set of user actions absent identification and authentication. CC ID 04849 Technical Security Preventive
    Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455 Testing Detective
    Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262 Technical Security Preventive
    Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 Establish/Maintain Documentation Preventive
    Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 Establish/Maintain Documentation Preventive
    Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770 Technical Security Preventive
    Display previous logon information in the logon banner. CC ID 01415 Configuration Preventive
    Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771 Establish/Maintain Documentation Preventive
    Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964 Technical Security Preventive
    Establish, implement, and maintain a system and information integrity policy. CC ID 14034 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain system and information integrity procedures. CC ID 14051
    [A Certification Service Provider shall: utilize trustworthy systems, procedures and human resources in performing its services; Article (21) One:(e)]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the system and information integrity procedures to interested personnel and affected parties. CC ID 14142 Communicate Preventive
    Manage the use of encryption controls and cryptographic controls. CC ID 00570 Technical Security Preventive
    Establish, implement, and maintain digital signatures. CC ID 13828 Data and Information Management Preventive
    Include the issuer in digital signatures. CC ID 13831
    [A Certification Service Provider shall: provide reasonably accessible means which enable a Relying Party to ascertain: the method used to identify the Signatory; Article (21) One:(c)(3)
    An Electronic Attestation Certificate shall state: the identity of the Certification Service Provider; Article (21) Three:(a)]
    Data and Information Management Preventive
    Use strong data encryption to transmit restricted data or restricted information over public networks. CC ID 00564 Technical Security Preventive
    Implement non-repudiation for transactions. CC ID 00567 Testing Detective
    Treat data messages that do not receive an acknowledgment as never been sent. CC ID 14416
    [Where the Originator has stated that the Data Message is conditional on receipt of the acknowledgment, the Data Message is treated as though it had never been sent until the acknowledgment is received Article (14)(3)]
    Technical Security Preventive
  • Third Party and supply chain oversight
    15
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Third Party and supply chain oversight CC ID 08807 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a supply chain management program. CC ID 11742 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796
    [For the purpose of contracting, an offer or the acceptance of an offer may be expressed, in whole or in part, by Electronic Communication Article (11)(1)
    A contract may be formed by the interaction of Automated Electronic Agents that include two or more Electronic Information Systems preset and preprogrammed to carry out these tasks. Such contract would be valid and enforceable even if no individual was directly involved in the conclusion of the contract within such systems Article (12)(1)
    A contract may be formed between an Automated Electronic Information System in the possession of a natural or legal person and another natural person, where the latter knows or has reason to know that the such a system will automatically conclude or perform the contract Article (12)(2)]
    Establish/Maintain Documentation Preventive
    Review and update all contracts, as necessary. CC ID 11612 Establish/Maintain Documentation Preventive
    Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 Process or Activity Detective
    Include an indemnification and liability clause in third party contracts. CC ID 06517
    [An Electronic Attestation Certificate shall state: any limitation on the scope or extent of liability which the Certification Service Provider accepts to any person Article (21) Three:(e)]
    Establish/Maintain Documentation Preventive
    Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 Testing Detective
    Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087
    [Electronic Attestation Certificates issued by a foreign Certification Service Provider are recognized as legally equivalent to Certificates issued by Certification Service Providers operating under this Law, if the practices of the foreign Certification Service Provider provide a level of reliability at least equivalent to that required of Certification Service Providers operating in accordance with this Law, as provided under Article (21), and taking into consideration recognized international standards Article (23)(2)]
    Testing Detective
    Establish, implement, and maintain a supply chain management policy. CC ID 08808 Establish/Maintain Documentation Preventive
    Use third parties that are compliant with the applicable requirements. CC ID 08818
    [{retain} {electronic records} A person may satisfy the requirement referred to in subsection (1) by using the services of any other person, if the conditions in that subsection are complied with Article (5)(3)]
    Business Processes Preventive
    Conduct all parts of the supply chain due diligence process. CC ID 08854 Business Processes Preventive
    Assess third parties' compliance environment during due diligence. CC ID 13134 Process or Activity Detective
    Request attestation of compliance from third parties. CC ID 12067 Establish/Maintain Documentation Detective
    Require individual attestations of compliance from each location a third party operates in. CC ID 12228
    [Notwithstanding subsections (2) and (3) above: Parties to commercial and other transactions may specify that a particular Certification Service Provider, class of Certification Service Providers or class of certificates must be used in connection with Data Messages or signatures submitted to them Article (23)(6)(a)]
    Business Processes Preventive
    Validate the third parties' compliance to organizationally mandated compliance requirements. CC ID 08819
    [A Certification Service Provider shall: be licensed by the Certification Services Controller if operating in the UAE Article (21) One:(f)]
    Business Processes Preventive
Common Controls and
mandates by Type
55 Mandated Controls - bold    
65 Implied Controls - italic     119 Implementation

Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.

Number of Controls
239 Total
  • Business Processes
    20
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Operational management Preventive
    Establish, implement, and maintain an Asset Management program. CC ID 06630 Operational management Preventive
    Establish, implement, and maintain an Incident Management program. CC ID 00853 Operational management Preventive
    Collect evidence from the incident scene. CC ID 02236 Operational management Corrective
    Perform automated processes according to business requirements. CC ID 14325
    [As between the Originator and the Addressee, a Data Message is deemed to be that of the Originator if it was sent: by an Automated Information System programmed by or on behalf of the Originator to operate automatically Article (13)(2)(b)]
    Operational management Preventive
    Conduct transactions, as necessary. CC ID 14378 Operational management Preventive
    Implement data content requirements and data condition requirements for all transactions. CC ID 14410 Operational management Preventive
    Keep code sets open until resolved. CC ID 14409 Operational management Preventive
    Refrain from using incentives to conduct transactions. CC ID 14408 Operational management Preventive
    Refrain from charging fees to conduct transactions. CC ID 14415 Operational management Preventive
    Refrain from rejecting standard transactions. CC ID 14406 Operational management Preventive
    Refrain from rejecting transactions containing extra data. CC ID 14407 Operational management Preventive
    Translate standard transactions, as necessary. CC ID 14405 Operational management Preventive
    Translate nonstandard transactions, as necessary. CC ID 14404 Operational management Preventive
    Process transactions, as necessary. CC ID 14403 Operational management Preventive
    Implement a signature revocation service. CC ID 14417
    [A Certification Service Provider shall: provide reasonably accessible means which enable a Relying Party to ascertain: whether a timely signature revocation service is offered; Article (21) One:(c)(7)]
    Records management Preventive
    Use third parties that are compliant with the applicable requirements. CC ID 08818
    [{retain} {electronic records} A person may satisfy the requirement referred to in subsection (1) by using the services of any other person, if the conditions in that subsection are complied with Article (5)(3)]
    Third Party and supply chain oversight Preventive
    Conduct all parts of the supply chain due diligence process. CC ID 08854 Third Party and supply chain oversight Preventive
    Require individual attestations of compliance from each location a third party operates in. CC ID 12228
    [Notwithstanding subsections (2) and (3) above: Parties to commercial and other transactions may specify that a particular Certification Service Provider, class of Certification Service Providers or class of certificates must be used in connection with Data Messages or signatures submitted to them Article (23)(6)(a)]
    Third Party and supply chain oversight Preventive
    Validate the third parties' compliance to organizationally mandated compliance requirements. CC ID 08819
    [A Certification Service Provider shall: be licensed by the Certification Services Controller if operating in the UAE Article (21) One:(f)]
    Third Party and supply chain oversight Preventive
  • Communicate
    3
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 Technical security Corrective
    Disseminate and communicate the system and information integrity procedures to interested personnel and affected parties. CC ID 14142 Technical security Preventive
    Contact affected parties to participate in forensic investigations, as necessary. CC ID 12343 Operational management Detective
  • Configuration
    13
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Disallow application IDs from running as privileged users. CC ID 10050 Technical security Detective
    Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 Technical security Preventive
    Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 Technical security Preventive
    Establish, implement, and maintain session lock capabilities. CC ID 01417 Technical security Preventive
    Limit concurrent sessions according to account type. CC ID 01416 Technical security Preventive
    Configure the "tlsverify" argument to organizational standards. CC ID 14460 Technical security Preventive
    Configure the "tlscacert" argument to organizational standards. CC ID 14521 Technical security Preventive
    Configure the "tlscert" argument to organizational standards. CC ID 14520 Technical security Preventive
    Configure the "tlskey" argument to organizational standards. CC ID 14519 Technical security Preventive
    Enable access control for objects and users on each system. CC ID 04553 Technical security Preventive
    Display previous logon information in the logon banner. CC ID 01415 Technical security Preventive
    Disable or configure the e-mail server, as necessary. CC ID 06563 System hardening through configuration management Preventive
    Configure e-mail servers to enable receiver-side verification. CC ID 12223
    [Where the Originator receives the Addressee's acknowledgment of receipt, it is presumed, unless evidence to the contrary is adduced, that the related Data Message was received by the Addressee, but that presumption does not imply that the content of the Data Message sent by the Originator corresponds to the content of the message received from the Addressee Article (14)(5)]
    System hardening through configuration management Preventive
  • Data and Information Management
    7
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Enforce access restrictions for restricted data. CC ID 01921 Technical security Preventive
    Establish, implement, and maintain digital signatures. CC ID 13828 Technical security Preventive
    Include the issuer in digital signatures. CC ID 13831
    [A Certification Service Provider shall: provide reasonably accessible means which enable a Relying Party to ascertain: the method used to identify the Signatory; Article (21) One:(c)(3)
    An Electronic Attestation Certificate shall state: the identity of the Certification Service Provider; Article (21) Three:(a)]
    Technical security Preventive
    Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 Operational management Preventive
    Identify the sender in all electronic messages. CC ID 13996
    [Where the law requires that certain documents, records or information be retained for any reason, that requirement is met by retaining Electronic Records, provided that the following conditions are satisfied: such information, if any, is retained as enables the identification of the origin and destination of the Data Message and the date and time when it was sent or received Article (5)(1)(c)]
    Operational management Preventive
    Establish, implement, and maintain Automated Data Processing validation checks and editing checks. CC ID 00924 Records management Preventive
    Develop remedies and sanctions for privacy policy violations. CC ID 00474 Privacy protection for information and data Preventive
  • Establish Roles
    2
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 Technical security Preventive
    Establish, implement, and maintain data processing integrity controls. CC ID 00923
    [Where a rule of law requires a Data Message to be presented or retained in its original form, or provides for certain consequences if not so presented or retained, that requirement is met by a Data Message if: there exists reliable assurance as to the integrity of the information contained in the Data Message from the time when it was first generated in its final form, as an Electronic Document or Record. The criteria for assessing integrity shall be whether the information has remained complete and unaltered, apart from the addition of any endorsement and any change which arises in the normal course of communication, storage and display; and Article (9)(1)]
    Records management Preventive
