0003295
India Information Technology Act 2008, 2008
Parliament of India
Bill or Act
Free
India Information Technology Act (ITA -2008)
India Information Technology Act 2008
2008-12-23
The document as a whole was last reviewed and released on 2021-03-08T00:00:00-0800.
This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools. The mapping team has taken every effort to ensure the quality of mapping is of the highest degree.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of metadata associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub, contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within India Information Technology Act 2008, 2008 that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.
Dictionary Terms – The dictionary terms listed for India Information Technology Act 2008, 2008 are based upon terms found within the Authority Document’s defined terms section (which most legal documents have), its glossary, and, for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.
An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Audits and risk management CC ID 00677 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain an audit program. CC ID 00684 | Establish/Maintain Documentation | Preventive | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Business Processes | Preventive | |
Audit in scope audit items and compliance documents. CC ID 06730 | Audits and Risk Management | Preventive | |
Audit policies, standards, and procedures. CC ID 12927 [Where in any law for the time being in force, there is a provision for audit of documents, records or information, that provision shall also be applicable for audit of documents, records or information processed and maintained in electronic form (ITAA 2008, Standing Committee Recommendation) § III.7A ¶ 1] | Audits and Risk Management | Preventive | |
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Investigate | Detective |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Physical and environmental protection CC ID 00709 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain an environmental control program. CC ID 00724 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain facility maintenance procedures. CC ID 00710 | Establish/Maintain Documentation | Preventive | |
Inspect and maintain the facility and supporting assets. CC ID 06345 [The appropriate Government may, for the purposes of this Chapter and for efficient delivery of services to the public through electronic means authorize, by order, any service provider to set up, maintain and upgrade the computerized facilities and perform such other services as it may specify, by notification in the Official Gazette. § III.6A (1)] | Physical and Environmental Protection | Preventive | |
Test and inspect assets under full load working conditions. CC ID 06356 | Testing | Detective |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Records management CC ID 00902 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain records management policies. CC ID 00903 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a record classification scheme. CC ID 00914 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain electronic signature requirements. CC ID 06219 [The Central Government may, for the purposes of this Act, by rules, prescribe the manner or procedure which facilitates identification of the person affixing the Electronic Signature; § III.10. ¶ 1(c) The Central Government may, for the purposes of this Act, by rules, prescribe any other matter which is necessary to give legal effect to Electronic Signature. § III.10. ¶ 1(e) An electronic signature shall be deemed to be a secure electronic signature if- the signature creation data was stored and affixed in such exclusive manner as may be prescribed § V.15 ¶ 1(ii) For the purposes of this section any electronic signature or electronic authentication technique shall be considered reliable if- it fulfills such other conditions which may be prescribed. § II.3A (2)(e) The Central Government may, for the purposes of this Act, by rules, prescribe the manner and format in which the Electronic Signature shall be affixed; § III.10. ¶ 1(b) For the purposes of this section any electronic signature or electronic authentication technique shall be considered reliable if- any alteration to the information made after its authentication by electronic signature is detectable; and § II.3A (2)(d) For the purposes of this section any electronic signature or electronic authentication technique shall be considered reliable if- any alteration to the electronic signature made after affixing such signature is detectable § II.3A (2)(c) For the purposes of this section any electronic signature or electronic authentication technique shall be considered reliable if- the signature creation data or the authentication data are, within the context in which they are used, linked to the signatory or, as the case may be, the authenticator and of no other person; § II.3A (2)(a) An electronic signature shall be deemed to be a secure electronic signature if- the signature creation data, at the time of affixing signature, was under the exclusive control of signatory and no other person; and § V.15 ¶ 1(i) For the purposes of this section any electronic signature or electronic authentication technique shall be considered reliable if- the signature creation data or the authentication data were, at the time of signing, under the control of the signatory or, as the case may be, the authenticator and of no other person; § II.3A (2)(b)] | Establish/Maintain Documentation | Preventive | |
Implement a signature revocation service. CC ID 14417 | Business Processes | Preventive | |
Allow electronic signatures to satisfy requirements for written signatures, as necessary. CC ID 11807 | Records Management | Preventive | |
Allow authorized parties to authenticate electronic records with electronic signatures. CC ID 11964 [Subject to the provisions of this section any subscriber may authenticate an electronic record by affixing his Digital Signature § II.3.(1) Where any law provides that information or any other matter shall be authenticated by affixing the signature or any document should be signed or bear the signature of any person then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied, if such information or matter is authenticated by means of digital signature affixed in such manner as may be prescribed by the Central Government. § III.5 ¶ 1 The Central Government may, for the purposes of this Act, by rules, prescribe the type of Electronic Signature; § III.10. ¶ 1(a) Notwithstanding anything contained in section 3, but subject to the provisions of sub-section (2), a subscriber may authenticate any electronic record by such electronic signature or electronic authentication technique which- may be specified in the Second Schedule § II.3A (1)(b) Notwithstanding anything contained in section 3, but subject to the provisions of sub-section (2), a subscriber may authenticate any electronic record by such electronic signature or electronic authentication technique which- § II.3A (1) Notwithstanding anything contained in section 3, but subject to the provisions of sub-section (2), a subscriber may authenticate any electronic record by such electronic signature or electronic authentication technique which- is considered reliable ; and § II.3A (1)(a)] | Technical Security | Preventive | |
Allow authorized parties to authenticate transactions with electronic signatures. CC ID 11963 | Technical Security | Preventive | |
Define each system's preservation requirements for records and logs. CC ID 00904 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain a data retention program. CC ID 00906 | Establish/Maintain Documentation | Detective | |
Maintain continued integrity for all stored data and stored records. CC ID 00969 [Where any security procedure has been applied to an electronic record at a specific point of time, then such record shall be deemed to be a secure electronic record from such point of time to the time of verification. § V.14 ¶ 1] | Testing | Detective | |
Determine how long to keep records and logs before disposing them. CC ID 11661 | Process or Activity | Preventive | |
Retain records in accordance with applicable requirements. CC ID 00968 [Where any law provides that documents, records or information shall be retained for any specific period, then, that requirement shall be deemed to have been satisfied if such documents, records or information are retained in the electronic form, - § III.7 (1)] | Records Management | Preventive | |
Establish, implement, and maintain secure record transaction standards with third parties. CC ID 06093 | Establish/Maintain Documentation | Preventive | |
Include transfer agreements in the secure record transaction standards. CC ID 14821 [Save as otherwise agreed to between the originator and the addressee, the dispatch of an electronic record occurs when it enters a computer resource outside the control of the originator. § IV.13 (1)] | Establish/Maintain Documentation | Preventive | |
Include date and time stamp requirements for delivery receipt in the transfer agreements. CC ID 14823 [Save as otherwise agreed between the originator and the addressee, the time of receipt of an electronic record shall be determined as follows, namely - if the addressee has not designated a computer resource along with specified timings, if any, receipt occurs when the electronic record enters the computer resource of the addressee. § IV.13 (2)(b) Where the originator has not stipulated that the electronic record shall be binding only on receipt of such acknowledgment, and the acknowledgment has not been received by the originator within the time specified or agreed or, if no time has been specified or agreed to within a reasonable time, then the originator may give notice to the addressee stating that no acknowledgment has been received by him and specifying a reasonable time by which the acknowledgment must be received by him and if no acknowledgment is received within the aforesaid time limit he may after giving notice to the addressee, treat the electronic record as though it has never been sent. § IV.12 (3)] | Establish/Maintain Documentation | Preventive | |
Include receipt of electronic records in the transfer agreement. CC ID 14822 [if the addressee has designated a computer resource for the purpose of receiving electronic records receipt occurs at the time when the electronic record enters the designated computer resource; or § IV.13 (a)(i)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain records management procedures. CC ID 11619 [{control procedure} The Central Government may, for the purposes of this Act, by rules, prescribe control processes and procedures to ensure adequate integrity, security and confidentiality of electronic records or payments; and § III.10. ¶ 1(d) {Where any law provides for} {then, notwithstanding anything contained in any other law for the time being in force, such requirement shall be deemed to have been satisfied if such filing, issue, grant, receipt or payment, as the case may be, is effected by means of such electronic form as may be prescribed by the appropriate Government} the issue or grant of any license, permit, sanction or approval by whatever name called in a particular manner; § III.6 (1)(b)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain source document authorization tracking. CC ID 01262 | Records Management | Detective | |
Review the information that the organization collects, processes, and stores, as necessary. CC ID 12988 | Business Processes | Detective | |
Review the information classification of the information that the organization collects, processes, and stores, as necessary. CC ID 13008 | Process or Activity | Detective | |
Review the electronic storage media for the information the organization collects and processes. CC ID 13009 | Process or Activity | Detective | |
Remove non-public information from publicly accessible systems. CC ID 14246 | Data and Information Management | Corrective | |
Establish, implement, and maintain source document error handling tracking. CC ID 01263 | Records Management | Detective | |
Maintain electronic records in an equivalent manner as printed records, as necessary. CC ID 11806 [Where any law provides that documents, records or information shall be retained for any specific period, then, that requirement shall be deemed to have been satisfied if such documents, records or information are retained in the electronic form,- the electronic record is retained in the format in which it was originally generated, sent or received or in a format which can be demonstrated to represent accurately the information originally generated, sent or received; § III.7 (1)(b) Where any law provides that information or any other matter shall be in writing or in the typewritten or printed form, then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied if such information or matter is rendered or made available in an electronic form; and § III.4 ¶ 1(a) Nothing contained in sections 6, 7 and 8 shall confer a right upon any person to insist that any Ministry or Department of the Central Government or the State Government or any authority or body established by or under any law or controlled or funded by the Central or State Government should accept, issue, create, retain and preserve any document in the form of electronic records or effect any monetary transaction in the electronic form. § III.9 ¶ 1 Where any law provides that information or any other matter shall be in writing or in the typewritten or printed form, then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied if such information or matter is accessible so as to be usable for a subsequent reference § III.4 ¶ 1(b)] | Records Management | Preventive | |
Process restricted information in a secure environment. CC ID 13058 | Process or Activity | Preventive | |
Refrain from creating printed records as copies of electronic records. CC ID 11808 | Records Management | Preventive | |
Assign ownership for all electronic records. CC ID 14814 [An electronic record shall be attributed to the originator § IV.11 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain data input and data access authorization tracking. CC ID 00920 | Monitor and Evaluate Occurrences | Detective | |
Validate transactions against master files of third parties and clients, as necessary. CC ID 06552 | Records Management | Detective | |
Attribute electronic records, as necessary. CC ID 14820 [An electronic record shall be attributed to the originator if it was sent by the originator himself; § IV.11 ¶ 1(a) An electronic record shall be attributed to the originator by an information system programmed by or on behalf of the originator to operate automatically. § IV.11 ¶ 1(c) An electronic record shall be attributed to the originator by a person who had the authority to act on behalf of the originator in respect of that electronic record; or § IV.11 ¶ 1(b)] | Establish/Maintain Documentation | Preventive | |
Validate transactions using identifiers and credentials. CC ID 13203 | Technical Security | Preventive | |
Establish, implement, and maintain a system storage log. CC ID 13532 | Records Management | Preventive | |
Establish, implement, and maintain a system input log. CC ID 13531 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain data accuracy controls. CC ID 00921 | Monitor and Evaluate Occurrences | Detective | |
Protect records from loss in accordance with applicable requirements. CC ID 12007 | Records Management | Preventive | |
Establish, implement, and maintain data completeness controls. CC ID 11649 | Process or Activity | Preventive | |
Capture the records required by organizational compliance requirements. CC ID 00912 | Records Management | Detective | |
Establish, implement, and maintain authorization records. CC ID 14367 | Establish/Maintain Documentation | Preventive | |
Include the reasons for granting the authorization in the authorization records. CC ID 14371 | Establish/Maintain Documentation | Preventive | |
Include the date and time the authorization was granted in the authorization records. CC ID 14370 | Establish/Maintain Documentation | Preventive | |
Include the person's name who approved the authorization in the authorization records. CC ID 14369 | Establish/Maintain Documentation | Preventive | |
Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555 | Data and Information Management | Detective | |
Establish, implement, and maintain electronic health records. CC ID 14436 | Data and Information Management | Preventive | |
Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437 | Data and Information Management | Preventive | |
Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438 | Records Management | Preventive | |
Display required information automatically in electronic health records. CC ID 14442 | Process or Activity | Preventive | |
Create summary of care records in accordance with applicable standards. CC ID 14440 | Establish/Maintain Documentation | Preventive | |
Provide the patient with a summary of care record, as necessary. CC ID 14441 | Actionable Reports or Measurements | Preventive | |
Create export summaries, as necessary. CC ID 14446 | Process or Activity | Preventive | |
Import data files into a patient's electronic health record. CC ID 14448 | Data and Information Management | Preventive | |
Export requested sections of the electronic health record. CC ID 14447 | Data and Information Management | Preventive | |
Identify patient-specific education resources. CC ID 14439 | Process or Activity | Detective | |
Establish and maintain an implantable device list. CC ID 14444 | Records Management | Preventive | |
Display the implantable device list to authorized users. CC ID 14445 | Data and Information Management | Preventive | |
Establish, implement, and maintain decision support interventions. CC ID 14443 | Business Processes | Preventive | |
Include attributes in the decision support intervention. CC ID 16766 | Data and Information Management | Preventive | |
Establish, implement, and maintain a recordkeeping system. CC ID 15709 | Records Management | Preventive | |
Log the termination date in the recordkeeping system. CC ID 16181 | Records Management | Preventive | |
Log the name of the requestor in the recordkeeping system. CC ID 15712 | Records Management | Preventive | |
Log the date and time each item is accessed in the recordkeeping system. CC ID 15711 | Records Management | Preventive | |
Log records as being received into the recordkeeping system. CC ID 11696 | Records Management | Preventive | |
Log the date and time each item is received into the recordkeeping system. CC ID 11709 | Log Management | Preventive | |