  • Establish/Maintain Documentation
    73
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Establish, implement, and maintain communication protocols. CC ID 12245 Leadership and high level objectives Preventive
    Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406
    [A Signatory shall: without undue delay, notify concerned persons if: the Signatory becomes aware that the security of its Signature Creation Device has been compromised; Article (19) One:(3)(a)
    A Signatory shall: without undue delay, notify concerned persons if: the circumstances known to the Signatory give rise to a substantial risk that the security of the Signature Creation Device may have been compromised; and Article (19) One:(3)(b)]
    Leadership and high level objectives Preventive
    Establish, implement, and maintain a digital identity management program. CC ID 13713 Technical security Preventive
    Establish, implement, and maintain digital identification procedures. CC ID 13714 Technical security Preventive
    Establish, implement, and maintain an access control program. CC ID 11702 Technical security Preventive
    Establish, implement, and maintain an access rights management plan. CC ID 00513 Technical security Preventive
    Add all devices requiring access control to the Access Control List. CC ID 06264 Technical security Preventive
    Include the objects and users subject to access control in the security policy. CC ID 11836 Technical security Preventive
    Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 Technical security Preventive
    Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 Technical security Preventive
    Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771 Technical security Preventive
    Establish, implement, and maintain a system and information integrity policy. CC ID 14034 Technical security Preventive
    Establish, implement, and maintain system and information integrity procedures. CC ID 14051
    [A Certification Service Provider shall: utilize trustworthy systems, procedures and human resources in performing its services; Article (21) One:(e)]
    Technical security Preventive
    Establish, implement, and maintain a physical security program. CC ID 11757 Physical and environmental protection Preventive
    Establish, implement, and maintain a business continuity program. CC ID 13210 Operational and Systems Continuity Preventive
    Establish, implement, and maintain system continuity plan strategies. CC ID 00735 Operational and Systems Continuity Preventive
    Establish, implement, and maintain a critical resource list. CC ID 00740 Operational and Systems Continuity Detective
    Define and maintain continuity Service Level Agreements for all critical resources. CC ID 00741
    [A Certification Service Provider shall: provide a means for Signatories to give notice that the Signature Creation Device has been compromised and ensure the availability of a timely signature revocation service; Article (21) One:(d)]
    Operational and Systems Continuity Preventive
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Operational management Preventive
    Establish, implement, and maintain an information security program. CC ID 00812 Operational management Preventive
    Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 Operational management Preventive
    Include asset use policies in the Acceptable Use Policy. CC ID 01355
    [A Certification Service Provider shall: provide reasonably accessible means which enable a Relying Party to ascertain: any limitation on the purpose or value for which the Signature Creation Device may be used; Article (21) One:(c)(4)
    An Electronic Attestation Certificate shall state: any limitations on the purposes or value for which the Signature Creation Device or the Electronic Attestation Certificate may be used; Article (21) Three:(d)]
    Operational management Preventive
    Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 Operational management Preventive
    Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 Operational management Preventive
    Include prohibiting, copying, or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 Operational management Preventive
    Establish, implement, and maintain an e-mail policy. CC ID 06439 Operational management Preventive
    Establish, implement, and maintain a use of information agreement. CC ID 06215 Operational management Preventive
    Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130
    [{not been received} Where the Originator has asked for an acknowledgement but has not stated that the Data Message is conditional on receipt of the acknowledgment within the time specified or agreed, or if no time has been specified or agreed within a reasonable time, the Originator: may give notice to the Addressee stating that no acknowledgment has been received and specifying a reasonable time by which the acknowledgment must be received; and Article (14)(4)(a)]
    Operational management Preventive
    Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418
    [Where the Originator has asked for an acknowledgement but has not stated that the Data Message is conditional on receipt of the acknowledgment within the time specified or agreed, or if no time has been specified or agreed within a reasonable time, the Originator: if the acknowledgement is not received within the time specified in para (a) of this subsection, may treat the Data Message as though it has never been sent, or exercise any other rights it may have Article (14)(4)(b)]
    Operational management Preventive
    Comply with all implemented policies in the organization's compliance framework. CC ID 06384
    [A Certification Service Provider shall: act in accordance with representations made by it with respect to its policies and practices; Article (21) One:(a)]
    Operational management Preventive
    Include continuity plans in the Service Management program. CC ID 13919
    [A Certification Service Provider shall: provide a means for Signatories to give notice that the Signature Creation Device has been compromised and ensure the availability of a timely signature revocation service; Article (21) One:(d)]
    Operational management Preventive
    Establish, implement, and maintain a customer service program. CC ID 00846 Operational management Preventive
    Include intrusion detection procedures in the Incident Management program. CC ID 00588 Operational management Preventive
    Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 Operational management Preventive
    Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674
    [In assessing the evidential weight of Electronic Information, regard shall be given to: the reliability of the source of information, if identifiable; Article (10)(2)(c)
    In assessing the evidential weight of Electronic Information, regard shall be given to: the reliability of the manner in which the Originator was identified; Article (10)(2)(d)]
    Operational management Detective
    Provide and display problem management contact information to customers. CC ID 06386
    [A Certification Service Provider shall: provide reasonably accessible means which enable a Relying Party to ascertain: whether means exist for the Signatory to give notice pursuant to this Law; Article (21) One:(c)(6)]
    Operational management Corrective
    Establish, implement, and maintain an Incident Response program. CC ID 00579 Operational management Preventive
    Establish, implement, and maintain a digital forensic evidence framework. CC ID 08652
    [In assessing the evidential weight of Electronic Information, regard shall be given to: any other factor that may be relevant Article (10)(2)(e)]
    Operational management Preventive
    Establish, implement, and maintain a chain of custody for all devices containing digital forensic evidence. CC ID 08686 Operational management Detective
    Define the business scenarios that require digital forensic evidence. CC ID 08653 Operational management Preventive
    Define the circumstances for collecting digital forensic evidence. CC ID 08657 Operational management Preventive
    Document the legal requirements for evidence collection. CC ID 08654 Operational management Preventive
    Establish, implement, and maintain a digital forensic evidence collection program. CC ID 08655 Operational management Preventive
    Include the hardware configuration and software configuration of the digital forensic equipment in the forensic investigation report. CC ID 08693 Operational management Detective
    Include documentation of the system containing and surrounding digital forensic evidence in the forensic investigation report. CC ID 08679 Operational management Detective
    Include the configuration settings of devices associated with digital forensic evidence in the forensic investigation report. CC ID 08676 Operational management Detective
    Include the external connections to systems containing digital forensic evidence in the forensic investigation report. CC ID 08680 Operational management Detective
    Include the electronic media storage devices containing digital forensic evidence in the forensic investigation report. CC ID 08695 Operational management Detective
    Include all system components of systems containing digital forensic evidence in the forensic investigation report. CC ID 08696 Operational management Detective
    Establish, implement, and maintain system hardening procedures. CC ID 12001 System hardening through configuration management Preventive
    Establish, implement, and maintain records management policies. CC ID 00903 Records management Preventive
    Establish, implement, and maintain a record classification scheme. CC ID 00914 Records management Preventive
    Establish and maintain Records Management procedures. CC ID 00919 Records management Preventive
    Establish, implement, and maintain Automated Data Processing error handling procedures. CC ID 00925 Records management Preventive
    Establish, implement, and maintain Automated Data Processing error handling reporting. CC ID 11659 Records management Preventive
    Establish, implement, and maintain output distribution procedures. CC ID 00927
    [Where a rule of law requires a Data Message to be presented or retained in its original form, or provides for certain consequences if not so presented or retained, that requirement is met by a Data Message if: if the message allows, when required, the display of the information sought to be presented Article (9)(2)]
    Records management Preventive
    Include printed output in output distribution procedures. CC ID 13477 Records management Preventive
    Establish, implement, and maintain electronic signature requirements. CC ID 06219
    [Absent proof to the contrary, it shall be presumed that a Secure Electronic Signature: is reliable; Article (10)(3)(a)
    Absent proof to the contrary, it shall be presumed that a Secure Electronic Signature: is the signature of the person to whom it correlates; and Article (10)(3)(b)
    {be unique} {electronic signature} A signature shall be treated as a Secure Electronic Signature if, through the application of a prescribed Secure Authentication Procedure or a commercially reasonable Secure Authentication Procedure agreed to by the parties involved, it can be verified that an Electronic Signature was, at the time it was made: unique to the person using it; Article (17)(1)(a)
    Signatures complying with the requirements of laws of another state may be recognized as legally equivalent to signatures under this Law if the laws of the other state require a level of reliability at least equivalent to that required for such signatures under this Law Article (23)(3)]
    Records management Preventive
    Define each system's preservation requirements for records and logs. CC ID 00904 Records management Detective
    Establish, implement, and maintain a data retention program. CC ID 00906 Records management Detective
    Establish, implement, and maintain records management procedures. CC ID 11619 Records management Preventive
    Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 Records management Preventive
    Establish, implement, and maintain an e-discovery program. CC ID 00976 Records management Preventive
    Document the evidential weight of the information and the information processing assets. CC ID 00624
    [In assessing the evidential weight of Electronic Information, regard shall be given to: the reliability of the manner in which one or more of the operations of executing, entering, generating, processing, storing, presenting or communicating was performed; Article (10)(2)(a)]
    Records management Preventive
    Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 Privacy protection for information and data Preventive
    Define the organization's liability based on the applicable law. CC ID 00504
    [A Signatory shall bear the legal consequences of its failure to satisfy the requirements of Section One of this Article Article (19) Two:
    {electronic attestation certificate} Where an Electronic Signature is supported by a certificate, the Relying Party in respect of such signature shall bear the legal consequences of its failure to take reasonable and necessary steps to verify the validity and enforceability of the certificate, as to whether it is suspended or revoked, and of observing any limitations with respect to the certificate Article (18)(2)
    {not required} Nothing in this Law shall require any person or employee to use or accept information in Electronic format, but a person's consent to do so may be inferred from his affirmative conduct Article (6)(1)]
    Privacy protection for information and data Preventive
    Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 Privacy protection for information and data Preventive
    Establish, implement, and maintain a supply chain management program. CC ID 11742 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796
    [For the purpose of contracting, an offer or the acceptance of an offer may be expressed, in whole or in part, by Electronic Communication Article (11)(1)
    A contract may be formed by the interaction of Automated Electronic Agents that include two or more Electronic Information Systems preset and preprogrammed to carry out these tasks. Such contract would be valid and enforceable even if no individual was directly involved in the conclusion of the contract within such systems Article (12)(1)
    A contract may be formed between an Automated Electronic Information System in the possession of a natural or legal person and another natural person, where the latter knows or has reason to know that the such a system will automatically conclude or perform the contract Article (12)(2)]
    Third Party and supply chain oversight Preventive