Log the date and time each item is made available into the recordkeeping system. CC ID 11710 | Log Management | Preventive | |
Log the number of routine items received into the recordkeeping system. CC ID 11701 | Establish/Maintain Documentation | Preventive | |
Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707 | Log Management | Preventive | |
Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705 | Log Management | Preventive | |
Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703 | Log Management | Preventive | |
Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711 | Log Management | Preventive | |
Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718 | Log Management | Preventive | |
Log responses to inquiries, annotating the send date for each response into the recordkeeping system. CC ID 11719 | Log Management | Preventive | |
Log the number of non-routine items received into the recordkeeping system. CC ID 11706 | Log Management | Preventive | |
Log the documentation of determination that items received are not routine into the recordkeeping system. CC ID 11716 | Log Management | Preventive | |
Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708 | Log Management | Preventive | |
Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704 | Log Management | Preventive | |
Log performance monitoring into the recordkeeping system. CC ID 11724 | Log Management | Preventive | |
Log the number of inquiries pending as of the close of business into the recordkeeping system. CC ID 11728 | Log Management | Preventive | |
Log the number of inquiries received but not responded to within the required time frame into the recordkeeping system. CC ID 11727 | Log Management | Preventive | |
Establish, implement, and maintain a transfer journal. CC ID 11729 | Records Management | Preventive | |
Log any notices filed by the organization into the recordkeeping system. CC ID 11725 [{Where any law provides for} {then, notwithstanding anything contained in any other law for the time being in force, such requirement shall be deemed to have been satisfied if such filing, issue, grant, receipt or payment, as the case may be, is effected by means of such electronic form as may be prescribed by the appropriate Government} the filing of any form, application or any other document with any office, authority, body or agency owned or controlled by the appropriate Government in a particular manner; § III.6 (1)(a)] | Log Management | Preventive | |
Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723 | Log Management | Preventive | |
Log the date each certificate is made available to interested personnel and affected parties into the recordkeeping system. CC ID 11720 | Log Management | Preventive | |
Log the number of items not processed within the required time frame into the recordkeeping system. CC ID 11717 | Log Management | Preventive | |
Provide a receipt of records logged into the recordkeeping system. CC ID 11697 [Where the originator has not agreed with stipulated that the acknowledgment of receipt of electronic record be given in a particular form or by a particular method, an acknowledgment may be given by any communication by the addressee, automated or otherwise; or § IV.12 (1)(a) Where the originator has not agreed with stipulated that the acknowledgment of receipt of electronic record be given in a particular form or by a particular method, an acknowledgment may be given by any conduct of the addressee, sufficient to indicate to the originator that the electronic record has been received. § IV.12 (1)(b) if the addressee has designated a computer resource for the purpose of receiving electronic records if the electronic record is sent to a computer resource of the addressee that is not the designated computer resource, receipt occurs at the time when the electronic record is retrieved by the addressee; § IV.13 (2)(a)(ii) {refrain from sending} Where the originator has stipulated that the electronic record shall be binding only on receipt of an acknowledgment of such electronic record by him, then unless acknowledgment has been so received, the electronic record shall be deemed to have been never sent by the originator. § IV.12 (2)] | Records Management | Preventive | |
Log the appointments and termination of appointments of registered transfer agents into the recordkeeping system. CC ID 11712 | Log Management | Preventive | |
Log any stop orders or notices of adverse claims into the recordkeeping system. CC ID 11726 | Log Management | Preventive | |
Log the number of items processed within the required time frame into the recordkeeping system. CC ID 11715 | Log Management | Preventive | |
Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720 | Data and Information Management | Detective | |
Establish, implement, and maintain data availability controls. CC ID 15301 | Data and Information Management | Preventive | |
Include record integrity techniques in the records management procedures. CC ID 06418 | Establish/Maintain Documentation | Preventive | |
Note in electronic records converted from printed records, the location of the original. CC ID 11809 | Records Management | Preventive | |
Incorporate desktop publishing into the organization's Records Management program. CC ID 06535 | Establish/Maintain Documentation | Preventive | |
Provide structures for browsing records stored in the Electronic Document and Records Management system. CC ID 10009 | Business Processes | Preventive | |
Provide structures for searching for items stored in the Electronic Document and Records Management system. CC ID 10010 | Business Processes | Preventive | |
Provide structures for downloading records from the Electronic Document and Records Management system. CC ID 10011 [{is accessible} Where any law provides that documents, records or information shall be retained for any specific period, then, that requirement shall be deemed to have been satisfied if such documents, records or information are retained in the electronic form,- the information contained therein remains accessible so as to be usable for a subsequent reference; § III.7 (1)(a)] | Business Processes | Preventive | |
Provide structures for managing e-mail stored in the Electronic Document and Records Management system. CC ID 10012 | Business Processes | Preventive | |
Provide structures for authorized parties to approve record updates in the Electronic Document and Records Management system. CC ID 11965 | Records Management | Preventive | |
Provide structures for version control of records stored in the Electronic Document and Records Management system. CC ID 10013 | Business Processes | Preventive | |
Control error handling when data is being inputted. CC ID 00922 | Data and Information Management | Detective | |
Establish, implement, and maintain electronic storage media security controls. CC ID 13204 | Technical Security | Preventive | |
Use automated entry devices to reduce errors during data input. CC ID 06626 | Data and Information Management | Preventive | |
Establish, implement, and maintain data processing integrity controls. CC ID 00923 | Establish Roles | Preventive | |
Compare each record's data input to its final form. CC ID 11813 | Records Management | Detective | |
Sanitize user input in accordance with organizational standards. CC ID 16856 | Process or Activity | Preventive | |
Establish, implement, and maintain Automated Data Processing validation checks and editing checks. CC ID 00924 | Data and Information Management | Preventive | |
Establish, implement, and maintain Automated Data Processing error handling procedures. CC ID 00925 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Automated Data Processing error handling reporting. CC ID 11659 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain document security requirements for the output of records. CC ID 11656 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain document handling procedures for paper documents. CC ID 00926 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain security label procedures. CC ID 06747 | Establish/Maintain Documentation | Preventive | |
Label restricted storage media appropriately. CC ID 00966 | Data and Information Management | Preventive | |
Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 | Records Management | Detective | |
Establish, implement, and maintain restricted material identification procedures. CC ID 01889 | Establish/Maintain Documentation | Preventive | |
Conspicuously locate the restricted record's overall classification. CC ID 01890 | Establish/Maintain Documentation | Preventive | |
Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 | Establish/Maintain Documentation | Preventive | |
Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 | Establish/Maintain Documentation | Preventive | |
Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 | Establish/Maintain Documentation | Preventive | |
Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 | Establish/Maintain Documentation | Preventive | |
Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 | Data and Information Management | Preventive | |
Establish, implement, and maintain label inheritance mechanisms for aggregate data sets. CC ID 06957 | Technical Security | Preventive | |
Establish the minimum originator requirements for security labels. CC ID 06579 | Establish/Maintain Documentation | Preventive | |
Establish the minimum intermediate system requirements for security labels. CC ID 06581 | Establish/Maintain Documentation | Preventive | |
Establish the minimum receiver requirements for records or electronic storage media marked with security labels. CC ID 06580 | Establish/Maintain Documentation | Preventive | |
Establish policy based processing rules to process incoming records or electronic storage media marked with security labels. CC ID 06582 | Establish/Maintain Documentation | Preventive | |
Establish and maintain access controls for all records. CC ID 00371 | Records Management | Preventive | |
Reproduce materials containing restricted data or restricted information in accordance with compliance requirements. CC ID 02202 | Data and Information Management | Preventive | |
Establish, implement, and maintain a records lifecycle management program. CC ID 00951 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an information preservation policy. CC ID 16483 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain information preservation procedures. CC ID 06277 | Establish/Maintain Documentation | Preventive | |
Implement and maintain high availability storage, as necessary. CC ID 00952 | Technical Security | Preventive | |
Implement and maintain backups and duplicate copies of organizational records. CC ID 00953 | Records Management | Preventive | |
Establish, implement, and maintain the duplicate original of record indexes. CC ID 00954 | Records Management | Preventive | |
Establish, implement, and maintain a transparent storage media strategy. CC ID 00932 | Records Management | Preventive | |
Establish, implement, and maintain an online availability plan that is commensurate with the electronic storage media. CC ID 00934 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain online storage monitoring and reporting capabilities. CC ID 00935 | Monitor and Evaluate Occurrences | Detective | |
Establish, implement, and maintain online storage controls. CC ID 00942 | Technical Security | Preventive | |
Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 | Records Management | Preventive | |
Store records on non-rewritable, non-erasable storage media formats, as necessary. CC ID 00944 | Testing | Detective | |
Provide encryption for different types of electronic storage media. CC ID 00945 | Technical Security | Preventive | |
Implement electronic storage media integrity controls. CC ID 00946 | Configuration | Preventive | |
Automate electronic storage media integrity check controls. CC ID 00948 | Configuration | Preventive | |
Provide capacity for indexes on electronic storage media, as necessary. CC ID 00950 | Configuration | Preventive | |
Provide audit trails for all pertinent records. CC ID 00372 [Where any law provides that documents, records or information shall be retained for any specific period, then, that requirement shall be deemed to have been satisfied if such documents, records or information are retained in the electronic form,- the details which will facilitate the identification of the origin, destination, date and time of dispatch or receipt of such electronic record are available in the electronic record: § III.7 (1)(c)] | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain a removable storage media log. CC ID 12317 | Log Management | Preventive | |
Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320 | Establish/Maintain Documentation | Preventive | |
Include the date and time in the removable storage media log. CC ID 12318 | Establish/Maintain Documentation | Preventive | |
Include the name and signature of the current custodian in the removable storage media log. CC ID 12315 | Establish/Maintain Documentation | Preventive | |
Include the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 | Establish/Maintain Documentation | Preventive | |
Include the recipient's name for the data transfer in the removable storage media log. CC ID 12753 | Establish/Maintain Documentation | Preventive | |
Include the sender's name in the removable storage media log. CC ID 12752 | Establish/Maintain Documentation | Preventive | |
Include the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 | Establish/Maintain Documentation | Preventive | |
Include the reason for transfer in the removable storage media log. CC ID 12316 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain storage media downgrading procedures. CC ID 10619 | Process or Activity | Preventive | |
Identify electronic storage media that require downgrading. CC ID 10620 | Process or Activity | Detective | |
Downgrade electronic storage media, as necessary. CC ID 10621 | Process or Activity | Corrective | |
Document all actions taken when downgrading electronic storage media. CC ID 10622 | Establish/Maintain Documentation | Preventive | |
Test the storage media downgrade for correct performance. CC ID 10623 | Testing | Detective | |
Establish, implement, and maintain output distribution procedures. CC ID 00927 | Establish/Maintain Documentation | Preventive | |
Include printed output in output distribution procedures. CC ID 13477 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain document retention procedures. CC ID 11660 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain electronic media distribution procedures. CC ID 11650 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain output balancing audit trails. CC ID 00928 | Establish/Maintain Documentation | Detective | |
Establish and maintain an error suspense file for rejected transactions. CC ID 06623 | Records Management | Preventive | |
Establish and maintain reconciliation audit trails. CC ID 11647 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a data processing output log. CC ID 06624 | Log Management | Preventive | |
Establish, implement, and maintain output review and error handling checks with end users. CC ID 00929 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain paper document integrity requirements for the output of records. CC ID 00930 | Establish/Maintain Documentation | Preventive | |
Review and approve output exceptions. CC ID 06625 | Records Management | Preventive | |
Perform regularly scheduled quality and integrity control reviews of output of records. CC ID 06627 | Testing | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Technical security CC ID 00508 | IT Impact Zone | IT Impact Zone | |
Manage the use of encryption controls and cryptographic controls. CC ID 00570 [The authentication of the electronic record shall be effected by the use of asymmetric crypto system and hash function which envelop and transform the initial electronic record into another electronic record. § II.3.(2)] | Technical Security | Preventive | |
Comply with the encryption laws of the local country. CC ID 16377 | Business Processes | Preventive | |
Define the cryptographic module security functions and the cryptographic module operational modes. CC ID 06542 | Establish/Maintain Documentation | Preventive | |
Define the cryptographic boundaries. CC ID 06543 | Establish/Maintain Documentation | Preventive | |
Establish and maintain the documentation requirements for cryptographic modules. CC ID 06544 | Establish/Maintain Documentation | Preventive | |
Establish and maintain the security requirements for cryptographic module ports and cryptographic module interfaces. CC ID 06545 | Establish/Maintain Documentation | Preventive | |
Implement the documented cryptographic module security functions. CC ID 06755 | Data and Information Management | Preventive | |
Establish, implement, and maintain documentation for the delivery and operation of cryptographic modules. CC ID 06547 | Establish/Maintain Documentation | Preventive | |
Document the operation of the cryptographic module. CC ID 06546 | Establish/Maintain Documentation | Preventive | |
Employ cryptographic controls that comply with applicable requirements. CC ID 12491 | Technical Security | Preventive | |
Establish, implement, and maintain digital signatures. CC ID 13828 | Data and Information Management | Preventive | |
Include the expiration date in digital signatures. CC ID 13833 | Data and Information Management | Preventive | |
Include audience restrictions in digital signatures. CC ID 13834 | Data and Information Management | Preventive | |
Include the subject in digital signatures. CC ID 13832 | Data and Information Management | Preventive | |
Include the issuer in digital signatures. CC ID 13831 | Data and Information Management | Preventive | |
Include identifiers in the digital signature. CC ID 13829 | Data and Information Management | Preventive | |
Generate and protect a secret random number for each digital signature. CC ID 06577 | Establish/Maintain Documentation | Preventive | |
Establish the security strength requirements for the digital signature process. CC ID 06578 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546 | Establish/Maintain Documentation | Preventive | |
Refrain from allowing the use of cleartext for input or output of restricted data or restricted information. CC ID 04823 | Configuration | Preventive | |
Encrypt in scope data or in scope information, as necessary. CC ID 04824 | Data and Information Management | Preventive | |
Digitally sign records and data, as necessary. CC ID 16507 | Data and Information Management | Preventive | |
Make key usage for data fields unique for each device. CC ID 04828 | Technical Security | Preventive | |
Decrypt restricted data for the minimum time required. CC ID 12308 | Data and Information Management | Preventive | |
Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 | Data and Information Management | Preventive | |
Accept only trusted keys and/or certificates. CC ID 11988 | Technical Security | Preventive | |
Establish, implement, and maintain cryptographic key creation domain parameter requirements. CC ID 06575 | Data and Information Management | Preventive | |
Define the asymmetric signature field for the CHUID container on identification cards or badges. CC ID 06584 | Process or Activity | Preventive | |
Implement cryptographic operations and support functions on identification cards or badges. CC ID 06585 | Process or Activity | Preventive | |
Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 | Communicate | Preventive | |
Define the format of the biometric data on identification cards or badges. CC ID 06586 | Process or Activity | Preventive | |
Protect salt values and hash values in accordance with organizational standards. CC ID 16471 | Data and Information Management | Preventive | |
Provide guidance to customers on how to securely transmit, store, and update cryptographic keys. CC ID 12040 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the encryption management procedures to all interested personnel and affected parties. CC ID 15477 | Communicate | Preventive | |
Establish, implement, and maintain encryption management procedures. CC ID 15475 | Establish/Maintain Documentation | Preventive | |
Define and assign cryptographic, encryption and key management roles and responsibilities. CC ID 15470 | Establish Roles | Preventive | |
Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate cryptographic key management procedures to interested personnel and affected parties. CC ID 13164 | Communicate | Preventive | |
Bind keys to each identity. CC ID 12337 [The private key and the public key are unique to the subscriber and constitute a functioning key pair. § II.3.(4) Any person by the use of a public key of the subscriber can verify the electronic record. § II.3.(3)] | Technical Security | Preventive | |
Include recommended cryptographic key management procedures for cloud service providers in the cryptographic key management procedures. CC ID 13152 | Establish/Maintain Documentation | Preventive | |
Include requesting cryptographic key types in the cryptographic key management procedures. CC ID 13151 | Establish/Maintain Documentation | Preventive | |
Recover encrypted data for lost cryptographic keys, compromised cryptographic keys, or damaged cryptographic keys. CC ID 01301 | Data and Information Management | Preventive | |
Generate strong cryptographic keys. CC ID 01299 | Data and Information Management | Preventive | |
Generate unique cryptographic keys for each user. CC ID 12169 [The private key and the public key are unique to the subscriber and constitute a functioning key pair. § II.3.(4)] | Technical Security | Preventive | |
Use approved random number generators for creating cryptographic keys. CC ID 06574 | Data and Information Management | Preventive | |
Implement decryption keys so that they are not linked to user accounts. CC ID 06851 | Technical Security | Preventive | |
Include the establishment of cryptographic keys in the cryptographic key management procedures. CC ID 06540 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate cryptographic keys securely. CC ID 01300 | Data and Information Management | Preventive | |
Control the input and output of cryptographic keys from a cryptographic module. CC ID 06541 | Data and Information Management | Preventive | |
Store cryptographic keys securely. CC ID 01298 | Data and Information Management | Preventive | |
Restrict access to cryptographic keys. CC ID 01297 | Data and Information Management | Preventive | |
Store cryptographic keys in encrypted format. CC ID 06084 | Data and Information Management | Preventive | |
Store key-encrypting keys and data-encrypting keys in different locations. CC ID 06085 | Technical Security | Preventive | |
Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 | Establish/Maintain Documentation | Preventive | |
Change cryptographic keys in accordance with organizational standards. CC ID 01302 | Data and Information Management | Preventive | |
Destroy cryptographic keys promptly after the retention period. CC ID 01303 | Data and Information Management | Preventive | |
Control cryptographic keys with split knowledge and dual control. CC ID 01304 | Data and Information Management | Preventive | |
Prevent the unauthorized substitution of cryptographic keys. CC ID 01305 | Data and Information Management | Preventive | |
Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys. CC ID 06852 | Technical Security | Preventive | |
Revoke old cryptographic keys or invalid cryptographic keys immediately. CC ID 01307 | Data and Information Management | Corrective | |
Replace known or suspected compromised cryptographic keys immediately. CC ID 01306 | Data and Information Management | Corrective | |
Archive outdated cryptographic keys. CC ID 06884 | Data and Information Management | Preventive | |
Archive revoked cryptographic keys. CC ID 11819 | Data and Information Management | Preventive | |
Require key custodians to sign the cryptographic key management policy. CC ID 01308 | Establish/Maintain Documentation | Preventive | |
Require key custodians to sign the key custodian's roles and responsibilities. CC ID 11820 | Human Resources Management | Preventive | |
Test cryptographic key management applications, as necessary. CC ID 04829 | Testing | Detective | |
Manage the digital signature cryptographic key pair. CC ID 06576 | Data and Information Management | Preventive | |
Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates. CC ID 06587 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Public Key certificate application procedures. CC ID 07079 | Establish/Maintain Documentation | Preventive | |
Establish a Registration Authority to support the Public Key Infrastructure. CC ID 15725 | Establish Roles | Preventive | |
Include the Identification and Authentication of individuals or entities in the Public Key certificate application procedures. CC ID 07080 | Establish/Maintain Documentation | Preventive | |
Include approving or rejecting Public Key certificate applications in the Public Key certificate application procedure. CC ID 07081 | Establish/Maintain Documentation | Preventive | |
Include revocation of Public Key certificates in the Public Key certificate procedures. CC ID 07082 | Establish/Maintain Documentation | Preventive | |
Publish revoked Public Key certificates in the Certificate Revocation List. CC ID 07089 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Public Key renewal or rekeying request procedures. CC ID 07083 | Establish/Maintain Documentation | Preventive | |
Include identification and authentication in Public Key renewal or rekeying request procedures. CC ID 11816 | Establish/Maintain Documentation | Preventive | |
Issue authentication mechanisms that support the Public Key Infrastructure. CC ID 07092 | Technical Security | Preventive | |
Establish a Root Certification Authority to support the Public Key Infrastructure. CC ID 07084 | Technical Security | Preventive | |
Establish, implement, and maintain Public Key certificate procedures. CC ID 07085 | Establish/Maintain Documentation | Preventive | |
Include signing and issuing Public Key certificates in the Public Key certificate procedures. CC ID 11817 | Establish/Maintain Documentation | Preventive | |
Include publishing Public Key certificates in the Public Key certificate procedures. CC ID 07087 | Establish/Maintain Documentation | Preventive | |
Include access to issued Public Key certificates in the Public Key certificate procedures. CC ID 07086 | Establish/Maintain Documentation | Preventive | |
Connect the Public Key Infrastructure to the organization's identity and access management system. CC ID 07091 | Technical Security | Preventive | |
Archive Public Key certificate records according to organizational Records Management rules. CC ID 07090 | Records Management | Preventive | |
Refrain from storing encryption keys with cloud service providers when cryptographic key management services are in place locally. CC ID 13153 | Technical Security | Preventive | |
Refrain from permitting cloud service providers to manage encryption keys when cryptographic key management services are in place locally. CC ID 13154 | Technical Security | Preventive | |
Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564 | Technical Security | Preventive | |
Ensure restricted data or restricted information are encrypted prior to or at the time of transmission. CC ID 01749 | Configuration | Preventive | |
Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 | Technical Security | Preventive | |
Encrypt traffic over networks with trusted cryptographic keys. CC ID 12490 | Technical Security | Preventive | |
Authorize transactions of data transmitted over public networks or shared data networks. CC ID 00566 | Establish/Maintain Documentation | Preventive | |
Implement non-repudiation for transactions. CC ID 00567 | Testing | Detective | |
Treat data messages that do not receive an acknowledgment as never having been sent. CC ID 14416 | Technical Security | Preventive | |
Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 | Technical Security | Preventive | |
Protect application services information transmitted over a public network from unauthorized modification. CC ID 12021 | Technical Security | Preventive | |
Protect application services information transmitted over a public network from unauthorized disclosure. CC ID 12020 | Technical Security | Preventive | |
Protect application services information transmitted over a public network from contract disputes. CC ID 12019 | Technical Security | Preventive | |
Protect application services information transmitted over a public network from fraudulent activity. CC ID 12018 | Technical Security | Preventive |
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Third Party and supply chain oversight CC ID 08807 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 [{be enforceable} {electronic means} Where in a contract formation, the communication of proposals, the acceptance of proposals, the revocation of proposals and acceptances, as the case may be, are expressed in electronic form or by means of an electronic record, such contract shall not be deemed to be unenforceable solely on the ground that such electronic form or means was used for that purpose. § III.10A ¶ 1] | Establish/Maintain Documentation | Preventive | |
Review and update all contracts, as necessary. CC ID 11612 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838 | Process or Activity | Preventive | |
Track all chargeable items in Service Level Agreements. CC ID 11616 [The appropriate Government shall, by notification in the Official Gazette, specify the scale of service charges which may be charged and collected by the service providers under this section: § III.6A (4) The appropriate Government may also authorize any service provider authorized under sub-section (1) to collect, retain and appropriate service charges, as may be prescribed by the appropriate Government for the purpose of providing such services, from the person availing such service. § III.6A (2) Subject to the provisions of sub-section (2), the appropriate Government may authorize the service providers to collect, retain and appropriate service charges under this section notwithstanding the fact that there is no express provision under the Act, rule, regulation or notification under which the service is provided to collect, retain and appropriate e-service charges by the service providers. § III.6A (3)] | Business Processes | Detective | |
Document all chargeable items in Service Level Agreements. CC ID 00844 [Provided that the appropriate Government may specify different scale of service charges for different types of services. § III.6A (4) ¶ 1 Where any law provides for the receipt or payment of money in a particular manner, then, notwithstanding anything contained in any other law for the time being in force, such requirement shall be deemed to have been satisfied if such filing, issue, grant, receipt or payment, as the case may be, is effected by means of such electronic form as may be prescribed by the appropriate Government. § III.6 (1)(c)] | Establish/Maintain Documentation | Detective |
Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Provide the patient with a summary of care record, as necessary. CC ID 14441 | Records management | Preventive |
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Audit in scope audit items and compliance documents. CC ID 06730 | Audits and risk management | Preventive | |
Audit policies, standards, and procedures. CC ID 12927 [Where in any law for the time being in force, there is a provision for audit of documents, records or information, that provision shall also be applicable for audit of documents, records or information processed and maintained in electronic form (ITAA 2008, Standing Committee Recommendation) § III.7A ¶ 1] | Audits and risk management | Preventive |
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Audits and risk management | Preventive | |
Comply with the encryption laws of the local country. CC ID 16377 | Technical security | Preventive | |
Implement a signature revocation service. CC ID 14417 | Records management | Preventive | |
Review the information that the organization collects, processes, and stores, as necessary. CC ID 12988 | Records management | Detective | |
Establish, implement, and maintain decision support interventions. CC ID 14443 | Records management | Preventive | |
Provide structures for browsing records stored in the Electronic Document and Records Management system. CC ID 10009 | Records management | Preventive | |
Provide structures for searching for items stored in the Electronic Document and Records Management system. CC ID 10010 | Records management | Preventive | |
Provide structures for downloading records from the Electronic Document and Records Management system. CC ID 10011 [{is accessible} Where any law provides that documents, records or information shall be retained for any specific period, then, that requirement shall be deemed to have been satisfied if such documents, records or information are retained in the electronic form,- the information contained therein remains accessible so as to be usable for a subsequent reference; § III.7 (1)(a)] | Records management | Preventive | |
Provide structures for managing e-mail stored in the Electronic Document and Records Management system. CC ID 10012 | Records management | Preventive | |
Provide structures for version control of records stored in the Electronic Document and Records Management system. CC ID 10013 | Records management | Preventive | |
Track all chargeable items in Service Level Agreements. CC ID 11616 [The appropriate Government shall, by notification in the Official Gazette, specify the scale of service charges which may be charged and collected by the service providers under this section: § III.6A (4) The appropriate Government may also authorize any service provider authorized under sub-section (1) to collect, retain and appropriate service charges, as may be prescribed by the appropriate Government for the purpose of providing such services, from the person availing such service. § III.6A (2) Subject to the provisions of sub-section (2), the appropriate Government may authorize the service providers to collect, retain and appropriate service charges under this section notwithstanding the fact that there is no express provision under the Act, rule, regulation or notification under which the service is provided to collect, retain and appropriate e-service charges by the service providers. § III.6A (3)] | Third Party and supply chain oversight | Detective |
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 | Technical security | Preventive | |
Disseminate and communicate the encryption management procedures to all interested personnel and affected parties. CC ID 15477 | Technical security | Preventive | |
Disseminate and communicate cryptographic key management procedures to interested personnel and affected parties. CC ID 13164 | Technical security | Preventive |
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Refrain from allowing the use of cleartext for input or output of restricted data or restricted information. CC ID 04823 | Technical security | Preventive | |
Ensure restricted data or restricted information are encrypted prior to or at the time of transmission. CC ID 01749 | Technical security | Preventive | |
Implement electronic storage media integrity controls. CC ID 00946 | Records management | Preventive | |
Automate electronic storage media integrity check controls. CC ID 00948 | Records management | Preventive | |
Provide capacity for indexes on electronic storage media, as necessary. CC ID 00950 | Records management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Implement the documented cryptographic module security functions. CC ID 06755 | Technical security | Preventive | |
Establish, implement, and maintain digital signatures. CC ID 13828 | Technical security | Preventive | |
Include the expiration date in digital signatures. CC ID 13833 | Technical security | Preventive | |
Include audience restrictions in digital signatures. CC ID 13834 | Technical security | Preventive | |
Include the subject in digital signatures. CC ID 13832 | Technical security | Preventive | |
Include the issuer in digital signatures. CC ID 13831 | Technical security | Preventive | |
Include identifiers in the digital signature. CC ID 13829 | Technical security | Preventive | |
Encrypt in scope data or in scope information, as necessary. CC ID 04824 | Technical security | Preventive | |
Digitally sign records and data, as necessary. CC ID 16507 | Technical security | Preventive | |
Decrypt restricted data for the minimum time required. CC ID 12308 | Technical security | Preventive | |
Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 | Technical security | Preventive | |
Establish, implement, and maintain cryptographic key creation domain parameter requirements. CC ID 06575 | Technical security | Preventive | |
Protect salt values and hash values in accordance with organizational standards. CC ID 16471 | Technical security | Preventive | |
Recover encrypted data for lost cryptographic keys, compromised cryptographic keys, or damaged cryptographic keys. CC ID 01301 | Technical security | Preventive | |
Generate strong cryptographic keys. CC ID 01299 | Technical security | Preventive | |