    Review and update all contracts, as necessary. CC ID 11612 Third Party and supply chain oversight Preventive
    Include an indemnification and liability clause in third party contracts. CC ID 06517
    [An Electronic Attestation Certificate shall state: any limitation on the scope or extent of liability which the Certification Service Provider accepts to any person Article (21) Three:(e)]
    Third Party and supply chain oversight Preventive
    Establish, implement, and maintain a supply chain management policy. CC ID 08808 Third Party and supply chain oversight Preventive
    Request attestation of compliance from third parties. CC ID 12067 Third Party and supply chain oversight Detective
  • Human Resources Management
    3
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Define roles for information systems. CC ID 12454 Technical security Preventive
    Define access needs for each role assigned to an information system. CC ID 12455 Technical security Preventive
    Assign an information owner to organizational assets, as necessary. CC ID 12729
    [An Electronic Attestation Certificate shall state: that the person identified in the Electronic Attestation Certificate holds, at the relevant time, the Signature Creation Device referred to in the certificate; Article (21) Three:(b)]
    Operational management Preventive
  • IT Impact Zone
    9
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Leadership and high level objectives CC ID 00597 Leadership and high level objectives IT Impact Zone
    Technical security CC ID 00508 Technical security IT Impact Zone
    Physical and environmental protection CC ID 00709 Physical and environmental protection IT Impact Zone
    Operational and Systems Continuity CC ID 00731 Operational and Systems Continuity IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    System hardening through configuration management CC ID 00860 System hardening through configuration management IT Impact Zone
    Records management CC ID 00902 Records management IT Impact Zone
    Privacy protection for information and data CC ID 00008 Privacy protection for information and data IT Impact Zone
    Third Party and supply chain oversight CC ID 08807 Third Party and supply chain oversight IT Impact Zone
  • Investigate
    18
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Protect devices containing digital forensic evidence during transport. CC ID 08687 Operational management Detective
    Protect devices containing digital forensic evidence in sealed containers. CC ID 08685 Operational management Detective
    Conduct forensic investigations in the event of a security compromise. CC ID 11951 Operational management Corrective
    Identify potential sources of digital forensic evidence. CC ID 08651
    [{refrain from preventing} In any legal proceedings, nothing in the application of the rules of evidence shall apply so as to prevent the admission of a Data Message or Electronic Signature in evidence: if it is the best evidence that the person adducing it could reasonably be expected to obtain, on the grounds that the message or signature is not original or in its original form Article (10)(1)(b)]
    Operational management Preventive
    Prepare digital forensic equipment. CC ID 08688 Operational management Detective
    Use digital forensic equipment suitable to the circumstances. CC ID 08690 Operational management Detective
    Provide relevant user manuals for digital forensic equipment during use. CC ID 08691 Operational management Detective
    Maintain digital forensic equipment for proper performance. CC ID 08689 Operational management Detective
    Refrain from altering the state of compromised systems when collecting digital forensic evidence. CC ID 08671 Operational management Detective
    Follow all applicable laws and principles when collecting digital forensic evidence. CC ID 08672 Operational management Detective
    Remove everyone except interested personnel and affected parties from the proximity of digital forensic evidence. CC ID 08675 Operational management Detective
    Secure devices containing digital forensic evidence. CC ID 08681 Operational management Detective
    Use a write blocker to prevent digital forensic evidence from being modified. CC ID 08692 Operational management Detective
    Capture volatile information from devices containing digital forensic evidence prior to shutdown. CC ID 08684 Operational management Detective
    Create a system image of the device before collecting digital forensic evidence. CC ID 08673 Operational management Detective
    Shut down stand alone devices containing digital forensic evidence. CC ID 08682 Operational management Detective
    Disconnect electronic media storage devices of systems containing digital forensic evidence. CC ID 08697 Operational management Detective
    Place evidence tape over devices containing digital forensic evidence. CC ID 08683 Operational management Detective
  • Log Management
    1
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Log the date and time each item is received into the recordkeeping system. CC ID 11709
    [Where the law requires that certain documents, records or information be retained for any reason, that requirement is met by retaining Electronic Records, provided that the following conditions are satisfied: such information, if any, is retained as enables the identification of the origin and destination of the Data Message and the date and time when it was sent or received Article (5)(1)(c)]
    Records management Preventive
  • Monitor and Evaluate Occurrences
    8
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 Leadership and high level objectives Preventive
    Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 Leadership and high level objectives Preventive
    Include the capturing and alerting of performance variances in the notification system. CC ID 12929 Leadership and high level objectives Preventive
    Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 Leadership and high level objectives Preventive
    Include the capturing and alerting of account activity in the notification system. CC ID 15314 Leadership and high level objectives Preventive
    Establish, implement, and maintain an anti-tamper protection program. CC ID 10638 Physical and environmental protection Detective
    Monitor the location of distributed assets. CC ID 11684
    [{disregard} In determining whether an Electronic Attestation Certificate or an Electronic Signature is legally effective, no regard shall be had to the place where the Certificate or the Electronic Signature was issued, nor to the jurisdiction in which the issuer of the Electronic Attestation Certificate or Signature had its place of business Article (23)(1)]
    Physical and environmental protection Detective
    Establish, implement, and maintain data accuracy controls. CC ID 00921
    [A Certification Service Provider shall: exercise reasonable care to ensure the accuracy and completeness of all material representations made by it that are relevant to the Electronic Attestation Certificate throughout its life cycle or that are included in the certificate; Article (21) One:(b)
    A Signatory shall: where an Electronic Attestation Certificate is used to support a Signature Creation Device, exercise reasonable care to ensure the accuracy and completeness of all material representations made by the Signatory which are relevant to the Electronic Attestation Certificate throughout its life cycle Article {19) One:(4)]
    Records management Detective
  • Physical and Environmental Protection
    3
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Protect assets from tampering or unapproved substitution. CC ID 11902
    [A Certification Service Provider shall: provide reasonably accessible means which enable a Relying Party to ascertain: that the Signature Creation Device is valid and has not been compromised; Article (21) One:(c)(5)]
    Physical and environmental protection Preventive
    Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 Physical and environmental protection Preventive
    Protect distributed assets against theft. CC ID 06799 Physical and environmental protection Preventive
  • Process or Activity
    10
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Implement digital identification processes. CC ID 13731 Technical security Preventive
    Implement identity proofing processes. CC ID 13719 Technical security Preventive
    Allow authorized representatives to act on behalf of the data subject during the identity proofing process. CC ID 13787
    [As between the Originator and the Addressee, a Data Message is deemed to be that of the Originator if it was sent: by a person who had the authority to act on behalf of the Originator in respect of the Data Message; Article (13)(2)(a)]
    Technical security Preventive
    Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 Technical security Preventive
    Contain the incident to prevent further loss and preserve the system for forensic analysis. CC ID 01751 Operational management Corrective
    Establish, implement, and maintain data completeness controls. CC ID 11649
    [A Certification Service Provider shall: exercise reasonable care to ensure the accuracy and completeness of all material representations made by it that are relevant to the Electronic Attestation Certificate throughout its life cycle or that are included in the certificate; Article (21) One:(b)
    A Signatory shall: where an Electronic Attestation Certificate is used to support a Signature Creation Device, exercise reasonable care to ensure the accuracy and completeness of all material representations made by the Signatory which are relevant to the Electronic Attestation Certificate throughout its life cycle Article {19) One:(4)]
    Records management Preventive
    Determine how long to keep records and logs before disposing them. CC ID 11661 Records management Preventive
    Process restricted information in a secure environment. CC ID 13058 Records management Preventive
    Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 Third Party and supply chain oversight Detective
    Assess third parties' compliance environment during due diligence. CC ID 13134 Third Party and supply chain oversight Detective
  • Records Management
    13
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Retain collected evidence for potential future legal actions. CC ID 01235 Operational management Preventive
    Establish, implement, and maintain secure storage and handling of evidence procedures. CC ID 08656 Operational management Preventive
    Compare each record's data input to its final form. CC ID 11813 Records management Detective
    Allow electronic signatures to satisfy requirements for written signatures, as necessary. CC ID 11807
    [Where a rule of law requires a signature on a document, or provides for certain consequences in the absence of a signature, that rule is satisfied if the document contains a reliable Electronic Signature within the meaning of Article (18) of this Law Article (8)(1)
    {is not unenforceable} A contract is not invalid or unenforceable solely by reason that Electronic Communication was used in its formation Article (11)(2)]
    Records management Preventive
    Retain records in accordance with applicable requirements. CC ID 00968
    [Where the law requires that certain documents, records or information be retained for any reason, that requirement is met by retaining Electronic Records, provided that the following conditions are satisfied: Article (5)(1)
    An obligation to retain documents, records or information in accordance with paragraph (c) of subsection (1) does not extend to any information necessarily or automatically generated solely for the purpose of enabling a message to be sent or received Article (5)(2)]
    Records management Preventive
    Maintain electronic records in an equivalent manner as printed records, as necessary. CC ID 11806
    [Where the law requires that certain documents, records or information be retained for any reason, that requirement is met by retaining Electronic Records, provided that the following conditions are satisfied: the Electronic Record is retained in the format in which it was generated, sent or received, or in a format which can be demonstrated to represent accurately the information generated, sent or received; Article (5)(1)(a)
    If a rule of law requires a statement, document, record, transaction or evidence to be in writing or provides for certain consequences if it is not, an Electronic Document or Record satisfies the requirement if the provisions of subsection (1) of Article (5) of this Law are complied with Article (7)]
    Records management Preventive
    Refrain from creating printed records as copies of electronic records. CC ID 11808 Records management Preventive
    Capture the records required by organizational compliance requirements. CC ID 00912 Records management Detective
    Log records as being received into the recordkeeping system. CC ID 11696 Records management Preventive
    Establish and maintain access controls for all records. CC ID 00371
    [Where the law requires that certain documents, records or information be retained for any reason, that requirement is met by retaining Electronic Records, provided that the following conditions are satisfied: the information contained therein is accessible so as to be usable for subsequent reference; and Article (5)(1)(b)]
    Records management Preventive
    Establish, implement, and maintain legal hold procedures for data and records. CC ID 06810
    [In assessing the evidential weight of Electronic Information, regard shall be given to: the reliability of the manner in which the integrity of the information was maintained; Article (10)(2)(b)]
    Records management Preventive
    Tailor the e-discovery search methodology to evolve with e-discovery rules. CC ID 00625 Records management Preventive
    Use precedent from the context of paper discovery in the context of e-discovery. CC ID 00626
    [{refrain from preventing} In any legal proceedings, nothing in the application of the rules of evidence shall apply so as to prevent the admission of a Data Message or Electronic Signature in evidence: on the grounds that the message or signature is in Electronic format; or Article (10)(1)(a)]
    Records management Preventive
  • Technical Security
    50
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Implement federated identity systems, as necessary. CC ID 13837 Technical security Preventive
    Authenticate all systems in a federated identity system. CC ID 13835 Technical security Preventive
    Send and receive authentication assertions, as necessary. CC ID 13839