Use approved random number generators for creating cryptographic keys. CC ID 06574 | Technical security | Preventive | |
Disseminate and communicate cryptographic keys securely. CC ID 01300 | Technical security | Preventive | |
Control the input and output of cryptographic keys from a cryptographic module. CC ID 06541 | Technical security | Preventive | |
Store cryptographic keys securely. CC ID 01298 | Technical security | Preventive | |
Restrict access to cryptographic keys. CC ID 01297 | Technical security | Preventive | |
Store cryptographic keys in encrypted format. CC ID 06084 | Technical security | Preventive | |
Change cryptographic keys in accordance with organizational standards. CC ID 01302 | Technical security | Preventive | |
Destroy cryptographic keys promptly after the retention period. CC ID 01303 | Technical security | Preventive | |
Control cryptographic keys with split knowledge and dual control. CC ID 01304 | Technical security | Preventive | |
Prevent the unauthorized substitution of cryptographic keys. CC ID 01305 | Technical security | Preventive | |
Revoke old cryptographic keys or invalid cryptographic keys immediately. CC ID 01307 | Technical security | Corrective | |
Replace known or suspected compromised cryptographic keys immediately. CC ID 01306 | Technical security | Corrective | |
Archive outdated cryptographic keys. CC ID 06884 | Technical security | Preventive | |
Archive revoked cryptographic keys. CC ID 11819 | Technical security | Preventive | |
Manage the digital signature cryptographic key pair. CC ID 06576 | Technical security | Preventive | |
Remove non-public information from publicly accessible systems. CC ID 14246 | Records management | Corrective | |
Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555 | Records management | Detective | |
Establish, implement, and maintain electronic health records. CC ID 14436 | Records management | Preventive | |
Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437 | Records management | Preventive | |
Import data files into a patient's electronic health record. CC ID 14448 | Records management | Preventive | |
Export requested sections of the electronic health record. CC ID 14447 | Records management | Preventive | |
Display the implantable device list to authorized users. CC ID 14445 | Records management | Preventive | |
Include attributes in the decision support intervention. CC ID 16766 | Records management | Preventive | |
Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720 | Records management | Detective | |
Establish, implement, and maintain data availability controls. CC ID 15301 | Records management | Preventive | |
Control error handling when data is being inputted. CC ID 00922 | Records management | Detective | |
Use automated entry devices to reduce errors during data input. CC ID 06626 | Records management | Preventive | |
Establish, implement, and maintain Automated Data Processing validation checks and editing checks. CC ID 00924 | Records management | Preventive | |
Label restricted storage media appropriately. CC ID 00966 | Records management | Preventive | |
Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 | Records management | Preventive | |
Reproduce materials containing restricted data or restricted information in accordance with compliance requirements. CC ID 02202 | Records management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Define and assign cryptographic, encryption and key management roles and responsibilities. CC ID 15470 | Technical security | Preventive | |
Establish a Registration Authority to support the Public Key Infrastructure. CC ID 15725 | Technical security | Preventive | |
Establish, implement, and maintain data processing integrity controls. CC ID 00923 | Records management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain an audit program. CC ID 00684 | Audits and risk management | Preventive | |
Define the cryptographic module security functions and the cryptographic module operational modes. CC ID 06542 | Technical security | Preventive | |
Define the cryptographic boundaries. CC ID 06543 | Technical security | Preventive | |
Establish and maintain the documentation requirements for cryptographic modules. CC ID 06544 | Technical security | Preventive | |
Establish and maintain the security requirements for cryptographic module ports and cryptographic module interfaces. CC ID 06545 | Technical security | Preventive | |
Establish, implement, and maintain documentation for the delivery and operation of cryptographic modules. CC ID 06547 | Technical security | Preventive | |
Document the operation of the cryptographic module. CC ID 06546 | Technical security | Preventive | |
Generate and protect a secret random number for each digital signature. CC ID 06577 | Technical security | Preventive | |
Establish the security strength requirements for the digital signature process. CC ID 06578 | Technical security | Preventive | |
Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546 | Technical security | Preventive | |
Provide guidance to customers on how to securely transmit, store, and update cryptographic keys. CC ID 12040 | Technical security | Preventive | |
Establish, implement, and maintain encryption management procedures. CC ID 15475 | Technical security | Preventive | |
Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 | Technical security | Preventive | |
Include recommended cryptographic key management procedures for cloud service providers in the cryptographic key management procedures. CC ID 13152 | Technical security | Preventive | |
Include requesting cryptographic key types in the cryptographic key management procedures. CC ID 13151 | Technical security | Preventive | |
Include the establishment of cryptographic keys in the cryptographic key management procedures. CC ID 06540 | Technical security | Preventive | |
Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 | Technical security | Preventive | |
Require key custodians to sign the cryptographic key management policy. CC ID 01308 | Technical security | Preventive | |
Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates. CC ID 06587 | Technical security | Preventive | |
Establish, implement, and maintain Public Key certificate application procedures. CC ID 07079 | Technical security | Preventive | |
Include the Identification and Authentication of individuals or entities in the Public Key certificate application procedures. CC ID 07080 | Technical security | Preventive | |
Include approving or rejecting Public Key certificate applications in the Public Key certificate application procedure. CC ID 07081 | Technical security | Preventive | |
Include revocation of Public Key certificates in the Public Key certificate procedures. CC ID 07082 | Technical security | Preventive | |
Publish revoked Public Key certificates in the Certificate Revocation List. CC ID 07089 | Technical security | Preventive | |
Establish, implement, and maintain Public Key renewal or rekeying request procedures. CC ID 07083 | Technical security | Preventive | |
Include identification and authentication in Public Key renewal or rekeying request procedures. CC ID 11816 | Technical security | Preventive | |
Establish, implement, and maintain Public Key certificate procedures. CC ID 07085 | Technical security | Preventive | |
Include signing and issuing Public Key certificates in the Public Key certificate procedures. CC ID 11817 | Technical security | Preventive | |
Include publishing Public Key certificates in the Public Key certificate procedures. CC ID 07087 | Technical security | Preventive | |
Include access to issued Public Key certificates in the Public Key certificate procedures. CC ID 07086 | Technical security | Preventive | |
Authorize transactions of data transmitted over public networks or shared data networks. CC ID 00566 | Technical security | Preventive | |
Establish, implement, and maintain facility maintenance procedures. CC ID 00710 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain records management policies. CC ID 00903 | Records management | Preventive | |
Establish, implement, and maintain a record classification scheme. CC ID 00914 | Records management | Preventive | |
Establish, implement, and maintain electronic signature requirements. CC ID 06219 [The Central Government may, for the purposes of this Act, by rules, prescribe the manner or procedure which facilitates identification of the person affixing the Electronic Signature; § III.10. ¶ 1(c) The Central Government may, for the purposes of this Act, by rules, prescribe any other matter which is necessary to give legal effect to Electronic Signature. § III.10. ¶ 1(e) An electronic signature shall be deemed to be a secure electronic signature if- the signature creation data was stored and affixed in such exclusive manner as may be prescribed § V.15 ¶ 1(ii) For the purposes of this section any electronic signature or electronic authentication technique shall be considered reliable if- it fulfills such other conditions which may be prescribed. § II.3A (2)(e) The Central Government may, for the purposes of this Act, by rules, prescribe the manner and format in which the Electronic Signature shall be affixed; § III.10. ¶ 1(b) For the purposes of this section any electronic signature or electronic authentication technique shall be considered reliable if- any alteration to the information made after its authentication by electronic signature is detectable; and § II.3A (2)(d) For the purposes of this section any electronic signature or electronic authentication technique shall be considered reliable if- any alteration to the electronic signature made after affixing such signature is detectable § II.3A (2)(c) For the purposes of this section any electronic signature or electronic authentication technique shall be considered reliable if- the signature creation data or the authentication data are, within the context in which they are used, linked to the signatory or, as the case may be, the authenticator and of no other person; § II.3A (2)(a) An electronic signature shall be deemed to be a secure electronic signature if- the signature creation data, at the time of affixing signature, was under the exclusive control of signatory and no other person; and § V.15 ¶ 1(i) For the purposes of this section any electronic signature or electronic authentication technique shall be considered reliable if- the signature creation data or the authentication data were, at the time of signing, under the control of the signatory or, as the case may be, the authenticator and of no other person; § II.3A (2)(b)] | Records management | Preventive | |
Define each system's preservation requirements for records and logs. CC ID 00904 | Records management | Detective | |
Establish, implement, and maintain a data retention program. CC ID 00906 | Records management | Detective | |
Establish, implement, and maintain secure record transaction standards with third parties. CC ID 06093 | Records management | Preventive | |
Include transfer agreements in the secure record transaction standards. CC ID 14821 [Save as otherwise agreed to between the originator and the addressee, the dispatch of an electronic record occurs when it enters a computer resource outside the control of the originator. § IV.13 (1)] | Records management | Preventive | |
Include date and time stamp requirements for delivery receipt in the transfer agreements. CC ID 14823 [Save as otherwise agreed between the originator and the addressee, the time of receipt of an electronic record shall be determined as follows, namely - if the addressee has not designated a computer resource along with specified timings, if any, receipt occurs when the electronic record enters the computer resource of the addressee. § IV.13 (2)(b) Where the originator has not stipulated that the electronic record shall be binding only on receipt of such acknowledgment, and the acknowledgment has not been received by the originator within the time specified or agreed or, if no time has been specified or agreed to within a reasonable time, then the originator may give notice to the addressee stating that no acknowledgment has been received by him and specifying a reasonable time by which the acknowledgment must be received by him and if no acknowledgment is received within the aforesaid time limit he may after giving notice to the addressee, treat the electronic record as though it has never been sent. § IV.12 (3)] | Records management | Preventive | |
Include receipt of electronic records in the transfer agreement. CC ID 14822 [if the addressee has designated a computer resource for the purpose of receiving electronic records receipt occurs at the time when the electronic record enters the designated computer resource; or § IV.13 (a)(i)] | Records management | Preventive | |
Establish, implement, and maintain records management procedures. CC ID 11619 [{control procedure} The Central Government may, for the purposes of this Act, by rules, prescribe control processes and procedures to ensure adequate integrity, security and confidentiality of electronic records or payments; and § III.10. ¶ 1(d) {Where any law provides for} {then, notwithstanding anything contained in any other law for the time being in force, such requirement shall be deemed to have been satisfied if such filing, issue, grant, receipt or payment, as the case may be, is effected by means of such electronic form as may be prescribed by the appropriate Government} the issue or grant of any license, permit, sanction or approval by whatever name called in a particular manner; § III.6 (1)(b)] | Records management | Preventive | |
Assign ownership for all electronic records. CC ID 14814 [An electronic record shall be attributed to the originator § IV.11 ¶ 1] | Records management | Preventive | |
Attribute electronic records, as necessary. CC ID 14820 [An electronic record shall be attributed to the originator if it was sent by the originator himself; § IV.11 ¶ 1(a) An electronic record shall be attributed to the originator by an information system programmed by or on behalf of the originator to operate automatically. § IV.11 ¶ 1(c) An electronic record shall be attributed to the originator by a person who had the authority to act on behalf of the originator in respect of that electronic record; or § IV.11 ¶ 1(b)] | Records management | Preventive | |
Establish, implement, and maintain a system input log. CC ID 13531 | Records management | Preventive | |
Establish, implement, and maintain authorization records. CC ID 14367 | Records management | Preventive | |
Include the reasons for granting the authorization in the authorization records. CC ID 14371 | Records management | Preventive | |
Include the date and time the authorization was granted in the authorization records. CC ID 14370 | Records management | Preventive | |
Include the person's name who approved the authorization in the authorization records. CC ID 14369 | Records management | Preventive | |
Create summary of care records in accordance with applicable standards. CC ID 14440 | Records management | Preventive | |
Log the number of routine items received into the recordkeeping system. CC ID 11701 | Records management | Preventive | |
Include record integrity techniques in the records management procedures. CC ID 06418 | Records management | Preventive | |
Incorporate desktop publishing into the organization's Records Management program. CC ID 06535 | Records management | Preventive | |
Establish, implement, and maintain Automated Data Processing error handling procedures. CC ID 00925 | Records management | Preventive | |
Establish, implement, and maintain Automated Data Processing error handling reporting. CC ID 11659 | Records management | Preventive | |
Establish, implement, and maintain document security requirements for the output of records. CC ID 11656 | Records management | Preventive | |
Establish, implement, and maintain document handling procedures for paper documents. CC ID 00926 | Records management | Preventive | |
Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 | Records management | Preventive | |
Establish, implement, and maintain security label procedures. CC ID 06747 | Records management | Preventive | |
Establish, implement, and maintain restricted material identification procedures. CC ID 01889 | Records management | Preventive | |
Conspicuously locate the restricted record's overall classification. CC ID 01890 | Records management | Preventive | |
Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 | Records management | Preventive | |
Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 | Records management | Preventive | |
Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 | Records management | Preventive | |
Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 | Records management | Preventive | |
Establish the minimum originator requirements for security labels. CC ID 06579 | Records management | Preventive | |
Establish the minimum intermediate system requirements for security labels. CC ID 06581 | Records management | Preventive | |
Establish the minimum receiver requirements for records or electronic storage media marked with security labels. CC ID 06580 | Records management | Preventive | |
Establish policy based processing rules to process incoming records or electronic storage media marked with security labels. CC ID 06582 | Records management | Preventive | |
Establish, implement, and maintain a records lifecycle management program. CC ID 00951 | Records management | Preventive | |
Establish, implement, and maintain an information preservation policy. CC ID 16483 | Records management | Preventive | |
Establish, implement, and maintain information preservation procedures. CC ID 06277 | Records management | Preventive | |
Establish, implement, and maintain an online availability plan that is commensurate with the electronic storage media. CC ID 00934 | Records management | Preventive | |
Provide audit trails for all pertinent records. CC ID 00372 [Where any law provides that documents, records or information shall be retained for any specific period, then, that requirement shall be deemed to have been satisfied if such documents, records or information are retained in the electronic form,- the details which will facilitate the identification of the origin, destination, date and time of dispatch or receipt of such electronic record are available in the electronic record: § III.7 (1)(c)] | Records management | Detective | |
Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320 | Records management | Preventive | |
Include the date and time in the removable storage media log. CC ID 12318 | Records management | Preventive | |
Include the name and signature of the current custodian in the removable storage media log. CC ID 12315 | Records management | Preventive | |
Include the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 | Records management | Preventive | |
Include the recipient's name for the data transfer in the removable storage media log. CC ID 12753 | Records management | Preventive | |
Include the sender's name in the removable storage media log. CC ID 12752 | Records management | Preventive | |
Include the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 | Records management | Preventive | |
Include the reason for transfer in the removable storage media log. CC ID 12316 | Records management | Preventive | |
Document all actions taken when downgrading electronic storage media. CC ID 10622 | Records management | Preventive | |
Establish, implement, and maintain output distribution procedures. CC ID 00927 | Records management | Preventive | |
Include printed output in output distribution procedures. CC ID 13477 | Records management | Preventive | |
Establish, implement, and maintain document retention procedures. CC ID 11660 | Records management | Preventive | |
Establish, implement, and maintain electronic media distribution procedures. CC ID 11650 | Records management | Preventive | |
Establish, implement, and maintain output balancing audit trails. CC ID 00928 | Records management | Detective | |
Establish and maintain reconciliation audit trails. CC ID 11647 | Records management | Preventive | |
Establish, implement, and maintain output review and error handling checks with end users. CC ID 00929 | Records management | Detective | |
Establish, implement, and maintain paper document integrity requirements for the output of records. CC ID 00930 | Records management | Preventive | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 [{be enforceable} {electronic means} Where in a contract formation, the communication of proposals, the acceptance of proposals, the revocation of proposals and acceptances, as the case may be, are expressed in electronic form or by means of an electronic record, such contract shall not be deemed to be unenforceable solely on the ground that such electronic form or means was used for that purpose. § III.10A ¶ 1] | Third Party and supply chain oversight | Preventive | |
Review and update all contracts, as necessary. CC ID 11612 | Third Party and supply chain oversight | Preventive | |
Document all chargeable items in Service Level Agreements. CC ID 00844 [Provided that the appropriate Government may specify different scale of service charges for different types of services. § III.6A (4) ¶ 1 Where any law provides for the receipt or payment of money in a particular manner, then, notwithstanding anything contained in any other law for the time being in force, such requirement shall be deemed to have been satisfied if such filing, issue, grant, receipt or payment, as the case may be, is effected by means of such electronic form as may be prescribed by the appropriate Government. § III.6 (1)(c)] | Third Party and supply chain oversight | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Require key custodians to sign the key custodian's roles and responsibilities. CC ID 11820 | Technical security | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Technical security CC ID 00508 | Technical security | IT Impact Zone | |
Physical and environmental protection CC ID 00709 | Physical and environmental protection | IT Impact Zone | |
Records management CC ID 00902 | Records management | IT Impact Zone | |
Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Audits and risk management | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Log the date and time each item is received into the recordkeeping system. CC ID 11709 | Records management | Preventive | |
Log the date and time each item is made available into the recordkeeping system. CC ID 11710 | Records management | Preventive | |
Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707 | Records management | Preventive | |
Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705 | Records management | Preventive | |
Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703 | Records management | Preventive | |
Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711 | Records management | Preventive | |
Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718 | Records management | Preventive | |
Log responses to inquiries, annotating the send date for each response into the recordkeeping system. CC ID 11719 | Records management | Preventive | |
Log the number of non-routine items received into the recordkeeping system. CC ID 11706 | Records management | Preventive | |
Log the documentation of determination that items received are not routine into the recordkeeping system. CC ID 11716 | Records management | Preventive | |
Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708 | Records management | Preventive | |
Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704 | Records management | Preventive | |
Log performance monitoring into the recordkeeping system. CC ID 11724 | Records management | Preventive | |
Log the number of inquiries pending as of the close of business into the recordkeeping system. CC ID 11728 | Records management | Preventive | |
Log the number of inquiries received but not responded to within the required time frame into the recordkeeping system. CC ID 11727 | Records management | Preventive | |
Log any notices filed by the organization into the recordkeeping system. CC ID 11725 [{Where any law provides for} {then, notwithstanding anything contained in any other law for the time being in force, such requirement shall be deemed to have been satisfied if such filing, issue, grant, receipt or payment, as the case may be, is effected by means of such electronic form as may be prescribed by the appropriate Government} the filing of any form, application or any other document with any office, authority, body or agency owned or controlled by the appropriate Government in a particular manner; § III.6 (1)(a)] | Records management | Preventive | |
Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723 | Records management | Preventive | |
Log the date each certificate is made available to interested personnel and affected parties into the recordkeeping system. CC ID 11720 | Records management | Preventive | |
Log the number of items not processed within the required time frame into the recordkeeping system. CC ID 11717 | Records management | Preventive | |
Log the appointments and termination of appointments of registered transfer agents into the recordkeeping system. CC ID 11712 | Records management | Preventive | |
Log any stop orders or notices of adverse claims into the recordkeeping system. CC ID 11726 | Records management | Preventive | |
Log the number of items processed within the required time frame into the recordkeeping system. CC ID 11715 | Records management | Preventive | |
Establish, implement, and maintain a removable storage media log. CC ID 12317 | Records management | Preventive | |
Establish, implement, and maintain a data processing output log. CC ID 06624 | Records management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain data input and data access authorization tracking. CC ID 00920 | Records management | Detective | |
Establish, implement, and maintain data accuracy controls. CC ID 00921 | Records management | Detective | |
Establish, implement, and maintain online storage monitoring and reporting capabilities. CC ID 00935 | Records management | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain an environmental control program. CC ID 00724 | Physical and environmental protection | Preventive | |
Inspect and maintain the facility and supporting assets. CC ID 06345 [The appropriate Government may, for the purposes of this Chapter and for efficient delivery of services to the public through electronic means authorize, by order, any service provider to set up, maintain and upgrade the computerized facilities and perform such other services as it may specify, by notification in the Official Gazette. § III.6A (1)] | Physical and environmental protection | Preventive |
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Define the asymmetric signature field for the CHUID container on identification cards or badges. CC ID 06584 | Technical security | Preventive | |
Implement cryptographic operations and support functions on identification cards or badges. CC ID 06585 | Technical security | Preventive | |
Define the format of the biometric data on identification cards or badges. CC ID 06586 | Technical security | Preventive | |
Determine how long to keep records and logs before disposing them. CC ID 11661 | Records management | Preventive | |
Review the information classification of the information that the organization collects, processes, and stores, as necessary. CC ID 13008 | Records management | Detective | |
Review the electronic storage media for the information the organization collects and processes. CC ID 13009 | Records management | Detective | |
Process restricted information in a secure environment. CC ID 13058 | Records management | Preventive | |
Establish, implement, and maintain data completeness controls. CC ID 11649 | Records management | Preventive | |
Display required information automatically in electronic health records. CC ID 14442 | Records management | Preventive | |
Create export summaries, as necessary. CC ID 14446 | Records management | Preventive | |
Identify patient-specific education resources. CC ID 14439 | Records management | Detective | |
Sanitize user input in accordance with organizational standards. CC ID 16856 | Records management | Preventive | |
Establish, implement, and maintain storage media downgrading procedures. CC ID 10619 | Records management | Preventive | |
Identify electronic storage media that require downgrading. CC ID 10620 | Records management | Detective | |
Downgrade electronic storage media, as necessary. CC ID 10621 | Records management | Corrective | |
Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838 | Third Party and supply chain oversight | Preventive |
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Archive Public Key certificate records according to organizational Records Management rules. CC ID 07090 | Technical security | Preventive | |
Allow electronic signatures to satisfy requirements for written signatures, as necessary. CC ID 11807 | Records management | Preventive | |
Retain records in accordance with applicable requirements. CC ID 00968 [Where any law provides that documents, records or information shall be retained for any specific period, then, that requirement shall be deemed to have been satisfied if such documents, records or information are retained in the electronic form, - § III.7 (1)] | Records management | Preventive | |
Establish, implement, and maintain source document authorization tracking. CC ID 01262 | Records management | Detective | |
Maintain electronic records in an equivalent manner as printed records, as necessary. CC ID 11806 [Where any law provides that documents, records or information shall be retained for any specific period, then, that requirement shall be deemed to have been satisfied if such documents, records or information are retained in the electronic form,- the electronic record is retained in the format in which it was originally generated, sent or received or in a format which can be demonstrated to represent accurately the information originally generated, sent or received; § III.7 (1)(b) Where any law provides that information or any other matter shall be in writing or in the typewritten or printed form, then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied if such information or matter is rendered or made available in an electronic form; and § III.4 ¶ 1(a) Nothing contained in sections 6, 7 and 8 shall confer a right upon any person to insist that any Ministry or Department of the Central Government or the State Government or any authority or body established by or under any law or controlled or funded by the Central or State Government should accept, issue, create, retain and preserve any document in the form of electronic records or effect any monetary transaction in the electronic form. § III.9 ¶ 1 Where any law provides that information or any other matter shall be in writing or in the typewritten or printed form, then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied if such information or matter is accessible so as to be usable for a subsequent reference § III.4 ¶ 1(b)] | Records management | Preventive | |
Establish, implement, and maintain source document error handling tracking. CC ID 01263 | Records management | Detective | |
Refrain from creating printed records as copies of electronic records. CC ID 11808 | Records management | Preventive | |
Validate transactions against master files of third parties and clients, as necessary. CC ID 06552 | Records management | Detective | |
Establish, implement, and maintain a system storage log. CC ID 13532 | Records management | Preventive | |
Protect records from loss in accordance with applicable requirements. CC ID 12007 | Records management | Preventive | |
Capture the records required by organizational compliance requirements. CC ID 00912 | Records management | Detective | |
Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438 | Records management | Preventive | |
Establish and maintain an implantable device list. CC ID 14444 | Records management | Preventive | |
Establish, implement, and maintain a recordkeeping system. CC ID 15709 | Records management | Preventive | |
Log the termination date in the recordkeeping system. CC ID 16181 | Records management | Preventive | |
Log the name of the requestor in the recordkeeping system. CC ID 15712 | Records management | Preventive | |
Log the date and time each item is accessed in the recordkeeping system. CC ID 15711 | Records management | Preventive | |
Log records as being received into the recordkeeping system. CC ID 11696 | Records management | Preventive | |
Establish, implement, and maintain a transfer journal. CC ID 11729 | Records management | Preventive | |
Provide a receipt of records logged into the recordkeeping system. CC ID 11697 [Where the originator has not agreed with stipulated that the acknowledgment of receipt of electronic record be given in a particular form or by a particular method, an acknowledgment may be given by any communication by the addressee, automated or otherwise; or § IV.12 (1)(a) Where the originator has not agreed with stipulated that the acknowledgment of receipt of electronic record be given in a particular form or by a particular method, an acknowledgment may be given by any conduct of the addressee, sufficient to indicate to the originator that the electronic record has been received. § IV.12 (1)(b) if the addressee has designated a computer resource for the purpose of receiving electronic records if the electronic record is sent to a computer resource of the addressee that is not the designated computer resource, receipt occurs at the time when the electronic record is retrieved by the addressee; § IV.13 (2)(a)(ii) {refrain from sending} Where the originator has stipulated that the electronic record shall be binding only on receipt of an acknowledgment of such electronic record by him, then unless acknowledgment has been so received, the electronic record shall be deemed to have been never sent by the originator. § IV.12 (2)] | Records management | Preventive | |
Note in electronic records converted from printed records, the location of the original. CC ID 11809 | Records management | Preventive | |
Provide structures for authorized parties to approve record updates in the Electronic Document and Records Management system. CC ID 11965 | Records management | Preventive | |
Compare each record's data input to its final form. CC ID 11813 | Records management | Detective | |
Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 | Records management | Detective | |
Establish and maintain access controls for all records. CC ID 00371 | Records management | Preventive | |
Implement and maintain backups and duplicate copies of organizational records. CC ID 00953 | Records management | Preventive | |
Establish, implement, and maintain the duplicate original of record indexes. CC ID 00954 | Records management | Preventive | |
Establish, implement, and maintain a transparent storage media strategy. CC ID 00932 | Records management | Preventive | |
Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 | Records management | Preventive | |
Establish and maintain an error suspense file for rejected transactions. CC ID 06623 | Records management | Preventive | |
Review and approve output exceptions. CC ID 06625 | Records management | Preventive |
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Manage the use of encryption controls and cryptographic controls. CC ID 00570 [The authentication of the electronic record shall be effected by the use of asymmetric crypto system and hash function which envelop and transform the initial electronic record into another electronic record. § II.3.(2)] | Technical security | Preventive | |
Employ cryptographic controls that comply with applicable requirements. CC ID 12491 | Technical security | Preventive | |
Make key usage for data fields unique for each device. CC ID 04828 | Technical security | Preventive | |
Accept only trusted keys and/or certificates. CC ID 11988 | Technical security | Preventive | |
Bind keys to each identity. CC ID 12337 [The private key and the public key are unique to the subscriber and constitute a functioning key pair. § II.3.(4) Any person by the use of a public key of the subscriber can verify the electronic record. § II.3.(3)] | Technical security | Preventive | |
Generate unique cryptographic keys for each user. CC ID 12169 [The private key and the public key are unique to the subscriber and constitute a functioning key pair. § II.3.(4)] | Technical security | Preventive | |
Implement decryption keys so that they are not linked to user accounts. CC ID 06851 | Technical security | Preventive | |
Store key-encrypting keys and data-encrypting keys in different locations. CC ID 06085 | Technical security | Preventive | |
Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys. CC ID 06852 | Technical security | Preventive | |
Issue authentication mechanisms that support the Public Key Infrastructure. CC ID 07092 | Technical security | Preventive | |
Establish a Root Certification Authority to support the Public Key Infrastructure. CC ID 07084 | Technical security | Preventive | |
Connect the Public Key Infrastructure to the organization's identity and access management system. CC ID 07091 | Technical security | Preventive | |