    [A person may rely on an Electronic Signature or Electronic Attestation Certificate to the extent that such reliance rm_secondary-verb">is reasonable Article (18)(1)
    Where the Originator has not agreed with the Addressee that the acknowledgement be given in a particular form or by a particular method, an acknowledgement may be given by: any conduct of the addressee, sufficient to y-verb">or:#B7D8ED;" class="term_primary-verb">indicate to the Originator that the pan style="background-color:#F0BBBC;" class="term_primary-noun">Data Message has been received Article (14)(2)(b)]
    Technical security Preventive
    Make the assertion reference for authentication assertions single-use. CC ID 13843 Technical security Preventive
    Validate the issuer in the authentication assertion. CC ID 13878
    [A Certification Service Provider shall: provide reasonably accessible means which enable a Relying Party to ascertain: the identity of the olor:#F0BBBC;" class="term_primary-noun">Certification Service Provider; Article (21) One:(c)(1)]
    Technical security Detective
    Limit the lifetime of the assertion reference. CC ID 13874 Technical security Preventive
    Refrain from using authentication assertions that have expired. CC ID 13872 Technical security Preventive
    Include the issuer identifier in the authentication assertion. CC ID 13865 Technical security Preventive
    Include attribute metadata in the authentication assertion. CC ID 13856 Technical security Preventive
    Include the authentication time in the authentication assertion. CC ID 13855 Technical security Preventive
    Validate each element within the authentication assertion. CC ID 13853
    [{electronic attestation certificate} In determining whether it was reasonable for a person to have relied on an Electronic Signature or Certificate, regard shall be had, if appropriate, to the nature of the underlying transaction that Electronic Signature was intended to support; Article (18)(3)(a)
    Where the acknowledgment received by the Originator states that the related Data Message met technical requirements, either agreed upon or set forth in applicable standards, it is mary-verb">presumed, unless evidence to the contrary is adduced, that those requirements have been term_secondary-verb">#B7D8ED;" class="term_primary-verb">met Article (14)(6)
    Where the Originator has not agreed with the Addressee that the acknowledgement be given in a particular form or by a particular method, an acknowledgement may be given byy-verb">: any n style="background-color:#F0BBBC;" class="term_primary-noun">communication by the n style="background-color:#F0BBBC;" class="term_primary-noun">Addressee, electronic, automated or otherwise; or Article (14)(2)(a)]
    Technical security Preventive
    Validate the timestamp in the authentication assertion. CC ID 13875
    [An Electronic Attestation Certificate shall state: that the Signature Creation Device was effective at or before the date when the certificate was issued; Article (21) Three:(c)]
    Technical security Detective
    Validate the digital signature in the authentication assertion. CC ID 13869
    [{electronic attestation certificate} In determining whether it was reasonable for a person to have relied on an Electronic Signature or Certificate, regard shall be had, if appropriate, to whether the Relying Party in respect of the Electronic Signature or the Electronic Attestation Certificate had taken appropriate steps to determine the reliability of the Electronic Signature or the Electronic Attestation Certificate; Article (18)(3)(c)
    {electronic signature} A signature shall be treated as a Secure Electronic Signature if, through the application of a prescribed Secure Authentication Procedure or a commercially reasonable Secure Authentication Procedure agreed to by the parties involved, it can be verified that an Electronic Signature was, at the time it was made: linked to the Electronic Record to which it relates in a manner which provides reliable n">assurance as to the <span style="background-color:#F0BBBC;" class="term_primary-noun">integrity of the signature such that if the record was changed the Electronic Signature would be d-color:#CBD0E5;" class="term_secondary-verb">invalidated Article (17)(1)(d)
    {electronic signature} A signature shall be treated as a Secure Electronic Signature if, through the application of a prescribed Secure Authentication Procedure or a commercially reasonable Secure Authentication Procedure agreed to by the parties involved, it can be verified that an Electronic Signature was, at the time it was made: was, at the time of signing, under the sole 7D8ED;" class="term_primary-verb">control of the Signatory in terms of the creation data and the means used; and Article (17)(1)(c)
    {electronic signature} A signature shall be treated as a Secure Electronic Signature if, through the application of a prescribed Secure Authentication Procedure or a commercially reasonable Secure Authentication Procedure agreed to by the parties involved, it can be verified that an Electronic Signature was, at the time it was made: capable of >identifying such person; Article (17)(1)(b)]
    Technical security Detective
    Validate the signature validation element in the authentication assertion. CC ID 13867
    [{electronic attestation certificate} In determining whether it was reasonable for a person to have relied on an Electronic Signature or Certificate, regard shall be had, if appropriate, to whether the Relying Party in respect of the Electronic Signature had taken appropriate steps to ascertain whether the Electronic Signature was supported or was reasonably expected to have been supported by an Electronic Attestation Certificate; Article (18)(3)(d)
    {electronic attestation certificate} In determining whether it was reasonable for a person to have relied on an Electronic Signature or Certificate, regard shall be had, if appropriate, to whether the Relying Party in respect of the Electronic Signature or the Electronic Attestation Certificate knew or ought to have known that the Electronic Signature or the Electronic Attestation Certificate had been compromised or revoked; Article (18)(3)(e)]
    Technical security Detective
    Validate the audience restriction element in the authentication assertion. CC ID 13866 Technical security Detective
    Include the subject in the authentication assertion. CC ID 13852 Technical security Preventive
    Include the target audience in the authentication assertion. CC ID 13851 Technical security Preventive
    Include audience restrictions in the authentication assertion. CC ID 13870 Technical security Preventive
    Include the issue date in the authentication assertion. CC ID 13850 Technical security Preventive
    Include the expiration date in the authentication assertion. CC ID 13849 Technical security Preventive
    Include identifiers in the authentication assertion. CC ID 13848 Technical security Preventive
    Include digital signatures in the authentication assertion. CC ID 13847 Technical security Preventive
    Include key binding in the authentication assertion. CC ID 13846
    [A Certification Service Provider shall: provide reasonably accessible means which enable a Relying Party to ascertain: that the person identified in the Electronic Attestation Certificate rm_primary-verb">holds, at the relevant time, the Signature Creation Device referred to in the certificate; Article (21) One:(c)(2)]
    Technical security Preventive
    Include attribute references in the authentication assertion. CC ID 13845
    [{electronic attestation certificate} In determining whether it was reasonable for a person to have relied on an Electronic Signature or Certificate, regard shall be had, if appropriate, to any agreement or course of dealing which the Originator has with the Relying Party in respect of the Electronic Signature or the Electronic Attestation Certificate, or any trade usage or practice which may be applicable; Article (18)(3)(f)
    {electronic attestation certificate} In determining whether it was reasonable for a person to have relied on an Electronic Signature or Certificate, regard shall be had, if appropriate, to any other relevant factor Article (18)(3)(g)]
    Technical security Preventive
    Include attribute values in the authentication assertion. CC ID 13844
    [{electronic attestation certificate} In determining whether it was reasonable for a person to have relied on an Electronic Signature or Certificate, regard shall be had, if appropriate, to the value or importance of the underlying transaction, if this known to the party relying on the Electronic Signature; Article (18)(3)(b)]
    Technical security Preventive
    Control access rights to organizational assets. CC ID 00004
    [A Signatory shall: exercise reasonable care to avoid the unauthorized use of its Signature Creation Device; Article (19) One:(2)]
    Technical security Preventive
    Generate but refrain from storing passwords or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835 Technical security Preventive
    Define access needs for each system component of an information system. CC ID 12456 Technical security Preventive
    Define the level of privilege required for each system component of an information system. CC ID 12457 Technical security Preventive
    Establish access rights based on least privilege. CC ID 01411 Technical security Preventive
    Assign user permissions based on job responsibilities. CC ID 00538 Technical security Preventive
    Assign user privileges after they have management sign off. CC ID 00542 Technical security Preventive
    Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 Technical security Preventive
    Disallow unlocking user accounts absent system administrator approval. CC ID 01413 Technical security Preventive
    Establish session authenticity through Transport Layer Security. CC ID 01627 Technical security Preventive
    Include all system components in the access control system. CC ID 11939 Technical security Preventive
    Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 Technical security Preventive
    Enable role-based access control for objects and users on information systems. CC ID 12458 Technical security Preventive
    Enforce access restrictions for change control. CC ID 01428 Technical security Preventive
    Permit a limited set of user actions absent identification and authentication. CC ID 04849 Technical security Preventive
    Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262 Technical security Preventive
    Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770 Technical security Preventive
    Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964 Technical security Preventive
    Manage the use of encryption controls and cryptographic controls. CC ID 00570 Technical security Preventive
    Use strong data encryption to transmit restricted data or restricted information over public networks. CC ID 00564 Technical security Preventive
    Treat data messages that do not receive an acknowledgment as never been sent. CC ID 14416
    [Where the Originator has stated that the Data Message is conditional on receipt of the acknowledgment, the Data Message is treated as though it had never been sent until the acknowledgment is received Article (14)(3)]
    Technical security Preventive
    Establish, implement, and maintain on-site logical controls for all distributed assets. CC ID 11682
    [A Signatory shall: not unlawfully use its Signature Creation Device; Article (19) One:(1)]
    Physical and environmental protection Preventive
    Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 Operational management Preventive
    Allow authorized parties to authenticate electronic records with electronic signatures. CC ID 11964
    [Absent proof to the contrary, it shall be presumed that a Secure Electronic Signature: was affixed by that person with the intention of signing or approving the Data Message attributed to him Article(10)(3)(c)
    Absent contrary statutory provision, a person may use any form of Electronic authentication Article (8)(2)
    Notwithstanding subsections (2) and (3) above: Where parties agree, as between themselves, to the use of certain types of Electronic Signatures or Electronic Attestation Certificates, that agreement shall be recognized as sufficient for the purpose of cross-border recognition between the various jurisdictions of states, unless that agreement would not be valid or effective under applicable law of the UAE Article (23)(6)(b)]
    Records management Preventive
    Allow authorized parties to authenticate transactions with electronic signatures. CC ID 11963 Records management Preventive
  • Testing
    6
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455 Technical security Detective
    Implement non-repudiation for transactions. CC ID 00567 Technical security Detective
    Test the operation of the digital forensic equipment prior to use. CC ID 08694 Operational management Detective
    Maintain continued integrity for all stored data and stored records. CC ID 00969
    [{not be altered} Absent proof to the contrary, it shall be presumed that a Secure Electronic Record: remained unaltered since creation; and Article (10)(4)(a)
    Absent proof to the contrary, it shall be presumed that a Secure Electronic Record: is reliable Article (10)(4)(b)
    If a prescribed Secure Authentication Procedure or a commercially reasonable Secure Authentication Procedure agreed to by the parties involved has been properly applied to an Electronic Record to verify that the Electronic Record has not been altered since a specified point in time, such record shall be treated as a Secure Electronic Record from such specified point in time to the time of verification Article (16)(1)]
    Records management Detective
    Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 Third Party and supply chain oversight Detective
    Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087
    [Electronic Attestation Certificates issued by a foreign Certification Service Provider are recognized as legally equivalent to Certificates issued by Certification Service Providers operating under this Law, if the practices of the foreign Certification Service Provider provide a level of reliability at least equivalent to that required of Certification Service Providers operating in accordance with this Law, as provided under Article (21), and taking into consideration recognized international standards Article (23)(2)]
    Third Party and supply chain oversight Detective
Common Controls and
mandates by Classification
55 Mandated Controls - bold    
65 Implied Controls - italic     119 Implementation

There are three types of Common Control classifications; corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.