Refrain from storing encryption keys with cloud service providers when cryptographic key management services are in place locally. CC ID 13153 | Technical security | Preventive | |
Refrain from permitting cloud service providers to manage encryption keys when cryptographic key management services are in place locally. CC ID 13154 | Technical security | Preventive | |
Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564 | Technical security | Preventive | |
Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 | Technical security | Preventive | |
Encrypt traffic over networks with trusted cryptographic keys. CC ID 12490 | Technical security | Preventive | |
Treat data messages that do not receive an acknowledgment as never been sent. CC ID 14416 | Technical security | Preventive | |
Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 | Technical security | Preventive | |
Protect application services information transmitted over a public network from unauthorized modification. CC ID 12021 | Technical security | Preventive | |
Protect application services information transmitted over a public network from unauthorized disclosure. CC ID 12020 | Technical security | Preventive | |
Protect application services information transmitted over a public network from contract disputes. CC ID 12019 | Technical security | Preventive | |
Protect application services information transmitted over a public network from fraudulent activity. CC ID 12018 | Technical security | Preventive | |
Allow authorized parties to authenticate electronic records with electronic signatures. CC ID 11964 [Subject to the provisions of this section any subscriber may authenticate an electronic record by affixing his Digital Signature § II.3.(1) Where any law provides that information or any other matter shall be authenticated by affixing the signature or any document should be signed or bear the signature of any person then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied, if such information or matter is authenticated by means of digital signature affixed in such manner as may be prescribed by the Central Government. § III.5 ¶ 1 The Central Government may, for the purposes of this Act, by rules, prescribe the type of Electronic Signature; § III.10. ¶ 1(a) Notwithstanding anything contained in section 3, but subject to the provisions of sub-section (2), a subscriber may authenticate any electronic record by such electronic signature or electronic authentication technique which- may be specified in the Second Schedule § II.3A (1)(b) Notwithstanding anything contained in section 3, but subject to the provisions of sub-section (2), a subscriber may authenticate any electronic record by such electronic signature or electronic authentication technique which- § II.3A (1) Notwithstanding anything contained in section 3, but subject to the provisions of sub-section (2), a subscriber may authenticate any electronic record by such electronic signature or electronic authentication technique which- is considered reliable ; and § II.3A (1)(a)] | Records management | Preventive | |
Allow authorized parties to authenticate transactions with electronic signatures. CC ID 11963 | Records management | Preventive | |
Validate transactions using identifiers and credentials. CC ID 13203 | Records management | Preventive | |
Establish, implement, and maintain electronic storage media security controls. CC ID 13204 | Records management | Preventive | |
Establish, implement, and maintain label inheritance mechanisms for aggregate data sets. CC ID 06957 | Records management | Preventive | |
Implement and maintain high availability storage, as necessary. CC ID 00952 | Records management | Preventive | |
Establish, implement, and maintain online storage controls. CC ID 00942 | Records management | Preventive | |
Provide encryption for different types of electronic storage media. CC ID 00945 | Records management | Preventive |
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Test cryptographic key management applications, as necessary. CC ID 04829 | Technical security | Detective | |
Implement non-repudiation for transactions. CC ID 00567 | Technical security | Detective | |
Test and inspect assets under full load working conditions. CC ID 06356 | Physical and environmental protection | Detective | |
Maintain continued integrity for all stored data and stored records. CC ID 00969 [Where any security procedure has been applied to an electronic record at a specific point of time, then such record shall be deemed to be a secure electronic record from such point of time to the time of verification. § V.14 ¶ 1] | Records management | Detective | |
Store records on non-rewritable, non-erasable storage media formats, as necessary. CC ID 00944 | Records management | Detective | |
Test the storage media downgrade for correct performance. CC ID 10623 | Records management | Detective | |
Perform regularly scheduled quality and integrity control reviews of output of records. CC ID 06627 | Records management | Detective |
There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Revoke old cryptographic keys or invalid cryptographic keys immediately. CC ID 01307 | Technical security | Data and Information Management | |
Replace known or suspected compromised cryptographic keys immediately. CC ID 01306 | Technical security | Data and Information Management | |
Remove non-public information from publicly accessible systems. CC ID 14246 | Records management | Data and Information Management | |
Downgrade electronic storage media, as necessary. CC ID 10621 | Records management | Process or Activity |
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Audits and risk management | Investigate | |
Test cryptographic key management applications, as necessary. CC ID 04829 | Technical security | Testing | |
Implement non-repudiation for transactions. CC ID 00567 | Technical security | Testing | |
Test and inspect assets under full load working conditions. CC ID 06356 | Physical and environmental protection | Testing | |
Define each system's preservation requirements for records and logs. CC ID 00904 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain a data retention program. CC ID 00906 | Records management | Establish/Maintain Documentation | |
Maintain continued integrity for all stored data and stored records. CC ID 00969 [Where any security procedure has been applied to an electronic record at a specific point of time, then such record shall be deemed to be a secure electronic record from such point of time to the time of verification. § V.14 ¶ 1] | Records management | Testing | |
Establish, implement, and maintain source document authorization tracking. CC ID 01262 | Records management | Records Management | |
Review the information that the organization collects, processes, and stores, as necessary. CC ID 12988 | Records management | Business Processes | |
Review the information classification of the information that the organization collects, processes, and stores, as necessary. CC ID 13008 | Records management | Process or Activity | |
Review the electronic storage media for the information the organization collects and processes. CC ID 13009 | Records management | Process or Activity | |
Establish, implement, and maintain source document error handling tracking. CC ID 01263 | Records management | Records Management | |
Establish, implement, and maintain data input and data access authorization tracking. CC ID 00920 | Records management | Monitor and Evaluate Occurrences | |
Validate transactions against master files of third parties and clients, as necessary. CC ID 06552 | Records management | Records Management | |
Establish, implement, and maintain data accuracy controls. CC ID 00921 | Records management | Monitor and Evaluate Occurrences | |
Capture the records required by organizational compliance requirements. CC ID 00912 | Records management | Records Management | |
Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555 | Records management | Data and Information Management | |
Identify patient-specific education resources. CC ID 14439 | Records management | Process or Activity | |
Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720 | Records management | Data and Information Management | |
Control error handling when data is being inputted. CC ID 00922 | Records management | Data and Information Management | |
Compare each record's data input to its final form. CC ID 11813 | Records management | Records Management | |
Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 | Records management | Records Management | |
Establish, implement, and maintain online storage monitoring and reporting capabilities. CC ID 00935 | Records management | Monitor and Evaluate Occurrences | |
Store records on non-rewritable, non-erasable storage media formats, as necessary. CC ID 00944 | Records management | Testing | |
Provide audit trails for all pertinent records. CC ID 00372 [Where any law provides that documents, records or information shall be retained for any specific period, then, that requirement shall be deemed to have been satisfied if such documents, records or information are retained in the electronic form,- the details which will facilitate the identification of the origin, destination, date and time of dispatch or receipt of such electronic record are available in the electronic record: § III.7 (1)(c)] | Records management | Establish/Maintain Documentation | |
Identify electronic storage media that require downgrading. CC ID 10620 | Records management | Process or Activity | |
Test the storage media downgrade for correct performance. CC ID 10623 | Records management | Testing | |
Establish, implement, and maintain output balancing audit trails. CC ID 00928 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain output review and error handling checks with end users. CC ID 00929 | Records management | Establish/Maintain Documentation | |
Perform regularly scheduled quality and integrity control reviews of output of records. CC ID 06627 | Records management | Testing | |
Track all chargeable items in Service Level Agreements. CC ID 11616 [The appropriate Government shall, by notification in the Official Gazette, specify the scale of service charges which may be charged and collected by the service providers under this section: § III.6A (4) The appropriate Government may also authorize any service provider authorized under sub-section (1) to collect, retain and appropriate service charges, as may be prescribed by the appropriate Government for the purpose of providing such services, from the person availing such service. § III.6A (2) Subject to the provisions of sub-section (2), the appropriate Government may authorize the service providers to collect, retain and appropriate service charges under this section notwithstanding the fact that there is no express provision under the Act, rule, regulation or notification under which the service is provided to collect, retain and appropriate e-service charges by the service providers. § III.6A (3)] | Third Party and supply chain oversight | Business Processes | |
Document all chargeable items in Service Level Agreements. CC ID 00844 [Provided that the appropriate Government may specify different scale of service charges for different types of services. § III.6A (4) ¶ 1 Where any law provides for the receipt or payment of money in a particular manner, then, notwithstanding anything contained in any other law for the time being in force, such requirement shall be deemed to have been satisfied if such filing, issue, grant, receipt or payment, as the case may be, is effected by means of such electronic form as may be prescribed by the appropriate Government. § III.6 (1)(c)] | Third Party and supply chain oversight | Establish/Maintain Documentation |
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Technical security CC ID 00508 | Technical security | IT Impact Zone | |
Physical and environmental protection CC ID 00709 | Physical and environmental protection | IT Impact Zone | |
Records management CC ID 00902 | Records management | IT Impact Zone | |
Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone |
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Establish, implement, and maintain an audit program. CC ID 00684 | Audits and risk management | Establish/Maintain Documentation | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Audits and risk management | Business Processes | |
Audit in scope audit items and compliance documents. CC ID 06730 | Audits and risk management | Audits and Risk Management | |
Audit policies, standards, and procedures. CC ID 12927 [Where in any law for the time being in force, there is a provision for audit of documents, records or information, that provision shall also be applicable for audit of documents, records or information processed and maintained in electronic form (ITAA 2008, Standing Committee Recommendation) § III.7A ¶ 1] | Audits and risk management | Audits and Risk Management | |
Manage the use of encryption controls and cryptographic controls. CC ID 00570 [The authentication of the electronic record shall be effected by the use of asymmetric crypto system and hash function which envelop and transform the initial electronic record into another electronic record. § II.3.(2)] | Technical security | Technical Security | |
Comply with the encryption laws of the local country. CC ID 16377 | Technical security | Business Processes | |
Define the cryptographic module security functions and the cryptographic module operational modes. CC ID 06542 | Technical security | Establish/Maintain Documentation | |
Define the cryptographic boundaries. CC ID 06543 | Technical security | Establish/Maintain Documentation | |
Establish and maintain the documentation requirements for cryptographic modules. CC ID 06544 | Technical security | Establish/Maintain Documentation | |
Establish and maintain the security requirements for cryptographic module ports and cryptographic module interfaces. CC ID 06545 | Technical security | Establish/Maintain Documentation | |
Implement the documented cryptographic module security functions. CC ID 06755 | Technical security | Data and Information Management | |
Establish, implement, and maintain documentation for the delivery and operation of cryptographic modules. CC ID 06547 | Technical security | Establish/Maintain Documentation | |
Document the operation of the cryptographic module. CC ID 06546 | Technical security | Establish/Maintain Documentation | |
Employ cryptographic controls that comply with applicable requirements. CC ID 12491 | Technical security | Technical Security | |
Establish, implement, and maintain digital signatures. CC ID 13828 | Technical security | Data and Information Management | |
Include the expiration date in digital signatures. CC ID 13833 | Technical security | Data and Information Management | |
Include audience restrictions in digital signatures. CC ID 13834 | Technical security | Data and Information Management | |
Include the subject in digital signatures. CC ID 13832 | Technical security | Data and Information Management | |
Include the issuer in digital signatures. CC ID 13831 | Technical security | Data and Information Management | |
Include identifiers in the digital signature. CC ID 13829 | Technical security | Data and Information Management | |
Generate and protect a secret random number for each digital signature. CC ID 06577 | Technical security | Establish/Maintain Documentation | |
Establish the security strength requirements for the digital signature process. CC ID 06578 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546 | Technical security | Establish/Maintain Documentation | |
Refrain from allowing the use of cleartext for input or output of restricted data or restricted information. CC ID 04823 | Technical security | Configuration | |
Encrypt in scope data or in scope information, as necessary. CC ID 04824 | Technical security | Data and Information Management | |
Digitally sign records and data, as necessary. CC ID 16507 | Technical security | Data and Information Management | |
Make key usage for data fields unique for each device. CC ID 04828 | Technical security | Technical Security | |
Decrypt restricted data for the minimum time required. CC ID 12308 | Technical security | Data and Information Management | |
Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 | Technical security | Data and Information Management | |
Accept only trusted keys and/or certificates. CC ID 11988 | Technical security | Technical Security | |
Establish, implement, and maintain cryptographic key creation domain parameter requirements. CC ID 06575 | Technical security | Data and Information Management | |
Define the asymmetric signature field for the CHUID container on identification cards or badges. CC ID 06584 | Technical security | Process or Activity | |
Implement cryptographic operations and support functions on identification cards or badges. CC ID 06585 | Technical security | Process or Activity | |
Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 | Technical security | Communicate | |
Define the format of the biometric data on identification cards or badges. CC ID 06586 | Technical security | Process or Activity | |
Protect salt values and hash values in accordance with organizational standards. CC ID 16471 | Technical security | Data and Information Management | |
Provide guidance to customers on how to securely transmit, store, and update cryptographic keys. CC ID 12040 | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate the encryption management procedures to all interested personnel and affected parties. CC ID 15477 | Technical security | Communicate | |
Establish, implement, and maintain encryption management procedures. CC ID 15475 | Technical security | Establish/Maintain Documentation | |
Define and assign cryptographic, encryption and key management roles and responsibilities. CC ID 15470 | Technical security | Establish Roles | |
Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate cryptographic key management procedures to interested personnel and affected parties. CC ID 13164 | Technical security | Communicate | |
Bind keys to each identity. CC ID 12337 [The private key and the public key are unique to the subscriber and constitute a functioning key pair. § II.3.(4) Any person by the use of a public key of the subscriber can verify the electronic record. § II.3.(3)] | Technical security | Technical Security | |
Include recommended cryptographic key management procedures for cloud service providers in the cryptographic key management procedures. CC ID 13152 | Technical security | Establish/Maintain Documentation | |