Number of Controls
239 Total
  • Corrective
    5
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 Technical security Communicate
    Contain the incident to prevent further loss and preserve the system for forensic analysis. CC ID 01751 Operational management Process or Activity
    Provide and display problem management contact information to customers. CC ID 06386
    [A Certification Service Provider shall: provide reasonably accessible means which enable a Relying Party to ascertain: whether means exist for the Signatory to give notice pursuant to this Law; Article (21) One:(c)(6)]
    Operational management Establish/Maintain Documentation
    Conduct forensic investigations in the event of a security compromise. CC ID 11951 Operational management Investigate
    Collect evidence from the incident scene. CC ID 02236 Operational management Business Processes
  • Detective
    48
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Validate the issuer in the authentication assertion. CC ID 13878
    [A Certification Service Provider shall: provide reasonably accessible means which enable a Relying Party to ascertain: the identity of the olor:#F0BBBC;" class="term_primary-noun">Certification Service Provider; Article (21) One:(c)(1)]
    Technical security Technical Security
    Validate the timestamp in the authentication assertion. CC ID 13875
    [An Electronic Attestation Certificate shall state: that the Signature Creation Device was effective at or before the date when the certificate was issued; Article (21) Three:(c)]
    Technical security Technical Security
    Validate the digital signature in the authentication assertion. CC ID 13869
    [{electronic attestation certificate} In determining whether it was reasonable for a person to have relied on an Electronic Signature or Certificate, regard shall be had, if appropriate, to whether the Relying Party in respect of the Electronic Signature or the Electronic Attestation Certificate had taken appropriate steps to determine the reliability of the Electronic Signature or the Electronic Attestation Certificate; Article (18)(3)(c)
    {electronic signature} A signature shall be treated as a Secure Electronic Signature if, through the application of a prescribed Secure Authentication Procedure or a commercially reasonable Secure Authentication Procedure agreed to by the parties involved, it can be verified that an Electronic Signature was, at the time it was made: linked to the Electronic Record to which it relates in a manner which provides reliable n">assurance as to the <span style="background-color:#F0BBBC;" class="term_primary-noun">integrity of the signature such that if the record was changed the Electronic Signature would be d-color:#CBD0E5;" class="term_secondary-verb">invalidated Article (17)(1)(d)
    {electronic signature} A signature shall be treated as a Secure Electronic Signature if, through the application of a prescribed Secure Authentication Procedure or a commercially reasonable Secure Authentication Procedure agreed to by the parties involved, it can be verified that an Electronic Signature was, at the time it was made: was, at the time of signing, under the sole 7D8ED;" class="term_primary-verb">control of the Signatory in terms of the creation data and the means used; and Article (17)(1)(c)
    {electronic signature} A signature shall be treated as a Secure Electronic Signature if, through the application of a prescribed Secure Authentication Procedure or a commercially reasonable Secure Authentication Procedure agreed to by the parties involved, it can be verified that an Electronic Signature was, at the time it was made: capable of >identifying such person; Article (17)(1)(b)]
    Technical security Technical Security
    Validate the signature validation element in the authentication assertion. CC ID 13867
    [{electronic attestation certificate} In determining whether it was reasonable for a person to have relied on an Electronic Signature or Certificate, regard shall be had, if appropriate, to whether the Relying Party in respect of the Electronic Signature had taken appropriate steps to ascertain whether the Electronic Signature was supported or was reasonably expected to have been supported by an Electronic Attestation Certificate; Article (18)(3)(d)
    {electronic attestation certificate} In determining whether it was reasonable for a person to have relied on an Electronic Signature or Certificate, regard shall be had, if appropriate, to whether the Relying Party in respect of the Electronic Signature or the Electronic Attestation Certificate knew or ought to have known that the Electronic Signature or the Electronic Attestation Certificate had been compromised or revoked; Article (18)(3)(e)]
    Technical security Technical Security
    Validate the audience restriction element in the authentication assertion. CC ID 13866 Technical security Technical Security
    Disallow application IDs from running as privileged users. CC ID 10050 Technical security Configuration
    Perform a risk assessment prior to activating third party access to the organization's critical systems. CC ID 06455 Technical security Testing
    Implement non-repudiation for transactions. CC ID 00567 Technical security Testing
    Establish, implement, and maintain an anti-tamper protection program. CC ID 10638 Physical and environmental protection Monitor and Evaluate Occurrences
    Monitor the location of distributed assets. CC ID 11684
    [{disregard} In determining whether an Electronic Attestation Certificate or an Electronic Signature is legally effective, no regard shall be had to the place where the Certificate or the Electronic Signature was issued, nor to the jurisdiction in which the issuer of the Electronic Attestation Certificate or Signature had its place of business Article (23)(1)]
    Physical and environmental protection Monitor and Evaluate Occurrences
    Establish, implement, and maintain a critical resource list. CC ID 00740 Operational and Systems Continuity Establish/Maintain Documentation
    Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674
    [In assessing the evidential weight of Electronic Information, regard shall be given to: the reliability of the source of information, if identifiable; Article (10)(2)(c)
    In assessing the evidential weight of Electronic Information, regard shall be given to: the reliability of the manner in which the Originator was identified; Article (10)(2)(d)]
    Operational management Establish/Maintain Documentation
    Protect devices containing digital forensic evidence during transport. CC ID 08687 Operational management Investigate
    Protect devices containing digital forensic evidence in sealed containers. CC ID 08685 Operational management Investigate
    Establish, implement, and maintain a chain of custody for all devices containing digital forensic evidence. CC ID 08686 Operational management Establish/Maintain Documentation
    Contact affected parties to participate in forensic investigations, as necessary. CC ID 12343 Operational management Communicate
    Prepare digital forensic equipment. CC ID 08688 Operational management Investigate
    Use digital forensic equipment suitable to the circumstances. CC ID 08690 Operational management Investigate
    Provide relevant user manuals for digital forensic equipment during use. CC ID 08691 Operational management Investigate
    Include the hardware configuration and software configuration of the digital forensic equipment in the forensic investigation report. CC ID 08693 Operational management Establish/Maintain Documentation
    Test the operation of the digital forensic equipment prior to use. CC ID 08694 Operational management Testing
    Maintain digital forensic equipment for proper performance. CC ID 08689 Operational management Investigate
    Include documentation of the system containing and surrounding digital forensic evidence in the forensic investigation report. CC ID 08679 Operational management Establish/Maintain Documentation
    Include the configuration settings of devices associated with digital forensic evidence in the forensic investigation report. CC ID 08676 Operational management Establish/Maintain Documentation
    Include the external connections to systems containing digital forensic evidence in the forensic investigation report. CC ID 08680 Operational management Establish/Maintain Documentation
    Include the electronic media storage devices containing digital forensic evidence in the forensic investigation report. CC ID 08695 Operational management Establish/Maintain Documentation
    Include all system components of systems containing digital forensic evidence in the forensic investigation report. CC ID 08696 Operational management Establish/Maintain Documentation
    Refrain from altering the state of compromised systems when collecting digital forensic evidence. CC ID 08671 Operational management Investigate
    Follow all applicable laws and principles when collecting digital forensic evidence. CC ID 08672 Operational management Investigate
    Remove everyone except interested personnel and affected parties from the proximity of digital forensic evidence. CC ID 08675 Operational management Investigate
    Secure devices containing digital forensic evidence. CC ID 08681 Operational management Investigate
    Use a write blocker to prevent digital forensic evidence from being modified. CC ID 08692 Operational management Investigate
    Capture volatile information from devices containing digital forensic evidence prior to shutdown. CC ID 08684 Operational management Investigate
    Create a system image of the device before collecting digital forensic evidence. CC ID 08673 Operational management Investigate
    Shut down stand alone devices containing digital forensic evidence. CC ID 08682 Operational management Investigate
    Disconnect electronic media storage devices of systems containing digital forensic evidence. CC ID 08697 Operational management Investigate
    Place evidence tape over devices containing digital forensic evidence. CC ID 08683 Operational management Investigate
    Establish, implement, and maintain data accuracy controls. CC ID 00921
    [A Certification Service Provider shall: exercise reasonable care to ensure the accuracy and completeness of all material representations made by it that are relevant to the Electronic Attestation Certificate throughout its life cycle or that are included in the certificate; Article (21) One:(b)
    A Signatory shall: where an Electronic Attestation Certificate is used to support a Signature Creation Device, exercise reasonable care to ensure the accuracy and completeness of all material representations made by the Signatory which are relevant to the Electronic Attestation Certificate throughout its life cycle Article {19) One:(4)]
    Records management Monitor and Evaluate Occurrences
    Compare each record's data input to its final form. CC ID 11813 Records management Records Management
    Define each system's preservation requirements for records and logs. CC ID 00904 Records management Establish/Maintain Documentation
    Establish, implement, and maintain a data retention program. CC ID 00906 Records management Establish/Maintain Documentation
    Maintain continued integrity for all stored data and stored records. CC ID 00969
    [{not be altered} Absent proof to the contrary, it shall be presumed that a Secure Electronic Record: remained unaltered since creation; and Article (10)(4)(a)
    Absent proof to the contrary, it shall be presumed that a Secure Electronic Record: is reliable Article (10)(4)(b)
    If a prescribed Secure Authentication Procedure or a commercially reasonable Secure Authentication Procedure agreed to by the parties involved has been properly applied to an Electronic Record to verify that the Electronic Record has not been altered since a specified point in time, such record shall be treated as a Secure Electronic Record from such specified point in time to the time of verification Article (16)(1)]
    Records management Testing
    Capture the records required by organizational compliance requirements. CC ID 00912 Records management Records Management
    Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 Third Party and supply chain oversight Process or Activity
    Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 Third Party and supply chain oversight Testing
    Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087
    [Electronic Attestation Certificates issued by a foreign Certification Service Provider are recognized as legally equivalent to Certificates issued by Certification Service Providers operating under this Law, if the practices of the foreign Certification Service Provider provide a level of reliability at least equivalent to that required of Certification Service Providers operating in accordance with this Law, as provided under Article (21), and taking into consideration recognized international standards Article (23)(2)]
    Third Party and supply chain oversight Testing
    Assess third parties' compliance environment during due diligence. CC ID 13134 Third Party and supply chain oversight Process or Activity
    Request attestation of compliance from third parties. CC ID 12067 Third Party and supply chain oversight Establish/Maintain Documentation
  • IT Impact Zone
    9