Include requesting cryptographic key types in the cryptographic key management procedures. CC ID 13151 | Technical security | Establish/Maintain Documentation | |
Recover encrypted data for lost cryptographic keys, compromised cryptographic keys, or damaged cryptographic keys. CC ID 01301 | Technical security | Data and Information Management | |
Generate strong cryptographic keys. CC ID 01299 | Technical security | Data and Information Management | |
Generate unique cryptographic keys for each user. CC ID 12169 [The private key and the public key are unique to the subscriber and constitute a functioning key pair. § II.3.(4)] | Technical security | Technical Security | |
Use approved random number generators for creating cryptographic keys. CC ID 06574 | Technical security | Data and Information Management | |
Implement decryption keys so that they are not linked to user accounts. CC ID 06851 | Technical security | Technical Security | |
Include the establishment of cryptographic keys in the cryptographic key management procedures. CC ID 06540 | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate cryptographic keys securely. CC ID 01300 | Technical security | Data and Information Management | |
Control the input and output of cryptographic keys from a cryptographic module. CC ID 06541 | Technical security | Data and Information Management | |
Store cryptographic keys securely. CC ID 01298 | Technical security | Data and Information Management | |
Restrict access to cryptographic keys. CC ID 01297 | Technical security | Data and Information Management | |
Store cryptographic keys in encrypted format. CC ID 06084 | Technical security | Data and Information Management | |
Store key-encrypting keys and data-encrypting keys in different locations. CC ID 06085 | Technical security | Technical Security | |
Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 | Technical security | Establish/Maintain Documentation | |
Change cryptographic keys in accordance with organizational standards. CC ID 01302 | Technical security | Data and Information Management | |
Destroy cryptographic keys promptly after the retention period. CC ID 01303 | Technical security | Data and Information Management | |
Control cryptographic keys with split knowledge and dual control. CC ID 01304 | Technical security | Data and Information Management | |
Prevent the unauthorized substitution of cryptographic keys. CC ID 01305 | Technical security | Data and Information Management | |
Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys. CC ID 06852 | Technical security | Technical Security | |
Archive outdated cryptographic keys. CC ID 06884 | Technical security | Data and Information Management | |
Archive revoked cryptographic keys. CC ID 11819 | Technical security | Data and Information Management | |
Require key custodians to sign the cryptographic key management policy. CC ID 01308 | Technical security | Establish/Maintain Documentation | |
Require key custodians to sign the key custodian's roles and responsibilities. CC ID 11820 | Technical security | Human Resources Management | |
Manage the digital signature cryptographic key pair. CC ID 06576 | Technical security | Data and Information Management | |
Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates. CC ID 06587 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain Public Key certificate application procedures. CC ID 07079 | Technical security | Establish/Maintain Documentation | |
Establish a Registration Authority to support the Public Key Infrastructure. CC ID 15725 | Technical security | Establish Roles | |
Include the Identification and Authentication of individuals or entities in the Public Key certificate application procedures. CC ID 07080 | Technical security | Establish/Maintain Documentation | |
Include approving or rejecting Public Key certificate applications in the Public Key certificate application procedure. CC ID 07081 | Technical security | Establish/Maintain Documentation | |
Include revocation of Public Key certificates in the Public Key certificate procedures. CC ID 07082 | Technical security | Establish/Maintain Documentation | |
Publish revoked Public Key certificates in the Certificate Revocation List. CC ID 07089 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain Public Key renewal or rekeying request procedures. CC ID 07083 | Technical security | Establish/Maintain Documentation | |
Include identification and authentication in Public Key renewal or rekeying request procedures. CC ID 11816 | Technical security | Establish/Maintain Documentation | |
Issue authentication mechanisms that support the Public Key Infrastructure. CC ID 07092 | Technical security | Technical Security | |
Establish a Root Certification Authority to support the Public Key Infrastructure. CC ID 07084 | Technical security | Technical Security | |
Establish, implement, and maintain Public Key certificate procedures. CC ID 07085 | Technical security | Establish/Maintain Documentation | |
Include signing and issuing Public Key certificates in the Public Key certificate procedures. CC ID 11817 | Technical security | Establish/Maintain Documentation | |
Include publishing Public Key certificates in the Public Key certificate procedures. CC ID 07087 | Technical security | Establish/Maintain Documentation | |
Include access to issued Public Key certificates in the Public Key certificate procedures. CC ID 07086 | Technical security | Establish/Maintain Documentation | |
Connect the Public Key Infrastructure to the organization's identity and access management system. CC ID 07091 | Technical security | Technical Security | |
Archive Public Key certificate records according to organizational Records Management rules. CC ID 07090 | Technical security | Records Management | |
Refrain from storing encryption keys with cloud service providers when cryptographic key management services are in place locally. CC ID 13153 | Technical security | Technical Security | |
Refrain from permitting cloud service providers to manage encryption keys when cryptographic key management services are in place locally. CC ID 13154 | Technical security | Technical Security | |
Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564 | Technical security | Technical Security | |
Ensure restricted data or restricted information are encrypted prior to or at the time of transmission. CC ID 01749 | Technical security | Configuration | |
Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 | Technical security | Technical Security | |
Encrypt traffic over networks with trusted cryptographic keys. CC ID 12490 | Technical security | Technical Security | |
Authorize transactions of data transmitted over public networks or shared data networks. CC ID 00566 | Technical security | Establish/Maintain Documentation | |
Treat data messages that do not receive an acknowledgment as never having been sent. CC ID 14416 | Technical security | Technical Security | |
Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 | Technical security | Technical Security | |
Protect application services information transmitted over a public network from unauthorized modification. CC ID 12021 | Technical security | Technical Security | |
Protect application services information transmitted over a public network from unauthorized disclosure. CC ID 12020 | Technical security | Technical Security | |
Protect application services information transmitted over a public network from contract disputes. CC ID 12019 | Technical security | Technical Security | |
Protect application services information transmitted over a public network from fraudulent activity. CC ID 12018 | Technical security | Technical Security | |
Establish, implement, and maintain an environmental control program. CC ID 00724 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain facility maintenance procedures. CC ID 00710 | Physical and environmental protection | Establish/Maintain Documentation | |
Inspect and maintain the facility and supporting assets. CC ID 06345 [The appropriate Government may, for the purposes of this Chapter and for efficient delivery of services to the public through electronic means authorize, by order, any service provider to set up, maintain and upgrade the computerized facilities and perform such other services as it may specify, by notification in the Official Gazette. § III.6A (1)] | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain records management policies. CC ID 00903 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain a record classification scheme. CC ID 00914 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain electronic signature requirements. CC ID 06219 [The Central Government may, for the purposes of this Act, by rules, prescribe the manner or procedure which facilitates identification of the person affixing the Electronic Signature; § III.10. ¶ 1(c) The Central Government may, for the purposes of this Act, by rules, prescribe any other matter which is necessary to give legal effect to Electronic Signature. § III.10. ¶ 1(e) An electronic signature shall be deemed to be a secure electronic signature if- the signature creation data was stored and affixed in such exclusive manner as may be prescribed § V.15 ¶ 1(ii) For the purposes of this section any electronic signature or electronic authentication technique shall be considered reliable if- it fulfills such other conditions which may be prescribed. § II.3A (2)(e) The Central Government may, for the purposes of this Act, by rules, prescribe the manner and format in which the Electronic Signature shall be affixed; § III.10. ¶ 1(b) For the purposes of this section any electronic signature or electronic authentication technique shall be considered reliable if- any alteration to the information made after its authentication by electronic signature is detectable; and § II.3A (2)(d) For the purposes of this section any electronic signature or electronic authentication technique shall be considered reliable if- any alteration to the electronic signature made after affixing such signature is detectable § II.3A (2)(c) For the purposes of this section any electronic signature or electronic authentication technique shall be considered reliable if- the signature creation data or the authentication data are, within the context in which they are used, linked to the signatory or, as the case may be, the authenticator and of no other person; § II.3A (2)(a) An electronic signature shall be deemed to be a secure electronic signature if- the signature creation data, at the time of affixing signature, was under the exclusive control of signatory and no other person; and § V.15 ¶ 1(i) For the purposes of this section any electronic signature or electronic authentication technique shall be considered reliable if- the signature creation data or the authentication data were, at the time of signing, under the control of the signatory or, as the case may be, the authenticator and of no other person; § II.3A (2)(b)] | Records management | Establish/Maintain Documentation | |
Implement a signature revocation service. CC ID 14417 | Records management | Business Processes | |
Allow electronic signatures to satisfy requirements for written signatures, as necessary. CC ID 11807 | Records management | Records Management | |
Allow authorized parties to authenticate electronic records with electronic signatures. CC ID 11964 [Subject to the provisions of this section any subscriber may authenticate an electronic record by affixing his Digital Signature § II.3.(1) Where any law provides that information or any other matter shall be authenticated by affixing the signature or any document should be signed or bear the signature of any person then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied, if such information or matter is authenticated by means of digital signature affixed in such manner as may be prescribed by the Central Government. § III.5 ¶ 1 The Central Government may, for the purposes of this Act, by rules, prescribe the type of Electronic Signature; § III.10. ¶ 1(a) Notwithstanding anything contained in section 3, but subject to the provisions of sub-section (2), a subscriber may authenticate any electronic record by such electronic signature or electronic authentication technique which- may be specified in the Second Schedule § II.3A (1)(b) Notwithstanding anything contained in section 3, but subject to the provisions of sub-section (2), a subscriber may authenticate any electronic record by such electronic signature or electronic authentication technique which- § II.3A (1) Notwithstanding anything contained in section 3, but subject to the provisions of sub-section (2), a subscriber may authenticate any electronic record by such electronic signature or electronic authentication technique which- is considered reliable ; and § II.3A (1)(a)] | Records management | Technical Security | |
Allow authorized parties to authenticate transactions with electronic signatures. CC ID 11963 | Records management | Technical Security | |
Determine how long to keep records and logs before disposing of them. CC ID 11661 | Records management | Process or Activity | |
Retain records in accordance with applicable requirements. CC ID 00968 [Where any law provides that documents, records or information shall be retained for any specific period, then, that requirement shall be deemed to have been satisfied if such documents, records or information are retained in the electronic form, - § III.7 (1)] | Records management | Records Management | |
Establish, implement, and maintain secure record transaction standards with third parties. CC ID 06093 | Records management | Establish/Maintain Documentation | |
Include transfer agreements in the secure record transaction standards. CC ID 14821 [Save as otherwise agreed to between the originator and the addressee, the dispatch of an electronic record occurs when it enters a computer resource outside the control of the originator. § IV.13 (1)] | Records management | Establish/Maintain Documentation | |
Include date and time stamp requirements for delivery receipt in the transfer agreements. CC ID 14823 [Save as otherwise agreed between the originator and the addressee, the time of receipt of an electronic record shall be determined as follows, namely - if the addressee has not designated a computer resource along with specified timings, if any, receipt occurs when the electronic record enters the computer resource of the addressee. § IV.13 (2)(b) Where the originator has not stipulated that the electronic record shall be binding only on receipt of such acknowledgment, and the acknowledgment has not been received by the originator within the time specified or agreed or, if no time has been specified or agreed to within a reasonable time, then the originator may give notice to the addressee stating that no acknowledgment has been received by him and specifying a reasonable time by which the acknowledgment must be received by him and if no acknowledgment is received within the aforesaid time limit he may after giving notice to the addressee, treat the electronic record as though it has never been sent. § IV.12 (3)] | Records management | Establish/Maintain Documentation | |
Include receipt of electronic records in the transfer agreement. CC ID 14822 [if the addressee has designated a computer resource for the purpose of receiving electronic records receipt occurs at the time when the electronic record enters the designated computer resource; or § IV.13 (a)(i)] | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain records management procedures. CC ID 11619 [{control procedure} The Central Government may, for the purposes of this Act, by rules, prescribe control processes and procedures to ensure adequate integrity, security and confidentiality of electronic records or payments; and § III.10. ¶ 1(d) {Where any law provides for} {then, notwithstanding anything contained in any other law for the time being in force, such requirement shall be deemed to have been satisfied if such filing, issue, grant, receipt or payment, as the case may be, is effected by means of such electronic form as may be prescribed by the appropriate Government} the issue or grant of any license, permit, sanction or approval by whatever name called in a particular manner; § III.6 (1)(b)] | Records management | Establish/Maintain Documentation | |
Maintain electronic records in an equivalent manner as printed records, as necessary. CC ID 11806 [Where any law provides that documents, records or information shall be retained for any specific period, then, that requirement shall be deemed to have been satisfied if such documents, records or information are retained in the electronic form,- the electronic record is retained in the format in which it was originally generated, sent or received or in a format which can be demonstrated to represent accurately the information originally generated, sent or received; § III.7 (1)(b) Where any law provides that information or any other matter shall be in writing or in the typewritten or printed form, then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied if such information or matter is rendered or made available in an electronic form; and § III.4 ¶ 1(a) Nothing contained in sections 6, 7 and 8 shall confer a right upon any person to insist that any Ministry or Department of the Central Government or the State Government or any authority or body established by or under any law or controlled or funded by the Central or State Government should accept, issue, create, retain and preserve any document in the form of electronic records or effect any monetary transaction in the electronic form. § III.9 ¶ 1 Where any law provides that information or any other matter shall be in writing or in the typewritten or printed form, then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied if such information or matter is accessible so as to be usable for a subsequent reference § III.4 ¶ 1(b)] | Records management | Records Management | |
Process restricted information in a secure environment. CC ID 13058 | Records management | Process or Activity | |
Refrain from creating printed records as copies of electronic records. CC ID 11808 | Records management | Records Management | |
Assign ownership for all electronic records. CC ID 14814 [An electronic record shall be attributed to the originator § IV.11 ¶ 1] | Records management | Establish/Maintain Documentation | |
Attribute electronic records, as necessary. CC ID 14820 [An electronic record shall be attributed to the originator if it was sent by the originator himself; § IV.11 ¶ 1(a) An electronic record shall be attributed to the originator by an information system programmed by or on behalf of the originator to operate automatically. § IV.11 ¶ 1(c) An electronic record shall be attributed to the originator by a person who had the authority to act on behalf of the originator in respect of that electronic record; or § IV.11 ¶ 1(b)] | Records management | Establish/Maintain Documentation | |