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Leadership and high level objectives CC ID 00597 Leadership and high level objectives IT Impact Zone
    Technical security CC ID 00508 Technical security IT Impact Zone
    Physical and environmental protection CC ID 00709 Physical and environmental protection IT Impact Zone
    Operational and Systems Continuity CC ID 00731 Operational and Systems Continuity IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    System hardening through configuration management CC ID 00860 System hardening through configuration management IT Impact Zone
    Records management CC ID 00902 Records management IT Impact Zone
    Privacy protection for information and data CC ID 00008 Privacy protection for information and data IT Impact Zone
    Third Party and supply chain oversight CC ID 08807 Third Party and supply chain oversight IT Impact Zone
  • Preventive
    177
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Establish, implement, and maintain communication protocols. CC ID 12245 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406
    [A Signatory shall: without undue delay, notify concerned persons if: the Signatory becomes aware that the security of its Signature Creation Device has been compromised; Article (19) One:(3)(a)
    A Signatory shall: without undue delay, notify concerned persons if: the circumstances known to the Signatory give rise to a substantial risk that the security of the Signature Creation Device may have been compromised; and Article (19) One:(3)(b)]
    Leadership and high level objectives Establish/Maintain Documentation
    Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 Leadership and high level objectives Monitor and Evaluate Occurrences
    Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 Leadership and high level objectives Monitor and Evaluate Occurrences
    Include the capturing and alerting of performance variances in the notification system. CC ID 12929 Leadership and high level objectives Monitor and Evaluate Occurrences
    Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 Leadership and high level objectives Monitor and Evaluate Occurrences
    Include the capturing and alerting of account activity in the notification system. CC ID 15314 Leadership and high level objectives Monitor and Evaluate Occurrences
    Establish, implement, and maintain a digital identity management program. CC ID 13713 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain digital identification procedures. CC ID 13714 Technical security Establish/Maintain Documentation
    Implement digital identification processes. CC ID 13731 Technical security Process or Activity
    Implement identity proofing processes. CC ID 13719 Technical security Process or Activity
    Allow authorized representatives to act on behalf of the data subject during the identity proofing process. CC ID 13787
    [As between the Originator and the Addressee, a Data Message is deemed to be that of the Originator if it was sent: by a person who had the authority to act on behalf of the Originator in respect of the Data Message; Article (13)(2)(a)]
    Technical security Process or Activity
    Implement federated identity systems, as necessary. CC ID 13837 Technical security Technical Security
    Authenticate all systems in a federated identity system. CC ID 13835 Technical security Technical Security
    Send and receive authentication assertions, as necessary. CC ID 13839
    [A person may rely on an Electronic Signature or Electronic Attestation Certificate to the extent that such reliance rm_secondary-verb">is reasonable Article (18)(1)
    Where the Originator has not agreed with the Addressee that the acknowledgement be given in a particular form or by a particular method, an acknowledgement may be given by: any conduct of the addressee, sufficient to y-verb">or:#B7D8ED;" class="term_primary-verb">indicate to the Originator that the pan style="background-color:#F0BBBC;" class="term_primary-noun">Data Message has been received Article (14)(2)(b)]
    Technical security Technical Security
    Make the assertion reference for authentication assertions single-use. CC ID 13843 Technical security Technical Security
    Limit the lifetime of the assertion reference. CC ID 13874 Technical security Technical Security
    Refrain from using authentication assertions that have expired. CC ID 13872 Technical security Technical Security
    Include the issuer identifier in the authentication assertion. CC ID 13865 Technical security Technical Security
    Include attribute metadata in the authentication assertion. CC ID 13856 Technical security Technical Security
    Include the authentication time in the authentication assertion. CC ID 13855 Technical security Technical Security
    Validate each element within the authentication assertion. CC ID 13853
    [{electronic attestation certificate} In determining whether it was reasonable for a person to have relied on an Electronic Signature or Certificate, regard shall be had, if appropriate, to the nature of the underlying transaction that Electronic Signature was intended to support; Article (18)(3)(a)
    Where the acknowledgment received by the Originator states that the related Data Message met technical requirements, either agreed upon or set forth in applicable standards, it is mary-verb">presumed, unless evidence to the contrary is adduced, that those requirements have been term_secondary-verb">#B7D8ED;" class="term_primary-verb">met Article (14)(6)
    Where the Originator has not agreed with the Addressee that the acknowledgement be given in a particular form or by a particular method, an acknowledgement may be given byy-verb">: any n style="background-color:#F0BBBC;" class="term_primary-noun">communication by the n style="background-color:#F0BBBC;" class="term_primary-noun">Addressee, electronic, automated or otherwise; or Article (14)(2)(a)]
    Technical security Technical Security
    Include the subject in the authentication assertion. CC ID 13852 Technical security Technical Security
    Include the target audience in the authentication assertion. CC ID 13851 Technical security Technical Security
    Include audience restrictions in the authentication assertion. CC ID 13870 Technical security Technical Security
    Include the issue date in the authentication assertion. CC ID 13850 Technical security Technical Security
    Include the expiration date in the authentication assertion. CC ID 13849 Technical security Technical Security
    Include identifiers in the authentication assertion. CC ID 13848 Technical security Technical Security
    Include digital signatures in the authentication assertion. CC ID 13847 Technical security Technical Security
    Include key binding in the authentication assertion. CC ID 13846
    [A Certification Service Provider shall: provide reasonably accessible means which enable a Relying Party to ascertain: that the person identified in the Electronic Attestation Certificate rm_primary-verb">holds, at the relevant time, the Signature Creation Device referred to in the certificate; Article (21) One:(c)(2)]
    Technical security Technical Security
    Include attribute references in the authentication assertion. CC ID 13845
    [{electronic attestation certificate} In determining whether it was reasonable for a person to have relied on an Electronic Signature or Certificate, regard shall be had, if appropriate, to any agreement or course of dealing which the Originator has with the Relying Party in respect of the Electronic Signature or the Electronic Attestation Certificate, or any trade usage or practice which may be applicable; Article (18)(3)(f)
    {electronic attestation certificate} In determining whether it was reasonable for a person to have relied on an Electronic Signature or Certificate, regard shall be had, if appropriate, to any other relevant factor Article (18)(3)(g)]
    Technical security Technical Security
    Include attribute values in the authentication assertion. CC ID 13844
    [{electronic attestation certificate} In determining whether it was reasonable for a person to have relied on an Electronic Signature or Certificate, regard shall be had, if appropriate, to the value or importance of the underlying transaction, if this known to the party relying on the Electronic Signature; Article (18)(3)(b)]
    Technical security Technical Security
    Establish, implement, and maintain an access control program. CC ID 11702 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain an access rights management plan. CC ID 00513 Technical security Establish/Maintain Documentation
    Control access rights to organizational assets. CC ID 00004
    [A Signatory shall: exercise reasonable care to avoid the unauthorized use of its Signature Creation Device; Article (19) One:(2)]
    Technical security Technical Security
    Add all devices requiring access control to the Access Control List. CC ID 06264 Technical security Establish/Maintain Documentation
    Generate but refrain from storing passwords or Personal Identification Numbers for systems involved in high risk activities. CC ID 06835 Technical security Technical Security
    Define roles for information systems. CC ID 12454 Technical security Human Resources Management
    Define access needs for each role assigned to an information system. CC ID 12455 Technical security Human Resources Management
    Define access needs for each system component of an information system. CC ID 12456 Technical security Technical Security
    Define the level of privilege required for each system component of an information system. CC ID 12457 Technical security Technical Security
    Establish access rights based on least privilege. CC ID 01411 Technical security Technical Security
    Assign user permissions based on job responsibilities. CC ID 00538 Technical security Technical Security
    Assign user privileges after they have management sign off. CC ID 00542 Technical security Technical Security
    Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 Technical security Configuration
    Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 Technical security Technical Security
    Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 Technical security Configuration
    Disallow unlocking user accounts absent system administrator approval. CC ID 01413 Technical security Technical Security
    Establish, implement, and maintain session lock capabilities. CC ID 01417 Technical security Configuration
    Limit concurrent sessions according to account type. CC ID 01416 Technical security Configuration
    Establish session authenticity through Transport Layer Security. CC ID 01627 Technical security Technical Security
    Configure the "tlsverify" argument to organizational standards. CC ID 14460 Technical security Configuration
    Configure the "tlscacert" argument to organizational standards. CC ID 14521 Technical security Configuration
    Configure the "tlscert" argument to organizational standards. CC ID 14520 Technical security Configuration
    Configure the "tlskey" argument to organizational standards. CC ID 14519 Technical security Configuration
    Enable access control for objects and users on each system. CC ID 04553 Technical security Configuration
    Include all system components in the access control system. CC ID 11939 Technical security Technical Security
    Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 Technical security Process or Activity
    Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 Technical security Technical Security
    Enable role-based access control for objects and users on information systems. CC ID 12458 Technical security Technical Security
    Include the objects and users subject to access control in the security policy. CC ID 11836 Technical security Establish/Maintain Documentation
    Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 Technical security Establish Roles
    Enforce access restrictions for change control. CC ID 01428 Technical security Technical Security
    Enforce access restrictions for restricted data. CC ID 01921 Technical security Data and Information Management
    Permit a limited set of user actions absent identification and authentication. CC ID 04849 Technical security Technical Security
    Activate third party maintenance accounts and user identifiers, as necessary. CC ID 04262 Technical security Technical Security
    Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 Technical security Establish/Maintain Documentation
    Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 Technical security Establish/Maintain Documentation
    Display a logon banner and appropriate logon message before granting access to the system. CC ID 06770 Technical security Technical Security
    Display previous logon information in the logon banner. CC ID 01415 Technical security Configuration
    Document actions that can be performed on an information system absent identification and authentication of the user. CC ID 06771 Technical security Establish/Maintain Documentation
    Use automatic equipment identification as a method of connection authentication absent an individual's identification and authentication. CC ID 06964 Technical security Technical Security
    Establish, implement, and maintain a system and information integrity policy. CC ID 14034 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain system and information integrity procedures. CC ID 14051
    [A Certification Service Provider shall: utilize trustworthy systems, procedures and human resources in performing its services; Article (21) One:(e)]
    Technical security Establish/Maintain Documentation
    Disseminate and communicate the system and information integrity procedures to interested personnel and affected parties. CC ID 14142 Technical security Communicate
    Manage the use of encryption controls and cryptographic controls. CC ID 00570 Technical security Technical Security
    Establish, implement, and maintain digital signatures. CC ID 13828 Technical security Data and Information Management
    Include the issuer in digital signatures. CC ID 13831
    [A Certification Service Provider shall: provide reasonably accessible means which enable a Relying Party to ascertain: the method used to identify the Signatory; Article (21) One:(c)(3)
    An Electronic Attestation Certificate shall state: the identity of the Certification Service Provider; Article (21) Three:(a)]
    Technical security Data and Information Management
    Use strong data encryption to transmit restricted data or restricted information over public networks. CC ID 00564 Technical security Technical Security
    Treat data messages that do not receive an acknowledgment as never been sent. CC ID 14416
    [Where the Originator has stated that the Data Message is conditional on receipt of the acknowledgment, the Data Message is treated as though it had never been sent until the acknowledgment is received Article (14)(3)]
    Technical security Technical Security
    Establish, implement, and maintain a physical security program. CC ID 11757 Physical and environmental protection Establish/Maintain Documentation
    Protect assets from tampering or unapproved substitution. CC ID 11902
    [A Certification Service Provider shall: provide reasonably accessible means which enable a Relying Party to ascertain: that the Signature Creation Device is valid and has not been compromised; Article (21) One:(c)(5)]
    Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 Physical and environmental protection Physical and Environmental Protection
    Protect distributed assets against theft. CC ID 06799 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain on-site logical controls for all distributed assets. CC ID 11682
    [A Signatory shall: not unlawfully use its Signature Creation Device; Article (19) One:(1)]
    Physical and environmental protection Technical Security
    Establish, implement, and maintain a business continuity program. CC ID 13210 Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain system continuity plan strategies. CC ID 00735 Operational and Systems Continuity Establish/Maintain Documentation
    Define and maintain continuity Service Level Agreements for all critical resources. CC ID 00741
    [A Certification Service Provider shall: provide a means for Signatories to give notice that the Signature Creation Device has been compromised and ensure the availability of a timely signature revocation service; Article (21) One:(d)]
    Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an information security program. CC ID 00812 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 Operational management Establish/Maintain Documentation
    Include asset use policies in the Acceptable Use Policy. CC ID 01355
    [A Certification Service Provider shall: provide reasonably accessible means which enable a Relying Party to ascertain: any limitation on the purpose or value for which the Signature Creation Device may be used; Article (21) One:(c)(4)
    An Electronic Attestation Certificate shall state: any limitations on the purposes or value for which the Signature Creation Device or the Electronic Attestation Certificate may be used; Article (21) Three:(d)]
    Operational management Establish/Maintain Documentation
    Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 Operational management Establish/Maintain Documentation
    Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 Operational management Establish/Maintain Documentation
    Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 Operational management Technical Security
    Include prohibiting, copying, or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 Operational management Establish/Maintain Documentation
    Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 Operational management Data and Information Management
    Establish, implement, and maintain an e-mail policy. CC ID 06439 Operational management Establish/Maintain Documentation
    Identify the sender in all electronic messages. CC ID 13996
    [Where the law requires that certain documents, records or information be retained for any reason, that requirement is met by retaining Electronic Records, provided that the following conditions are satisfied: such information, if any, is retained as enables the identification of the origin and destination of the Data Message and the date and time when it was sent or received Article (5)(1)(c)]
    Operational management Data and Information Management
    Establish, implement, and maintain a use of information agreement. CC ID 06215 Operational management Establish/Maintain Documentation
    Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130
    [{not been received} Where the Originator has asked for an acknowledgement but has not stated that the Data Message is conditional on receipt of the acknowledgment within the time specified or agreed, or if no time has been specified or agreed within a reasonable time, the Originator: may give notice to the Addressee stating that no acknowledgment has been received and specifying a reasonable time by which the acknowledgment must be received; and Article (14)(4)(a)]
    Operational management Establish/Maintain Documentation
    Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418
    [Where the Originator has asked for an acknowledgement but has not stated that the Data Message is conditional on receipt of the acknowledgment within the time specified or agreed, or if no time has been specified or agreed within a reasonable time, the Originator: if the acknowledgement is not received within the time specified in para (a) of this subsection, may treat the Data Message as though it has never been sent, or exercise any other rights it may have Article (14)(4)(b)]
    Operational management Establish/Maintain Documentation
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Operational management Business Processes
    Comply with all implemented policies in the organization's compliance framework. CC ID 06384
    [A Certification Service Provider shall: act in accordance with representations made by it with respect to its policies and practices; Article (21) One:(a)]
    Operational management Establish/Maintain Documentation
    Include continuity plans in the Service Management program. CC ID 13919
    [A Certification Service Provider shall: provide a means for Signatories to give notice that the Signature Creation Device has been compromised and ensure the availability of a timely signature revocation service; Article (21) One:(d)]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an Asset Management program. CC ID 06630 Operational management Business Processes
    Assign an information owner to organizational assets, as necessary. CC ID 12729
    [An Electronic Attestation Certificate shall state: that the person identified in the Electronic Attestation Certificate holds, at the relevant time, the Signature Creation Device referred to in the certificate; Article (21) Three:(b)]
    Operational management Human Resources Management
    Establish, implement, and maintain a customer service program. CC ID 00846 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an Incident Management program. CC ID 00853 Operational management Business Processes
    Include intrusion detection procedures in the Incident Management program. CC ID 00588 Operational management Establish/Maintain Documentation
    Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an Incident Response program. CC ID 00579 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a digital forensic evidence framework. CC ID 08652
    [In assessing the evidential weight of Electronic Information, regard shall be given to: any other factor that may be relevant Article (10)(2)(e)]
    Operational management Establish/Maintain Documentation
    Retain collected evidence for potential future legal actions. CC ID 01235 Operational management Records Management
    Define the business scenarios that require digital forensic evidence. CC ID 08653 Operational management Establish/Maintain Documentation
    Define the circumstances for collecting digital forensic evidence. CC ID 08657 Operational management Establish/Maintain Documentation
    Identify potential sources of digital forensic evidence. CC ID 08651
    [{refrain from preventing} In any legal proceedings, nothing in the application of the rules of evidence shall apply so as to prevent the admission of a Data Message or Electronic Signature in evidence: if it is the best evidence that the person adducing it could reasonably be expected to obtain, on the grounds that the message or signature is not original or in its original form Article (10)(1)(b)]
    Operational management Investigate
    Document the legal requirements for evidence collection. CC ID 08654 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a digital forensic evidence collection program. CC ID 08655 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain secure storage and handling of evidence procedures. CC ID 08656 Operational management Records Management
    Perform automated processes according to business requirements. CC ID 14325
    [As between the Originator and the Addressee, a Data Message is deemed to be that of the Originator if it was sent: by an Automated Information System programmed by or on behalf of the Originator to operate automatically Article (13)(2)(b)]
    Operational management Business Processes
    Conduct transactions, as necessary. CC ID 14378 Operational management Business Processes
    Implement data content requirements and data condition requirements for all transactions. CC ID 14410 Operational management Business Processes
    Keep code sets open until resolved. CC ID 14409 Operational management Business Processes
    Refrain from using incentives to conduct transactions. CC ID 14408 Operational management Business Processes
    Refrain from charging fees to conduct transactions. CC ID 14415 Operational management Business Processes
    Refrain from rejecting standard transactions. CC ID 14406 Operational management Business Processes
    Refrain from rejecting transactions containing extra data. CC ID 14407 Operational management Business Processes
    Translate standard transactions, as necessary. CC ID 14405 Operational management Business Processes
    Translate nonstandard transactions, as necessary. CC ID 14404 Operational management Business Processes
    Process transactions, as necessary. CC ID 14403 Operational management Business Processes
    Establish, implement, and maintain system hardening procedures. CC ID 12001 System hardening through configuration management Establish/Maintain Documentation
    Disable or configure the e-mail server, as necessary. CC ID 06563 System hardening through configuration management Configuration
    Configure e-mail servers to enable receiver-side verification. CC ID 12223
    [Where the Originator receives the Addressee's acknowledgment of receipt, it is presumed, unless evidence to the contrary is adduced, that the related Data Message was received by the Addressee, but that presumption does not imply that the content of the Data Message sent by the Originator corresponds to the content of the message received from the Addressee Article (14)(5)]
    System hardening through configuration management Configuration
    Establish, implement, and maintain records management policies. CC ID 00903 Records management Establish/Maintain Documentation
    Establish, implement, and maintain a record classification scheme. CC ID 00914 Records management Establish/Maintain Documentation
    Establish and maintain Records Management procedures. CC ID 00919 Records management Establish/Maintain Documentation
    Establish, implement, and maintain data completeness controls. CC ID 11649
    [A Certification Service Provider shall: exercise reasonable care to ensure the accuracy and completeness of all material representations made by it that are relevant to the Electronic Attestation Certificate throughout its life cycle or that are included in the certificate; Article (21) One:(b)
    A Signatory shall: where an Electronic Attestation Certificate is used to support a Signature Creation Device, exercise reasonable care to ensure the accuracy and completeness of all material representations made by the Signatory which are relevant to the Electronic Attestation Certificate throughout its life cycle Article {19) One:(4)]
    Records management Process or Activity
    Establish, implement, and maintain data processing integrity controls. CC ID 00923