Validate transactions using identifiers and credentials. CC ID 13203 | Records management | Technical Security | |
Establish, implement, and maintain a system storage log. CC ID 13532 | Records management | Records Management | |
Establish, implement, and maintain a system input log. CC ID 13531 | Records management | Establish/Maintain Documentation | |
Protect records from loss in accordance with applicable requirements. CC ID 12007 | Records management | Records Management | |
Establish, implement, and maintain data completeness controls. CC ID 11649 | Records management | Process or Activity | |
Establish, implement, and maintain authorization records. CC ID 14367 | Records management | Establish/Maintain Documentation | |
Include the reasons for granting the authorization in the authorization records. CC ID 14371 | Records management | Establish/Maintain Documentation | |
Include the date and time the authorization was granted in the authorization records. CC ID 14370 | Records management | Establish/Maintain Documentation | |
Include the person's name who approved the authorization in the authorization records. CC ID 14369 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain electronic health records. CC ID 14436 | Records management | Data and Information Management | |
Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437 | Records management | Data and Information Management | |
Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438 | Records management | Records Management | |
Display required information automatically in electronic health records. CC ID 14442 | Records management | Process or Activity | |
Create summary of care records in accordance with applicable standards. CC ID 14440 | Records management | Establish/Maintain Documentation | |
Provide the patient with a summary of care record, as necessary. CC ID 14441 | Records management | Actionable Reports or Measurements | |
Create export summaries, as necessary. CC ID 14446 | Records management | Process or Activity | |
Import data files into a patient's electronic health record. CC ID 14448 | Records management | Data and Information Management | |
Export requested sections of the electronic health record. CC ID 14447 | Records management | Data and Information Management | |
Establish and maintain an implantable device list. CC ID 14444 | Records management | Records Management | |
Display the implantable device list to authorized users. CC ID 14445 | Records management | Data and Information Management | |
Establish, implement, and maintain decision support interventions. CC ID 14443 | Records management | Business Processes | |
Include attributes in the decision support intervention. CC ID 16766 | Records management | Data and Information Management | |
Establish, implement, and maintain a recordkeeping system. CC ID 15709 | Records management | Records Management | |
Log the termination date in the recordkeeping system. CC ID 16181 | Records management | Records Management | |
Log the name of the requestor in the recordkeeping system. CC ID 15712 | Records management | Records Management | |
Log the date and time each item is accessed in the recordkeeping system. CC ID 15711 | Records management | Records Management | |
Log records as being received into the recordkeeping system. CC ID 11696 | Records management | Records Management | |
Log the date and time each item is received into the recordkeeping system. CC ID 11709 | Records management | Log Management | |
Log the date and time each item is made available into the recordkeeping system. CC ID 11710 | Records management | Log Management | |
Log the number of routine items received into the recordkeeping system. CC ID 11701 | Records management | Establish/Maintain Documentation | |
Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707 | Records management | Log Management | |
Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705 | Records management | Log Management | |
Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703 | Records management | Log Management | |
Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711 | Records management | Log Management | |
Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718 | Records management | Log Management | |
Log responses to inquiries, annotating the send date for each response into the recordkeeping system. CC ID 11719 | Records management | Log Management | |
Log the number of non-routine items received into the recordkeeping system. CC ID 11706 | Records management | Log Management | |
Log the documentation of determination that items received are not routine into the recordkeeping system. CC ID 11716 | Records management | Log Management | |
Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708 | Records management | Log Management | |
Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704 | Records management | Log Management | |
Log performance monitoring into the recordkeeping system. CC ID 11724 | Records management | Log Management | |
Log the number of inquiries pending as of the close of business into the recordkeeping system. CC ID 11728 | Records management | Log Management | |
Log the number of inquiries received but not responded to within the required time frame into the recordkeeping system. CC ID 11727 | Records management | Log Management | |
Establish, implement, and maintain a transfer journal. CC ID 11729 | Records management | Records Management | |
Log any notices filed by the organization into the recordkeeping system. CC ID 11725 [{Where any law provides for} {then, notwithstanding anything contained in any other law for the time being in force, such requirement shall be deemed to have been satisfied if such filing, issue, grant, receipt or payment, as the case may be, is effected by means of such electronic form as may be prescribed by the appropriate Government} the filing of any form, application or any other document with any office, authority, body or agency owned or controlled by the appropriate Government in a particular manner; § III.6 (1)(a)] | Records management | Log Management | |
Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723 | Records management | Log Management | |
Log the date each certificate is made available to interested personnel and affected parties into the recordkeeping system. CC ID 11720 | Records management | Log Management | |
Log the number of items not processed within the required time frame into the recordkeeping system. CC ID 11717 | Records management | Log Management | |
Provide a receipt of records logged into the recordkeeping system. CC ID 11697 [Where the originator has not agreed with stipulated that the acknowledgment of receipt of electronic record be given in a particular form or by a particular method, an acknowledgment may be given by any communication by the addressee, automated or otherwise; or § IV.12 (1)(a) Where the originator has not agreed with stipulated that the acknowledgment of receipt of electronic record be given in a particular form or by a particular method, an acknowledgment may be given by any conduct of the addressee, sufficient to indicate to the originator that the electronic record has been received. § IV.12 (1)(b) if the addressee has designated a computer resource for the purpose of receiving electronic records if the electronic record is sent to a computer resource of the addressee that is not the designated computer resource, receipt occurs at the time when the electronic record is retrieved by the addressee; § IV.13 (2)(a)(ii) {refrain from sending} Where the originator has stipulated that the electronic record shall be binding only on receipt of an acknowledgment of such electronic record by him, then unless acknowledgment has been so received, the electronic record shall be deemed to have been never sent by the originator. § IV.12 (2)] | Records management | Records Management | |
Log the appointments and termination of appointments of registered transfer agents into the recordkeeping system. CC ID 11712 | Records management | Log Management | |
Log any stop orders or notices of adverse claims into the recordkeeping system. CC ID 11726 | Records management | Log Management | |
Log the number of items processed within the required time frame into the recordkeeping system. CC ID 11715 | Records management | Log Management | |
Establish, implement, and maintain data availability controls. CC ID 15301 | Records management | Data and Information Management | |
Include record integrity techniques in the records management procedures. CC ID 06418 | Records management | Establish/Maintain Documentation | |
Note in electronic records converted from printed records, the location of the original. CC ID 11809 | Records management | Records Management | |
Incorporate desktop publishing into the organization's Records Management program. CC ID 06535 | Records management | Establish/Maintain Documentation | |
Provide structures for browsing records stored in the Electronic Document and Records Management system. CC ID 10009 | Records management | Business Processes | |
Provide structures for searching for items stored in the Electronic Document and Records Management system. CC ID 10010 | Records management | Business Processes | |
Provide structures for downloading records from the Electronic Document and Records Management system. CC ID 10011 [{is accessible} Where any law provides that documents, records or information shall be retained for any specific period, then, that requirement shall be deemed to have been satisfied if such documents, records or information are retained in the electronic form,- the information contained therein remains accessible so as to be usable for a subsequent reference; § III.7 (1)(a)] | Records management | Business Processes | |
Provide structures for managing e-mail stored in the Electronic Document and Records Management system. CC ID 10012 | Records management | Business Processes | |
Provide structures for authorized parties to approve record updates in the Electronic Document and Records Management system. CC ID 11965 | Records management | Records Management | |
Provide structures for version control of records stored in the Electronic Document and Records Management system. CC ID 10013 | Records management | Business Processes | |
Establish, implement, and maintain electronic storage media security controls. CC ID 13204 | Records management | Technical Security | |
Use automated entry devices to reduce errors during data input. CC ID 06626 | Records management | Data and Information Management | |
Establish, implement, and maintain data processing integrity controls. CC ID 00923 | Records management | Establish Roles | |
Sanitize user input in accordance with organizational standards. CC ID 16856 | Records management | Process or Activity | |
Establish, implement, and maintain Automated Data Processing validation checks and editing checks. CC ID 00924 | Records management | Data and Information Management | |
Establish, implement, and maintain Automated Data Processing error handling procedures. CC ID 00925 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain Automated Data Processing error handling reporting. CC ID 11659 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain document security requirements for the output of records. CC ID 11656 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain document handling procedures for paper documents. CC ID 00926 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain security label procedures. CC ID 06747 | Records management | Establish/Maintain Documentation | |
Label restricted storage media appropriately. CC ID 00966 | Records management | Data and Information Management | |
Establish, implement, and maintain restricted material identification procedures. CC ID 01889 | Records management | Establish/Maintain Documentation | |
Conspicuously locate the restricted record's overall classification. CC ID 01890 | Records management | Establish/Maintain Documentation | |
Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 | Records management | Establish/Maintain Documentation | |
Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 | Records management | Establish/Maintain Documentation | |
Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 | Records management | Establish/Maintain Documentation | |
Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 | Records management | Establish/Maintain Documentation | |
Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 | Records management | Data and Information Management | |
Establish, implement, and maintain label inheritance mechanisms for aggregate data sets. CC ID 06957 | Records management | Technical Security | |
Establish the minimum originator requirements for security labels. CC ID 06579 | Records management | Establish/Maintain Documentation | |
Establish the minimum intermediate system requirements for security labels. CC ID 06581 | Records management | Establish/Maintain Documentation | |
Establish the minimum receiver requirements for records or electronic storage media marked with security labels. CC ID 06580 | Records management | Establish/Maintain Documentation | |
Establish policy based processing rules to process incoming records or electronic storage media marked with security labels. CC ID 06582 | Records management | Establish/Maintain Documentation | |
Establish and maintain access controls for all records. CC ID 00371 | Records management | Records Management | |
Reproduce materials containing restricted data or restricted information in accordance with compliance requirements. CC ID 02202 | Records management | Data and Information Management | |
Establish, implement, and maintain a records lifecycle management program. CC ID 00951 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain an information preservation policy. CC ID 16483 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain information preservation procedures. CC ID 06277 | Records management | Establish/Maintain Documentation | |
Implement and maintain high availability storage, as necessary. CC ID 00952 | Records management | Technical Security | |
Implement and maintain backups and duplicate copies of organizational records. CC ID 00953 | Records management | Records Management | |
Establish, implement, and maintain the duplicate original of record indexes. CC ID 00954 | Records management | Records Management | |
Establish, implement, and maintain a transparent storage media strategy. CC ID 00932 | Records management | Records Management | |
Establish, implement, and maintain an online availability plan that is commensurate with the electronic storage media. CC ID 00934 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain online storage controls. CC ID 00942 | Records management | Technical Security | |
Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 | Records management | Records Management | |
Provide encryption for different types of electronic storage media. CC ID 00945 | Records management | Technical Security | |
Implement electronic storage media integrity controls. CC ID 00946 | Records management | Configuration | |
Automate electronic storage media integrity check controls. CC ID 00948 | Records management | Configuration | |
Provide capacity for indexes on electronic storage media, as necessary. CC ID 00950 | Records management | Configuration | |
Establish, implement, and maintain a removable storage media log. CC ID 12317 | Records management | Log Management | |
Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320 | Records management | Establish/Maintain Documentation | |
Include the date and time in the removable storage media log. CC ID 12318 | Records management | Establish/Maintain Documentation | |
Include the name and signature of the current custodian in the removable storage media log. CC ID 12315 | Records management | Establish/Maintain Documentation | |
Include the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 | Records management | Establish/Maintain Documentation | |
Include the recipient's name for the data transfer in the removable storage media log. CC ID 12753 | Records management | Establish/Maintain Documentation | |
Include the sender's name in the removable storage media log. CC ID 12752 | Records management | Establish/Maintain Documentation | |
Include the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 | Records management | Establish/Maintain Documentation | |
Include the reason for transfer in the removable storage media log. CC ID 12316 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain storage media downgrading procedures. CC ID 10619 | Records management | Process or Activity | |
Document all actions taken when downgrading electronic storage media. CC ID 10622 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain output distribution procedures. CC ID 00927 | Records management | Establish/Maintain Documentation | |
Include printed output in output distribution procedures. CC ID 13477 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain document retention procedures. CC ID 11660 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain electronic media distribution procedures. CC ID 11650 | Records management | Establish/Maintain Documentation | |
Establish and maintain an error suspense file for rejected transactions. CC ID 06623 | Records management | Records Management | |
Establish and maintain reconciliation audit trails. CC ID 11647 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain a data processing output log. CC ID 06624 | Records management | Log Management | |
Establish, implement, and maintain paper document integrity requirements for the output of records. CC ID 00930 | Records management | Establish/Maintain Documentation | |
Review and approve output exceptions. CC ID 06625 | Records management | Records Management | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 [{be enforceable} {electronic means} Where in a contract formation, the communication of proposals, the acceptance of proposals, the revocation of proposals and acceptances, as the case may be, are expressed in electronic form or by means of an electronic record, such contract shall not be deemed to be unenforceable solely on the ground that such electronic form or means was used for that purpose. § III.10A ¶ 1] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Review and update all contracts, as necessary. CC ID 11612 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838 | Third Party and supply chain oversight | Process or Activity | |