    [Where a rule of law requires a Data Message to be presented or retained in its original form, or provides for certain consequences if not so presented or retained, that requirement is met by a Data Message if: there exists reliable assurance as to the integrity of the information contained in the Data Message from the time when it was first generated in its final form, as an Electronic Document or Record. The criteria for assessing integrity shall be whether the information has remained complete and unaltered, apart from the addition of any endorsement and any change which arises in the normal course of communication, storage and display; and Article (9)(1)]
    Records management Establish Roles
    Establish, implement, and maintain Automated Data Processing validation checks and editing checks. CC ID 00924 Records management Data and Information Management
    Establish, implement, and maintain Automated Data Processing error handling procedures. CC ID 00925 Records management Establish/Maintain Documentation
    Establish, implement, and maintain Automated Data Processing error handling reporting. CC ID 11659 Records management Establish/Maintain Documentation
    Establish, implement, and maintain output distribution procedures. CC ID 00927
    [Where a rule of law requires a Data Message to be presented or retained in its original form, or provides for certain consequences if not so presented or retained, that requirement is met by a Data Message if: if the message allows, when required, the display of the information sought to be presented Article (9)(2)]
    Records management Establish/Maintain Documentation
    Include printed output in output distribution procedures. CC ID 13477 Records management Establish/Maintain Documentation
    Establish, implement, and maintain electronic signature requirements. CC ID 06219
    [Absent proof to the contrary, it shall be presumed that a Secure Electronic Signature: is reliable; Article (10)(3)(a)
    Absent proof to the contrary, it shall be presumed that a Secure Electronic Signature: is the signature of the person to whom it correlates; and Article (10)(3)(b)
    {be unique} {electronic signature} A signature shall be treated as a Secure Electronic Signature if, through the application of a prescribed Secure Authentication Procedure or a commercially reasonable Secure Authentication Procedure agreed to by the parties involved, it can be verified that an Electronic Signature was, at the time it was made: unique to the person using it; Article (17)(1)(a)
    Signatures complying with the requirements of laws of another state may be recognized as legally equivalent to signatures under this Law if the laws of the other state require a level of reliability at least equivalent to that required for such signatures under this Law Article (23)(3)]
    Records management Establish/Maintain Documentation
    Implement a signature revocation service. CC ID 14417
    [A Certification Service Provider shall: provide reasonably accessible means which enable a Relying Party to ascertain: whether a timely signature revocation service is offered; Article (21) One:(c)(7)]
    Records management Business Processes
    Allow electronic signatures to satisfy requirements for written signatures, as necessary. CC ID 11807
    [Where a rule of law requires a signature on a document, or provides for certain consequences in the absence of a signature, that rule is satisfied if the document contains a reliable Electronic Signature within the meaning of Article (18) of this Law Article (8)(1)
    {is not unenforceable} A contract is not invalid or unenforceable solely by reason that Electronic Communication was used in its formation Article (11)(2)]
    Records management Records Management
    Allow authorized parties to authenticate electronic records with electronic signatures. CC ID 11964
    [Absent proof to the contrary, it shall be presumed that a Secure Electronic Signature: was affixed by that person with the intention of signing or approving the Data Message attributed to him Article(10)(3)(c)
    Absent contrary statutory provision, a person may use any form of Electronic authentication Article (8)(2)
    Notwithstanding subsections (2) and (3) above: Where parties agree, as between themselves, to the use of certain types of Electronic Signatures or Electronic Attestation Certificates, that agreement shall be recognized as sufficient for the purpose of cross-border recognition between the various jurisdictions of states, unless that agreement would not be valid or effective under applicable law of the UAE Article (23)(6)(b)]
    Records management Technical Security
    Allow authorized parties to authenticate transactions with electronic signatures. CC ID 11963 Records management Technical Security
    Determine how long to keep records and logs before disposing them. CC ID 11661 Records management Process or Activity
    Retain records in accordance with applicable requirements. CC ID 00968
    [Where the law requires that certain documents, records or information be retained for any reason, that requirement is met by retaining Electronic Records, provided that the following conditions are satisfied: Article (5)(1)
    An obligation to retain documents, records or information in accordance with paragraph (c) of subsection (1) does not extend to any information necessarily or automatically generated solely for the purpose of enabling a message to be sent or received Article (5)(2)]
    Records management Records Management
    Establish, implement, and maintain records management procedures. CC ID 11619 Records management Establish/Maintain Documentation
    Maintain electronic records in an equivalent manner as printed records, as necessary. CC ID 11806
    [Where the law requires that certain documents, records or information be retained for any reason, that requirement is met by retaining Electronic Records, provided that the following conditions are satisfied: the Electronic Record is retained in the format in which it was generated, sent or received, or in a format which can be demonstrated to represent accurately the information generated, sent or received; Article (5)(1)(a)
    If a rule of law requires a statement, document, record, transaction or evidence to be in writing or provides for certain consequences if it is not, an Electronic Document or Record satisfies the requirement if the provisions of subsection (1) of Article (5) of this Law are complied with Article (7)]
    Records management Records Management
    Process restricted information in a secure environment. CC ID 13058 Records management Process or Activity
    Refrain from creating printed records as copies of electronic records. CC ID 11808 Records management Records Management
    Log records as being received into the recordkeeping system. CC ID 11696 Records management Records Management
    Log the date and time each item is received into the recordkeeping system. CC ID 11709
    [Where the law requires that certain documents, records or information be retained for any reason, that requirement is met by retaining Electronic Records, provided that the following conditions are satisfied: such information, if any, is retained as enables the identification of the origin and destination of the Data Message and the date and time when it was sent or received Article (5)(1)(c)]
    Records management Log Management
    Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 Records management Establish/Maintain Documentation
    Establish and maintain access controls for all records. CC ID 00371
    [Where the law requires that certain documents, records or information be retained for any reason, that requirement is met by retaining Electronic Records, provided that the following conditions are satisfied: the information contained therein is accessible so as to be usable for subsequent reference; and Article (5)(1)(b)]
    Records management Records Management
    Establish, implement, and maintain an e-discovery program. CC ID 00976 Records management Establish/Maintain Documentation
    Establish, implement, and maintain legal hold procedures for data and records. CC ID 06810
    [In assessing the evidential weight of Electronic Information, regard shall be given to: the reliability of the manner in which the integrity of the information was maintained; Article (10)(2)(b)]
    Records management Records Management
    Document the evidential weight of the information and the information processing assets. CC ID 00624
    [In assessing the evidential weight of Electronic Information, regard shall be given to: the reliability of the manner in which one or more of the operations of executing, entering, generating, processing, storing, presenting or communicating was performed; Article (10)(2)(a)]
    Records management Establish/Maintain Documentation
    Tailor the e-discovery search methodology to evolve with e-discovery rules. CC ID 00625 Records management Records Management
    Use precedent from the context of paper discovery in the context of e-discovery. CC ID 00626
    [{refrain from preventing} In any legal proceedings, nothing in the application of the rules of evidence shall apply so as to prevent the admission of a Data Message or Electronic Signature in evidence: on the grounds that the message or signature is in Electronic format; or Article (10)(1)(a)]
    Records management Records Management
    Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 Privacy protection for information and data Establish/Maintain Documentation
    Develop remedies and sanctions for privacy policy violations. CC ID 00474 Privacy protection for information and data Data and Information Management
    Define the organization's liability based on the applicable law. CC ID 00504
    [A Signatory shall bear the legal consequences of its failure to satisfy the requirements of Section One of this Article Article (19) Two:
    {electronic attestation certificate} Where an Electronic Signature is supported by a certificate, the Relying Party in respect of such signature shall bear the legal consequences of its failure to take reasonable and necessary steps to verify the validity and enforceability of the certificate, as to whether it is suspended or revoked, and of observing any limitations with respect to the certificate Article (18)(2)
    {not required} Nothing in this Law shall require any person or employee to use or accept information in Electronic format, but a person's consent to do so may be inferred from his affirmative conduct Article (6)(1)]
    Privacy protection for information and data Establish/Maintain Documentation
    Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a supply chain management program. CC ID 11742 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796
    [For the purpose of contracting, an offer or the acceptance of an offer may be expressed, in whole or in part, by Electronic Communication Article (11)(1)
    A contract may be formed by the interaction of Automated Electronic Agents that include two or more Electronic Information Systems preset and preprogrammed to carry out these tasks. Such contract would be valid and enforceable even if no individual was directly involved in the conclusion of the contract within such systems Article (12)(1)
    A contract may be formed between an Automated Electronic Information System in the possession of a natural or legal person and another natural person, where the latter knows or has reason to know that the such a system will automatically conclude or perform the contract Article (12)(2)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Review and update all contracts, as necessary. CC ID 11612 Third Party and supply chain oversight Establish/Maintain Documentation
    Include an indemnification and liability clause in third party contracts. CC ID 06517
    [An Electronic Attestation Certificate shall state: any limitation on the scope or extent of liability which the Certification Service Provider accepts to any person Article (21) Three:(e)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain a supply chain management policy. CC ID 08808 Third Party and supply chain oversight Establish/Maintain Documentation
    Use third parties that are compliant with the applicable requirements. CC ID 08818
    [{retain} {electronic records} A person may satisfy the requirement referred to in subsection (1) by using the services of any other person, if the conditions in that subsection are complied with Article (5)(3)]
    Third Party and supply chain oversight Business Processes
    Conduct all parts of the supply chain due diligence process. CC ID 08854 Third Party and supply chain oversight Business Processes
    Require individual attestations of compliance from each location a third party operates in. CC ID 12228
    [Notwithstanding subsections (2) and (3) above: Parties to commercial and other transactions may specify that a particular Certification Service Provider, class of Certification Service Providers or class of certificates must be used in connection with Data Messages or signatures submitted to them Article (23)(6)(a)]
    Third Party and supply chain oversight Business Processes
    Validate the third parties' compliance to organizationally mandated compliance requirements. CC ID 08819
    [A Certification Service Provider shall: be licensed by the Certification Services Controller if operating in the UAE Article (21) One:(f)]
    Third Party and supply chain oversight Business Processes